
Fix bug where vhost wasn't being set correctly when using rhost http url #14609

Merged (2 commits) on Jan 19, 2021

Conversation

dwelch-r7
Contributor

@adfoster-r7 noticed a bug where the VHOST datastore option was not being set correctly when using the RHOST_HTTP_URL option; this PR is to fix that particular issue.

Verification steps

  • Start up msfconsole

  • set HTTPTRACE true

  • features set RHOST_HTTP_URL true

  • use exploit/multi/http/gitlab_file_read_rce

  • set RHOST_HTTP_URL <http://example.com>
    - Targeting hackthebox laboratory box 10.10.10.216
    - Add git.laboratory.htb to your /etc/hosts:

  • set username foo

  • set password foo

  • run the module

  • With this fix you should see the Host header properly filled in with the domain name (on master this is not populated correctly)

@@ -51,7 +51,7 @@ def calculate_value(datastore)
return unless datastore['RHOSTS']
begin
uri_type = datastore['SSL'] ? URI::HTTPS : URI::HTTP
uri = uri_type.build(host: datastore['RHOSTS'])
uri = uri_type.build(host: datastore['VHOST'] || datastore['RHOSTS'])
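Review bot: the replaced line `uri = uri_type.build(host: datastore['VHOST'] || datastore['RHOSTS'])` only falls back to RHOSTS when VHOST is nil or false; an empty-string VHOST is truthy in Ruby, so a blank VHOST would build a URL with an empty host. Consider computing `host = datastore['VHOST'].to_s.empty? ? datastore['RHOSTS'] : datastore['VHOST']` before the build, and add a spec for `calculate_value` that asserts both the VHOST-takes-precedence case and the blank-VHOST fallback, as the review thread below requests.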
Contributor Author

If we have a VHOST set, we should be attempting to rebuild the full URL from that rather than just using the IP.
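The precedence this comment describes, rebuilt as a stand-alone Ruby helper. This is an added example and not Metasploit's own code: `rebuild_http_url` and `host_header_for` are assumed names, the datastore keys mirror the option names on this page, and the blank-VHOST, port and path handling go beyond the single changed line in the hunk. It also shows why the hostname, not the IP, ends up in the Host header, which is the difference visible in the before/after sessions further down.

```ruby
require 'uri'

# Added example (not Metasploit's own code). Rebuilds an RHOST_HTTP_URL-style
# URL from datastore values the way the patched line does, preferring VHOST
# over RHOSTS, but treats a blank VHOST as unset: an empty string is truthy in
# Ruby, so a bare `datastore['VHOST'] || datastore['RHOSTS']` would yield a
# URL with an empty host. Port and path handling are assumptions added here.
def rebuild_http_url(datastore)
  rhosts = datastore['RHOSTS'].to_s
  return nil if rhosts.empty?

  vhost = datastore['VHOST'].to_s.strip
  host = vhost.empty? ? rhosts : vhost

  uri_type = datastore['SSL'] ? URI::HTTPS : URI::HTTP
  opts = { host: host }

  # Only emit the port when it differs from the scheme default (80 / 443).
  port = datastore['RPORT'].to_i
  opts[:port] = port if port > 0 && port != uri_type.default_port

  # URI.build requires an absolute path; skip anything else.
  path = datastore['TARGETURI'].to_s
  opts[:path] = path if path.start_with?('/')

  uri_type.build(opts).to_s
end

# The Host header an HTTP client sends for a URL: the hostname, with the
# port appended only when it is non-default.
def host_header_for(url)
  uri = URI.parse(url)
  uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample mirroring the session on this page: IP in RHOSTS,
  # /etc/hosts name in VHOST.
  ds = { 'RHOSTS' => '10.10.10.216', 'VHOST' => 'git.laboratory.htb' }
  url = rebuild_http_url(ds)
  puts "URL:  #{url}"
  puts "Host: #{host_header_for(url)}"
end
```

With the constructed sample the URL becomes `http://git.laboratory.htb` and the Host header `git.laboratory.htb`; with VHOST unset or blank the helper falls back to the IP, which is the behaviour the unpatched code produced for every request.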

Contributor

It'd be great to update the existing tests to cover this scenario 👍

Contributor Author

Hmmm, I'll look into that. Could be tricky though; the tests should already be testing that. The problem here is that something else is modifying it 😬

Contributor Author

@adfoster-r7 sorted, I was wrong, very easy after you helped me out 🙃

@gwillcox-r7
Contributor

Before the patch:

msf6 exploit(multi/http/gitlab_file_read_rce) > set HTTPTRACE true
HTTPTRACE => true
msf6 exploit(multi/http/gitlab_file_read_rce) > features set RHOST_HTTP_URL true
RHOST_HTTP_URL => true
[*] Reloading module...
msf6 exploit(multi/http/gitlab_file_read_rce) > use exploit/multi/http/gitlab_file_read_rce
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/http/gitlab_file_read_rce) > set RHOST_HTTP_URL http://git.laboratory.htb
RHOST_HTTP_URL => http://git.laboratory.htb/
msf6 exploit(multi/http/gitlab_file_read_rce) > set username foo
username => foo
msf6 exploit(multi/http/gitlab_file_read_rce) > set password fo
password => fo
msf6 exploit(multi/http/gitlab_file_read_rce) > run

[*] Started reverse TCP handler on 172.25.253.32:4444 
[*] Executing automatic check (disable AutoCheck to override)
####################
# Request:
####################
GET /users/sign_in HTTP/1.1
Host: 10.10.10.216
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


####################
# Response:
####################
HTTP/1.1 302 Found
Date: Tue, 19 Jan 2021 17:11:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://laboratory.htb/users/sign_in
Content-Length: 298
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://laboratory.htb/users/sign_in">here</a>.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 10.10.10.216 Port 80</address>
</body></html>

[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Unexpected HTTP 302 response. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/gitlab_file_read_rce) > 

After the patch:

msf6 > set HTTPTRACE true
HTTPTRACE => true
msf6 > features set RHOST_HTTP_URL true
RHOST_HTTP_URL => true
msf6 > use exploit/multi/http/gitlab_file_read_rce
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/http/gitlab_file_read_rce) > set RHOST_HTTP_URL http://git.laboratory.htb
RHOST_HTTP_URL => http://git.laboratory.htb/
msf6 exploit(multi/http/gitlab_file_read_rce) > set username foo
username => foo
msf6 exploit(multi/http/gitlab_file_read_rce) > set password fo
password => fo
msf6 exploit(multi/http/gitlab_file_read_rce) > run

[*] Started reverse TCP handler on 172.25.253.32:4444 
[*] Executing automatic check (disable AutoCheck to override)
####################
# Request:
####################
GET /users/sign_in HTTP/1.1
Host: git.laboratory.htb
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


####################
# Response:
####################
HTTP/1.1 302 Found
Date: Tue, 19 Jan 2021 17:17:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://git.laboratory.htb/users/sign_in
Content-Length: 308
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://git.laboratory.htb/users/sign_in">here</a>.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at git.laboratory.htb Port 80</address>
</body></html>

[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Unexpected HTTP 302 response. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/gitlab_file_read_rce) > 

@gwillcox-r7 gwillcox-r7 merged commit 0fc8df3 into rapid7:master Jan 19, 2021
@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Jan 19, 2021
@gwillcox-r7
Contributor

gwillcox-r7 commented Jan 19, 2021

Release Notes

Fixed an issue in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries where the VHOST datastore variable would be set incorrectly if a user used an /etc/hosts entry for resolving a hostname to an IP address.

@adfoster-r7
Contributor

Looks like this breaks modules by dropping the vhost in some scenarios:

#14673

@gwillcox-r7
Contributor

Looks like this breaks modules by dropping the vhost in some scenarios:

#14673

Let me know how I can assist in helping to fix this, sorry for the inconvenience!
