enable MeterpreterTryToFork by default for aerohive_netconfig_lfi_log_poison_rce #16735

Merged
Expand Up @@ -19,10 +19,9 @@ This request includes two POST parameters:
2. The parameter that is used to execute commands via `/tmp/messages`.
In our example the name would be `cmd`, but the module sets this to an arbitrary value.

Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open.
Closing the session should render the app responsive again. It is also possible that enabling the meterpreter option
'TryToFork` might prevent the application hang after exploitation, but given access constraints we were unable to verify the
resultant behavior for enabling that option. Try at your own risk (but let us know how it goes if you do).
Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open.
If the Linux target is selected with a meterpreter payload, the `MeterpreterTryToFork` option is likely to prevent this,
and is therefore enabled by default. If the app does hang, closing the session should render the app responsive again.

The module provides an automatic cleanup option to clean the log.
However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed,
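Review bot: the rewritten documentation paragraph drops the earlier caveat that the fork behaviour could not be verified against a real appliance ("given access constraints we were unable to verify the resultant behavior"), yet still only says the option "is likely to prevent" the hang. If `MeterpreterTryToFork` has since been tested against the target, say so here; if not, keep a sentence stating that it is untested so readers understand why "may hang" and "likely" are hedged. It would also help to state plainly that the option only affects meterpreter payloads, so the hang should still be expected when a non-meterpreter payload is chosen.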
Expand Up @@ -26,8 +26,10 @@ def initialize(info = {})
issue in conjunction with log poisoning to gain RCE as root.

Upon successful exploitation, the Aerohive NetConfig application
will hang for as long as the spawned shell remains open. Closing
the session should render the app responsive again.
may hang for as long as the spawned shell remains open. For the
Linux target, the MeterpreterTryToFork option (enabled by default)
will likely prevent this. If the app hangs, closing the session
should render it responsive again.

The module provides an automatic cleanup option to clean the log.
However, this option is disabled by default because any modifications
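Review bot: the module description now says the option is "enabled by default" for the Linux target, but `MeterpreterTryToFork` only has an effect when a meterpreter payload is in use; a user who switches the Linux target to a non-meterpreter payload will get the hang with no warning. Consider phrasing it as "with the default meterpreter payload" or adding one sentence that other payloads will still hang the application until the session is closed.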
Expand Down Expand Up @@ -59,7 +61,8 @@ def initialize(info = {})
'Platform' => 'linux',
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
'CMDSTAGER::FLAVOR' => 'curl'
'CMDSTAGER::FLAVOR' => 'curl',
'MeterpreterTryToFork' => true # prevent the web server from hanging when we get a meterpreter session
}
}
],
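Review bot: the inline comment on the new `'MeterpreterTryToFork' => true` line states flatly that it prevents the web server from hanging, while the module description in the same change hedges with "will likely prevent". Align the two, for example `# likely prevents the web server from hanging when we get a meterpreter session`, so the code does not promise more than the documentation does. Since these `DefaultOptions` belong to the Linux target only, also confirm that any other target in the module either gets the same default or documents that the hang still applies.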