
feat: Allow explicit SSL configuration in start_service method #19330

Merged
merged 5 commits into from
Sep 5, 2024

Conversation

heyder
Contributor

@heyder heyder commented Jul 19, 2024

The start_service method now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore['SSL'].

This change enhances the flexibility and usability of the start_service method, preventing unintended behavior when users need to control the SSL setting explicitly.

Closes #19329
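The opts-over-datastore resolution the description refers to, as an added illustration that is not Metasploit's own code: a constructed FakeModule stands in for a module's datastore, and shows why an explicit 'ssl' => false has to be honoured by key presence rather than truthiness, beside the ssl_restore toggle the modules used before this change. Method names and the datastore shape are assumptions made for the example.

```ruby
# Constructed stand-in for a module with a datastore (not the framework's class).
class FakeModule
  attr_reader :datastore

  def initialize(ssl:)
    @datastore = { 'SSL' => ssl }
  end

  # Naive resolution: `||` treats an explicit `false` as "not given", so
  # 'ssl' => false silently falls back to datastore['SSL'].
  def resolve_ssl_naive(opts = {})
    opts['ssl'] || datastore['SSL']
  end

  # Resolution matching the behaviour the PR describes: use opts['ssl']
  # whenever the key is present (even when it is false), otherwise
  # fall back to datastore['SSL'].
  def resolve_ssl(opts = {})
    opts.key?('ssl') ? opts['ssl'] : datastore['SSL']
  end

  # The pre-change workaround: flip the global SSL value around the call
  # and restore it afterwards. Any exception between the two assignments
  # leaves the datastore altered, and the mutation is shared module-wide.
  def start_plain_service_old
    ssl_restore = false
    if datastore['SSL']
      datastore['SSL'] = false
      ssl_restore = true
    end
    used = resolve_ssl_naive   # listener sees datastore['SSL'] == false
    datastore['SSL'] = true if ssl_restore
    used
  end

  # The post-change form: request a plaintext listener explicitly via opts,
  # leaving datastore['SSL'] untouched.
  def start_plain_service_new
    resolve_ssl('ssl' => false)
  end
end

mod = FakeModule.new(ssl: true)
mod.resolve_ssl_naive('ssl' => false)  # => true  (explicit false ignored)
mod.resolve_ssl('ssl' => false)        # => false (explicit false honoured)
mod.start_plain_service_new            # => false
```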

heyder added 2 commits July 19, 2024 12:33
@heyder
Contributor Author

heyder commented Jul 19, 2024

The following modules might benefit from this feature:

$  git grep   'ssl_restore = true'
modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb:        ssl_restore = true
modules/exploits/linux/http/dlink_dir615_up_exec.rb:        ssl_restore = true
modules/exploits/linux/http/dlink_hnap_login_bof.rb:        ssl_restore = true
modules/exploits/linux/http/linksys_e1500_apply_exec.rb:        ssl_restore = true
modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb:        ssl_restore = true
modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb:        ssl_restore = true
modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb:        ssl_restore = true
modules/exploits/linux/http/trendmicro_websecurity_exec.rb:      ssl_restore = true
modules/exploits/linux/http/vestacp_exec.rb:      ssl_restore = true
modules/exploits/linux/http/vestacp_exec.rb:      ssl_restore = true
modules/exploits/linux/smtp/exim4_dovecot_exec.rb:        ssl_restore = true
modules/exploits/multi/http/bassmaster_js_injection.rb:      ssl_restore = true
modules/exploits/multi/http/mutiny_subnetmask_exec.rb:      ssl_restore = true
modules/exploits/multi/http/rails_dynamic_render_code_exec.rb:      ssl_restore = true
modules/exploits/multi/http/struts_default_action_mapper.rb:      ssl_restore = true
modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb:      ssl_restore = true
modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb:      ssl_restore = true
modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb:        ssl_restore = true
modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb:      ssl_restore = true

@jheysel-r7 jheysel-r7 self-assigned this Sep 4, 2024

@jheysel-r7 jheysel-r7 left a comment


Thank you @heyder for taking the time to fix this properly and for going back and refactoring all the modules that shared the same pattern, much appreciated.

After running the same grep command as you, I just have one suggestion, but agree that the ssl_restore instances in trendmicro_websecurity_exec and vestacp_exec.rb are unaffected by this change.

Before:

msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set ssl false
ssl => false
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set rport 80
rport => 80
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set rhost localhost
rhost => localhost
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://172.16.199.1:8080/
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set rport 443
rport => 443
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://172.16.199.1:8080/
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

After:

msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > reload_lib lib/msf/core/exploit/remote/http_server.rb
[*] Reloading /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http_server.rb

msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://172.16.199.1:8080/
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set rport 80
rport => 80
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://172.16.199.1:8080/
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore

Suggested change
datastore['SSL'] = true if ssl_restore
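Review bot: dropping `datastore['SSL'] = true if ssl_restore` is right once the listener is started with `'ssl' => false` passed explicitly, but the matching `ssl_restore = true` assignment the grep above found in this module (and whatever sets datastore['SSL'] to false before the start_service call) should be removed in the same change; otherwise ssl_restore becomes an unused local and, if the restore line alone is deleted, the datastore is left pointing at false after the run.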

@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Sep 5, 2024
@jheysel-r7 jheysel-r7 merged commit 1527104 into rapid7:master Sep 5, 2024
63 checks passed
@jheysel-r7
Contributor

jheysel-r7 commented Sep 5, 2024

Release Notes

The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].

@heyder heyder deleted the feature/19329 branch September 12, 2024 07:34
Successfully merging this pull request may close these issues.

Allow Explicit SSL Configuration for start_service Method