Drupal 8.5.0 honeypot

Low-interaction Drupal honeypot (v8.5.0), vulnerable to Drupalgeddon 2 (CVE-2018-7600).

Author: Sleeptime17

services/drupal/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Cymmetria
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

services/drupal/README.md

@@ -0,0 +1,11 @@
+# Drupal 8.50 Honeypot
+
+Cymmetria Research, 2018.
+
+https://www.cymmetria.com/
+
+Contact: [email protected]
+
+Drupal 8.50 is a low interaction honeypot meant to detect exploitation of CVE-2018-7600.
+The html/ directory contains files in order to be fingerprinted correctly by Droopescan (https://github.com/droope/droopescan) and Fingerprinter (https://github.com/erwanlr/Fingerprinter/).
+It is released under the MIT license for the use of the community.

services/drupal/__init__.py

@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+"""Honeycomb Drupal service."""
+from __future__ import unicode_literals

services/drupal/config.json

@@ -0,0 +1,26 @@
+{
+    "event_types": [
+        {
+            "name": "drupal_rce",
+            "label": "Remote code execution attempt (CVE-2018-7600)",
+            "fields": ["originating_ip", "originating_port", "request"],
+            "policy": "Alert"
+        }
+    ],
+    "service": {
+        "allow_many": false,
+        "supported_os_families": "All",
+        "ports": [
+            {
+                "protocol": "TCP",
+                "port": 80
+            }
+        ],
+        "name": "drupal",
+        "label": "Drupal Honeypot",
+        "description": "Drupal 8.50 honeypot, detecting CVE-2018-7600 exploit attempt",
+        "conflicts_with": ["http"]
+    },
+    "parameters": [
+    ]
+}

services/drupal/drupal_server.py

@@ -0,0 +1,112 @@
+# -*- coding: utf-8 -*-
+"""A Drupal CMS server based on Python's HTTPServer."""
+from __future__ import unicode_literals
+
+import os
+
+from six.moves.socketserver import ThreadingMixIn
+from six.moves.BaseHTTPServer import HTTPServer
+from six.moves.SimpleHTTPServer import SimpleHTTPRequestHandler
+from six.moves.urllib_parse import unquote, urlparse
+
+
+WEB_PORT = 80
+WWW_FOLDER_NAME = "html"
+WEB_ALERT_TYPE_NAME = "drupal_rce"
+DEFAULT_SERVER_VERSION = "Apache 2"
+ALERTS = [WEB_ALERT_TYPE_NAME]
+
+
+class ThreadingHTTPServer(ThreadingMixIn, HTTPServer):
+    """Extend both classes to have threading capabilities."""
+
+
+class HoneyHTTPRequestHandler(SimpleHTTPRequestHandler, object):
+    """Filter requests to catch Drupalgeddon 2 exploit attempts."""
+
+    def version_string(self):
+        """Return the web server name that we run on."""
+        return DEFAULT_SERVER_VERSION
+
+    def verify(self, query):
+        """Filter HTTP request to make sure it's not an exploit attempt."""
+        self.logger.debug("Query: %s", query)
+        if query and query.find("&") != -1:
+            query_components = {}
+            for param in query.split("&"):
+                if param.find("=") == -1:
+                    continue
+                else:
+                    key, value = param.split("=")
+                    query_components[key] = value
+
+            for component in query_components:
+                if component.find("[#") != -1 and len(component) > 1:
+                    self.alert(event_name=WEB_ALERT_TYPE_NAME,
+                               request=query,
+                               orig_ip=self.client_address[0],
+                               orig_port=self.client_address[1])
+                    break
+
+    def do_GET(self):
+        """Handle an HTTP GET request."""
+        query = unquote(urlparse(self.path).query)
+        self.verify(query)
+        super(HoneyHTTPRequestHandler, self).do_GET()
+
+    def do_POST(self):
+        """Handle an HTTP POST request."""
+        content_length = int(self.headers['Content-Length'])
+        post_data = unquote(self.rfile.read(content_length).decode())
+        self.verify(post_data)
+        super(HoneyHTTPRequestHandler, self).do_GET()
+
+    def log_error(self, message, *args):
+        """Log an error."""
+        self.log_message("error", message, *args)
+
+    def log_request(self, code="-", size="-"):
+        """Log an incoming request."""
+        # Due to hilarity involving HTTPServer using "%s"-style formatting to format strings,
+        # and the URLs sometimes having extra %'s in them, we have to escape them by making
+        # them into %%'s.
+        self.log_message("debug", '"{!s}" {!s} {!s}'.format(self.requestline.replace("%", "%%"), code, size))
+
+    def log_message(self, level, message, *args):
+        """Send message to logger with standard apache format."""
+        try:
+            getattr(self.logger, level)
+        except AttributeError:
+            self.logger.error("Invalid level of debug requested ({}), logging as debug".format(level))
+            level = "debug"
+
+        self.logger.debug(message)
+        self.logger.debug(str(args))
+        getattr(self.logger, level)("{!s} - - [{!s}] {!s}".format(self.client_address[0],
+                                                                  self.log_date_time_string(),
+                                                                  message % args))
+
+
+class DrupalServer(object):
+    """Drupal CMS honeypot."""
+
+    def __init__(self, logger, alert):
+        self.logger = logger
+        alerting_client_handler = HoneyHTTPRequestHandler
+        alerting_client_handler.logger = logger
+        alerting_client_handler.alert = alert
+        self.httpd = ThreadingHTTPServer(("", WEB_PORT), alerting_client_handler)
+
+    def start(self):
+        """Start serving requests by starting the underlying HTTP server."""
+        os.chdir(os.path.join(os.path.dirname(__file__), WWW_FOLDER_NAME))
+        self.logger.info("Starting Drupal server on port {port}".format(port=WEB_PORT))
+        self.httpd.serve_forever()
+        return True
+
+    def stop(self):
+        """Stop serving requests."""
+        self.logger.info("Shutting down Drupal server...")
+        if self.httpd:
+            self.httpd.shutdown()
+            self.httpd = None

services/drupal/drupal_service.py

@@ -0,0 +1,77 @@
+# -*- coding: utf-8 -*-
+"""Drupal CMS honeypot service, for catching CVE-2018-7600 (Drupalgeddon 2)."""
+from __future__ import unicode_literals
+
+from base_service import ServerCustomService
+
+from drupal_server import DrupalServer, ALERTS, WEB_PORT
+
+EVENT_TYPE_FIELD_NAME = "event_type"
+ORIGINATING_IP_FIELD_NAME = "originating_ip"
+ORIGINATING_PORT_FIELD_NAME = "originating_port"
+REQUEST_FIELD_NAME = "request"
+EXPLOIT_USING_POST = "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+EXPLOIT_USING_GET = "user/password?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup"
+EXPLOIT_FORMAT = "{target}{exploit}"
+
+
+class DrupalService(ServerCustomService):
+    """Plugin class for Honeycomb/Mazerunner that runs a Drupal CMS service."""
+
+    def __init__(self, *args, **kwargs):
+        super(DrupalService, self).__init__(*args, **kwargs)
+        self.honeypot = None
+
+    def alert(self, event_name, orig_ip, orig_port, request):
+        """Report an alert to the framework."""
+        params = {
+            EVENT_TYPE_FIELD_NAME: event_name,
+            ORIGINATING_IP_FIELD_NAME: orig_ip,
+            ORIGINATING_PORT_FIELD_NAME: orig_port,
+            REQUEST_FIELD_NAME: request
+        }
+
+        self.add_alert_to_queue(params)
+
+    def on_server_start(self):
+        """Set up a drupal honeypot server."""
+        self.logger.info("{name!s} received start".format(name=self))
+        self.honeypot = DrupalServer(self.logger, self.alert)
+        self.signal_ready()
+        if not self.honeypot.start():
+            self.logger.debug("Failed to start simple HTTP Drupal server")
+
+    def on_server_shutdown(self):
+        """Stop the honeypot server."""
+        self.logger.debug("{name!s} received stop".format(name=self))
+        if self.honeypot:
+            self.honeypot.stop()
+
+    def test(self):
+        """Trigger service alerts and return a list of triggered event types."""
+        import requests
+
+        event_types = list()
+
+        self.logger.debug("Executing service test...")
+
+        # Drupal CVE-2018-7600 test - once with POST, once with GET
+        target = "http://127.0.0.1:{port}/".format(port=WEB_PORT)
+        payload = {"form_id": "user_register_form",
+                   "_drupal_ajax": "1",
+                   "timezone[a][#lazy_builder][]": "exec",
+                   "timezone[a][#lazy_builder][][]": "touch+/tmp/1"}
+        requests.post(EXPLOIT_FORMAT.format(target=target, exploit=EXPLOIT_USING_POST), data=payload)
+        event_types += ALERTS
+
+        # Now it's GET's turn..
+        requests.get(EXPLOIT_FORMAT.format(target=target, exploit=EXPLOIT_USING_GET))
+        event_types += ALERTS
+
+        return event_types
+
+    def __str__(self):
+        return "Drupal Honeypot"
+
+
+service_class = DrupalService