Land #16735, Fix defaults for aerohive module

This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module.
rapid7 · Jul 7, 2022 · 4da72a9 · 4da72a9
2 parents 2296db8 + b56242c
commit 4da72a9
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/documentation/modules/exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.md b/documentation/modules/exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.md
@@ -19,10 +19,9 @@ This request includes two POST parameters:
 2. The parameter that is used to execute commands via `/tmp/messages`.
 In our example the name would be `cmd`, but the module sets this to an arbitrary value.
 
-Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open.
-Closing the session should render the app responsive again.  It is also possible that enabling the meterpreter option
-'TryToFork` might prevent the application hang after exploitation, but given access constraints we were unable to verify the
-resultant behavior for enabling that option.  Try at your own risk (but let us know how it goes if you do).
+Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open.
+If the Linux target is selected with a meterpreter payload, the `MeterpreterTryToFork` option is likely to prevent this,
+and is therefore enabled by default. If the app does hang, closing the session should render the app responsive again.
 
 The module provides an automatic cleanup option to clean the log.
 However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed,

diff --git a/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb b/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb
@@ -26,8 +26,10 @@ def initialize(info = {})
           issue in conjunction with log poisoning to gain RCE as root.
 
           Upon successful exploitation, the Aerohive NetConfig application
-          will hang for as long as the spawned shell remains open. Closing
-          the session should render the app responsive again.
+          may hang for as long as the spawned shell remains open. For the
+          Linux target, the MeterpreterTryToFork option (enabled by default)
+          will likely prevent this. If the app hangs, closing the session
+          should render it responsive again.
 
           The module provides an automatic cleanup option to clean the log.
           However, this option is disabled by default because any modifications
@@ -59,7 +61,8 @@ def initialize(info = {})
               'Platform' => 'linux',
               'DefaultOptions' => {
                 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
-                'CMDSTAGER::FLAVOR' => 'curl'
+                'CMDSTAGER::FLAVOR' => 'curl',
+                'MeterpreterTryToFork' => true # prevent the web server from hanging when we get a meterpreter session
               }
             }
           ],