Update wanem_exec exploit module #9699
Conversation
|
Nothing like spackle over the fissure to "fix a vuln" eh? |
| }, 25) | ||
| rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
| print_error("Connection failed") | ||
| res = execute_cmdstager :linemax => 2_000, :temp => '/tmp' |
There was a problem hiding this comment.
execute_cmdstager info specifies @return [void]. res is being set to nil even when the exploit works. Maybe the unless res and unless res.code ... checks should be moved to the execute_command function?
@bcoles
|
Jenkins test this please |
|
@bcoles During testing HTTP response times for WANem servers: |
|
@jrobles-r7 That's unusual. The check method times out much faster for me. Closing because I don't care enough about this module enough to bother pursuing it. |
|
Thanks anyway @jrobles-r7 |
This PR updates the linux/http/wanem_exec exploit module; primarily adding documentation, meterpreter cmdstager, and support for WANem 3.x targets.
The original exploit module was written in 2012 and targeted WANem version 2.x. Since then, the developers released version 3.0 Beta and 3.0 Beta 2 in 2013 and 2014 respectively. The new versions patched the exploit (perhaps accidentally) but didn't resolve the underlying issue.
Exploitation methods vary between the 2.x and 3.x branches - largely due to updating the version of the underlying Knoppix operating system in use by the ISO distributions, rather than changes to the code base.
3.x Targets
The targets need to be set manually with
set TARGET [0 or 1]due to differences between the two branches. Adding auto targeting wasn't worth the time investment.Payload and Command Stager
Updated to use a command stager, because why not?
In the process, the poor payload URL encoding in the original exploit has been fixed, and the
send_request_cgiHTTP method has been updated fromGETtoPOSTto decrease the chances of the payload appearing in HTTP access logs.Due to the change in operating system version and shell, different
cmdstager::flavors were tested and known-good flavors are specified for each target, as per above.'Privileged' => false
The original exploit specified
'Privileged' => trueand took advantage of adosubinary which allowed execution of arbitrary commands asroot. This binary has been removed from the 3.x branch, but there's still half a dozen ways to getrootfrom thewww-datauser largely due to a weaksudoconfiguration.Modifying the exploit to privesc for each target version was not worth the time investment. Instead, I opted to set
'Privileged' => false, and document the privesc methods in the documentation.Additionally, it's worth noting that the
dosuprivesc method in the original exploit made use ofclient.shell_command_tokeninon_new_sessionwhich would only work for command shell sessions. It would not work for meterpreter sessions, asdosueffectively launches a new shell in a similar fashion tosudo /bin/sh.Documentation
Documentation to keep h00die happy.
References
The OSVDB references have been removed and the original reference URL reinstated.
The reference URL was erroneously removed from this module a while ago. The script used to clean up dead URLs in module references doesn't take into account instances where the reference URL specified
httpbut the URL now redirects tohttps- flagging them as dead.