Add module IGEL OS Remote Command Execution #14947
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Please also run |
Hi, thank you for the module! I left a few comments, mostly related to stylistic changes and leveraging some of Framework's mixins. Please let me know if you have any questions. Thanks!
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
- had to switch away from python payload to appease CmdStager
- removed systemd service adjustments preferring to use sleep to avoid rate limits
- updated check function to accommodate more current vulnerable version information in vendor advisory
Retested and the changes worked great. Thanks so much!
I went ahead and added the |
Release Notes
New module |
Vulnerable Application
IGEL OS before 11.04.270 and 10.06.220 are vulnerable to remote command execution into a system() call via Secure Terminal and Secure Shadow services.
This module uses the vulnerability to modify certain systemd limits for the targeted service before transferring the payload; this is done to increase payload transfer throughput and preserve service stability. After exploitation these changes are reverted.
Secure Terminal/telnet_ssl_connector: 30022/tcp
Secure Shadow/vnc_ssl_connector: 5900/tcp
Verification Steps
Download a vulnerable IGEL OS version (e.g. 11.04.130) from: https://www.igel.com/software-downloads/workspace-edition/.
Unpack the downloaded zip file and create a VM using the included .iso.
Navigate through the installation menus to install the firmware; reboot when prompted.
After the reboot, work through the presented configuration wizard. In the Activation section use the starter license (selected by default). Skip the ICG Agent Setup. Upon completion the system will reboot again.
Turn on vulnerable services
Exploitation
use exploit/linux/misc/igel_command_injection
set RHOST [TARGET IP]
set RPORT [30022 or 5900]
set LHOST [LOCAL IP]
exploit
Misc
To obtain the IGEL's IP address to test against, click the up/down arrows on the right side of the task bar, then click "More Details". A shell is available on a virtual console via ctrl+alt+F11; switch back to the GUI with ctrl+alt+F1.
This module has been successfully tested against IGEL OS 11.04.130 and 10.05.500 with Metasploit Framework 6.0.31-dev on Kali.
Scenarios
IGEL OS 11.04.130
Targeting the Secure Terminal service (30022/tcp):
IGEL OS 10.05.500
Targeting the Secure Shadowing service (5900/tcp):
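
Added example, not part of the pull request or the module: a defender-side inventory audit that applies the affected versions and service ports listed under Vulnerable Application. It assumes each major branch (10.x, 11.x) is compared only against its own fixed release; the inventory format, function names, and host names are constructed for this example.

```ruby
# Added example: inventory audit using the versions and ports named on this page.
# Assumption: a 10.x or 11.x firmware is compared only against the fixed release
# of its own branch; any other branch is reported as :unknown for manual review.
FIXED = { 10 => [10, 6, 220], 11 => [11, 4, 270] }.freeze
SERVICE_PORTS = { 30022 => 'Secure Terminal', 5900 => 'Secure Shadow' }.freeze

# Returns :vulnerable, :fixed or :unknown for a firmware version string.
def igel_version_status(version)
  return :unknown unless version.to_s.strip =~ /\A(\d+)\.(\d+)\.(\d+)\z/

  parts = [$1.to_i, $2.to_i, $3.to_i]
  fixed = FIXED[parts.first]
  return :unknown if fixed.nil?

  (parts <=> fixed) < 0 ? :vulnerable : :fixed
end

# Parses "host,version,port;port" lines (hypothetical format) into findings.
def audit_inventory(csv_text)
  csv_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    host, version, ports = line.split(',', 3).map { |f| f.to_s.strip }
    exposed = ports.to_s.split(';').map(&:to_i) & SERVICE_PORTS.keys
    status = igel_version_status(version)
    priority =
      if status == :vulnerable && !exposed.empty? then :patch_now
      elsif status == :vulnerable then :patch
      elsif status == :unknown then :review
      else :ok
      end
    { host: host, version: version, status: status,
      exposed: exposed.map { |p| SERVICE_PORTS[p] }, priority: priority }
  end
end

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = <<~CSV
  # host,firmware,open tcp ports
  tc-lobby-01,11.04.130,22;30022
  tc-ward-07,10.05.500,5900
  tc-lab-03,11.04.270,30022;5900
  tc-store-02,10.06.100,
  tc-old-09,5.13.1,5900
  tc-bad-11,unknown,30022
CSV

if __FILE__ == $PROGRAM_NAME
  audit_inventory(SAMPLE).each { |f| puts f.values_at(:host, :version, :status, :priority).join("\t") }
end
```

Hosts marked patch_now run an affected firmware with one of the two services reachable; review entries have a version the check cannot classify.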