Update wanem_exec exploit module #9699
Nothing like spackle over the fissure to "fix a vuln" eh?
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("Connection failed")
res = execute_cmdstager :linemax => 2_000, :temp => '/tmp'
execute_cmdstager info specifies @return [void]. res is being set to nil even when the exploit works. Maybe the unless res and unless res.code ... checks should be moved to the execute_command function?
@bcoles
fixed
Jenkins test this please
@bcoles During testing, HTTP response times for WANem servers:
@jrobles-r7 That's unusual. The check method times out much faster for me. Closing because I don't care about this module enough to bother pursuing it.
Thanks anyway @jrobles-r7
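The review point above (execute_cmdstager is documented @return [void], so res is nil even when the exploit works) reproduced as an added example. This is not code from the wanem_exec module or from the Metasploit framework: the ExploitBase stand-in, FakeResponse, StagerError and the transport block are assumed stand-ins that mimic only the behaviour the comment describes, and the commands and status codes fed to them are constructed.

```ruby
# Added example: a stand-in for the command-stager mixin, not code from the
# wanem_exec module or the Metasploit framework. It reproduces the review
# point that execute_cmdstager is documented `@return [void]`, so a check on
# its return value can never see whether the staged requests succeeded.

# Stand-in for an HTTP response; only the status code matters here.
FakeResponse = Struct.new(:code)

class StagerError < StandardError; end

class ExploitBase
  # transport stands in for send_request_cgi: it receives one command chunk
  # and returns a FakeResponse, or nil when no reply came back.
  def initialize(command, linemax: 2_000, &transport)
    @command = command
    @linemax = linemax
    @transport = transport
  end

  # Splits the command into linemax-sized chunks and hands each one to
  # execute_command. As in the real mixin it returns nil (void), so the
  # caller learns nothing from its return value.
  def execute_cmdstager
    @command.scan(/.{1,#{@linemax}}/m).each { |chunk| execute_command(chunk) }
    nil
  end

  def execute_command(_chunk)
    raise NotImplementedError
  end
end

# Pattern from the diff under review: res holds the (always nil) stager
# return value, so the exploit reports "Connection failed" even when every
# request got a 200.
class CheckAfterStager < ExploitBase
  def execute_command(chunk)
    @transport.call(chunk)
  end

  def exploit
    res = execute_cmdstager
    raise StagerError, 'Connection failed' unless res
    raise StagerError, "Unexpected reply #{res.code}" unless res.code == 200
    :session
  end
end

# Fix suggested in the review: check each response where it is actually
# available, inside execute_command, so the first failed chunk aborts.
class CheckInExecuteCommand < ExploitBase
  def execute_command(chunk)
    res = @transport.call(chunk)
    raise StagerError, 'Connection failed' unless res
    raise StagerError, "Unexpected reply #{res.code}" unless res.code == 200
    res
  end

  def exploit
    execute_cmdstager
    :session
  end
end

# Returns :session on success or the failure message, for comparison.
def run_exploit(klass, command, linemax: 2_000, &transport)
  klass.new(command, linemax: linemax, &transport).exploit
rescue StagerError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  always_ok = proc { |_chunk| FakeResponse.new(200) }
  puts run_exploit(CheckAfterStager, 'id', &always_ok)      # Connection failed
  puts run_exploit(CheckInExecuteCommand, 'id', &always_ok) # session
end
```

With the check moved into execute_command, a 2_000-byte linemax still splits a long payload into several requests, and the first chunk that gets no reply or a non-200 status aborts the stager with a message that names the actual failure instead of an unconditional "Connection failed".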
This PR updates the linux/http/wanem_exec exploit module; primarily adding documentation, meterpreter cmdstager, and support for WANem 3.x targets.
The original exploit module was written in 2012 and targeted WANem version 2.x. Since then, the developers released version 3.0 Beta and 3.0 Beta 2 in 2013 and 2014 respectively. The new versions patched the exploit (perhaps accidentally) but didn't resolve the underlying issue.
Exploitation methods vary between the 2.x and 3.x branches - largely due to updating the version of the underlying Knoppix operating system in use by the ISO distributions, rather than changes to the code base.
3.x Targets
The targets need to be set manually with set TARGET [0 or 1] due to differences between the two branches. Adding auto targeting wasn't worth the time investment.
Payload and Command Stager
Updated to use a command stager, because why not?
In the process, the poor payload URL encoding in the original exploit has been fixed, and the send_request_cgi HTTP method has been updated from GET to POST to decrease the chances of the payload appearing in HTTP access logs.
Due to the change in operating system version and shell, different cmdstager::flavors were tested and known-good flavors are specified for each target, as per above.
'Privileged' => false
The original exploit specified 'Privileged' => true and took advantage of a dosu binary which allowed execution of arbitrary commands as root. This binary has been removed from the 3.x branch, but there's still half a dozen ways to get root from the www-data user, largely due to a weak sudo configuration.
Modifying the exploit to privesc for each target version was not worth the time investment. Instead, I opted to set 'Privileged' => false, and document the privesc methods in the documentation.
Additionally, it's worth noting that the dosu privesc method in the original exploit made use of client.shell_command_token in on_new_session, which would only work for command shell sessions. It would not work for meterpreter sessions, as dosu effectively launches a new shell in a similar fashion to sudo /bin/sh.
Documentation
Documentation to keep h00die happy.
References
The OSVDB references have been removed and the original reference URL reinstated.
The reference URL was erroneously removed from this module a while ago. The script used to clean up dead URLs in module references doesn't take into account instances where the reference URL specified http but the URL now redirects to https, flagging them as dead.
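As an added example for the References note above (not the framework's own reference clean-up script), the following checker classifies a reference from a single request without following redirects, so a 3xx whose Location only moves an http:// reference to https:// on the same host is reported as a live reference to rewrite rather than a dead one. The function names, the www.example.com host and the status codes and Location values used below are constructed for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Added example, not the reference clean-up script mentioned in the PR.
# Classify one reference URL from the status code and Location header of a
# single request (no redirect following), so an http:// reference that now
# only redirects to https:// is reported as :upgrade_to_https, not :dead.
def classify_reference(url, status, location = nil)
  return :alive if status.between?(200, 299)
  return :dead unless status.between?(300, 399) && location

  original = URI(url)
  target = URI.join(url, location) # resolves relative Location headers too
  path = ->(u) { u.path.to_s.empty? ? '/' : u.path }

  scheme_upgrade = original.scheme == 'http' && target.scheme == 'https'
  same_host = original.host.to_s.downcase == target.host.to_s.downcase
  same_resource = path.call(original) == path.call(target) && original.query == target.query

  scheme_upgrade && same_host && same_resource ? :upgrade_to_https : :moved
end

# Live check: one HEAD request, then classify. Network and TLS errors are
# reported as :dead, which is what a clean-up script would act on.
def check_reference(url, open_timeout: 5, read_timeout: 10)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                  open_timeout: open_timeout, read_timeout: read_timeout) do |http|
    res = http.head(uri.request_uri)
    classify_reference(url, res.code.to_i, res['location'])
  end
rescue SocketError, SystemCallError, Net::OpenTimeout, Net::ReadTimeout, OpenSSL::SSL::SSLError
  :dead
end

if __FILE__ == $PROGRAM_NAME
  # Constructed response; www.example.com is a placeholder host.
  puts classify_reference('http://www.example.com/advisory', 301,
                          'https://www.example.com/advisory') # upgrade_to_https
  puts check_reference(ARGV[0]) if ARGV[0]
end
```

Only :dead should lead to a reference being dropped; :upgrade_to_https is the case the description says the clean-up script got wrong, and :moved is worth a manual look because the new location may or may not still be the original advisory.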