Update werkzeug rce module #19533
Update werkzeug rce module #19533
Conversation
| 'Description' => 'This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug ' \ | ||
| 'is included with Flask, but not enabled by default. It is also included in other ' \ | ||
| 'projects, for example the RunServerPlus extension for Django. It may also be used ' \ | ||
| "alone.\n\n" \ | ||
| 'The documentation states the following: "The debugger must never be used on production ' \ | ||
| 'machines. We cannot stress this enough. Do not enable the debugger in production." Of ' \ | ||
| "course this doesn't prevent developers from mistakenly enabling it in production!\n\n" \ | ||
| "Tested against the following Werkzeug versions:\n" \ | ||
| "- 3.0.3 on Debian 12, Windows 11 and macOS 14.6\n" \ | ||
| "- 1.1.4 on Debian 12\n" \ | ||
| "- 1.0.1 on Debian 12\n" \ | ||
| "- 0.11.5 on Debian 12\n" \ | ||
| '- 0.10 on Debian 12', |
There was a problem hiding this comment.
The new lines are required for formatting when the userinfo command is run in msfconsole
|
I'll update the documentation soon to include the logs that were previously verbose |
Done |
|
This looks really nice. Thanks for sending it to us and taking the time to integrate the updates with the existing module. |
bwatters-r7
added
the
rn-modules
| 'Arch' => ARCH_PYTHON, | ||
| 'DefaultTarget' => 0, | ||
| 'DisclosureDate' => '2015-06-28' | ||
| 'DisclosureDate' => 'Jun 28, 2015', |
There was a problem hiding this comment.
Reading this, we realized our documentation was old. Pleas leave the original date format.
Also, please run this module through Rubocop: https://docs.metasploit.com/docs/development/quality/using-rubocop.html#rubocop
There was a problem hiding this comment.
Changed the date, but haven't run it through rubocop yet.
@bwatters-r7, is there a rubocop.yml with rules in that I should use?
There was a problem hiding this comment.
There was a problem hiding this comment.
I've run it through rubocop and it changed a bunch of things, but it also printed out an error:
An error occurred while Layout/ModuleDescriptionIndentation cop was inspecting /home/grobinson/metasploit-framework/modules/exploits/multi/http/werkzeug_debug_rce.rb:17:2
This updates an existing module that only targeted older version of the vulnerable Werkzeug application that didn't include any authentication. The update adds support for newer versions of Werkzeug that do support authentication. The updated module supports the following authentication methods:
When generating a cookie (and PIN), there are 3 different algorithms used, depending on the target selected by the user. This is because the algorithm used to generate the cookie/PIN has changed throughout the application's development.
Verification
msfconsoleuse exploit/multi/http/werkzeug_debug_rceset RHOSTS <Iip>set LHOST <ip>set VHOST 127.0.0.1set MACADDRESS <mac-address>set MACHINEID <machine-id>set FLASKPATH /usr/local/lib/python3.12/site-packages/flask/app.pyrunSample vulnerable app code is included in the documentation, as well as additional verification steps, covering multiple versions of Werkzeug, and multiple exploit paths.