Cypress ctm200 command injection #19426
This module exploits a command injection vulnerability in the Cypress Solutions CTM-200 version 2.7.1. By injecting commands via the `fw_url` POST parameter in the `ctm-config-upgrade.sh` script, an attacker can execute arbitrary commands as the root user.
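The bug class the PR description refers to, shown from the hardening side as an added example (this is not code from the PR or from the CTM-200 firmware): an upgrade handler that interpolates the `fw_url` parameter into a shell string, beside a version that validates the value and passes it as a single argv element so no shell ever interprets it. The download command, the destination path `/tmp/firmware.bin` and the `10.0.0.5` sample values are assumptions made for the illustration, not details from the page.

```ruby
require 'uri'
require 'open3'

# Constructed illustration of the vulnerable pattern: the POST parameter is
# interpolated into a command line that a shell will parse, so shell syntax
# inside fw_url becomes additional commands. Assumed shape, not the real script.
def unsafe_upgrade_command(fw_url)
  "wget -O /tmp/firmware.bin #{fw_url}" # would be handed to `sh -c`
end

# Shell metacharacters worth alerting on when they show up in a fw_url value.
SHELL_METACHARS = /[;&|`$<>(){}\n\r]/

def shell_metacharacters?(value)
  SHELL_METACHARS.match?(value)
end

# Allowlist validation: the value must parse as an http(s) URL with a host.
# URL syntax itself permits "$", "(" and ";", so parsing alone does not rule
# out injection; it only rejects malformed input such as embedded spaces.
def valid_fw_url?(value)
  uri = URI.parse(value)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Hardened form: build an argv array so the parameter is always exactly one
# argument. Returns nil for input that fails validation.
def upgrade_argv(fw_url, dest = '/tmp/firmware.bin')
  return nil unless valid_fw_url?(fw_url)

  ['wget', '-O', dest, fw_url]
end

# Argv-style execution (defined for completeness, not invoked in this demo).
# Open3 with a list of arguments execs the program directly, not /bin/sh -c.
def run_upgrade(fw_url)
  argv = upgrade_argv(fw_url)
  raise ArgumentError, 'rejected fw_url' if argv.nil?

  out, status = Open3.capture2e(*argv)
  [status.success?, out]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: one benign, two carrying shell syntax.
  ['http://10.0.0.5/fw.bin', 'http://10.0.0.5/fw.bin; id', 'http://10.0.0.5/$(id)'].each do |v|
    puts "#{v.inspect}: metachars=#{shell_metacharacters?(v)} " \
         "valid=#{valid_fw_url?(v)} argv=#{upgrade_argv(v).inspect}"
  end
end
```

The third sample value is the instructive one: it is a syntactically valid URL, so `valid_fw_url?` accepts it, yet `shell_metacharacters?` flags it. Validation is useful for logging and rejecting junk, but the fix that actually closes the injection is the argv form, where the whole string reaches `wget` as one argument.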
It looks like this is failing our linting process:
If you have any questions, let us know!
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
1 file inspected, 40 offenses detected, 34 offenses corrected, 2 more offenses can be corrected with `rubocop -A`
Deleted a bunch of files?

This is the second PR I've seen in the last 24 hours with files deleted that I think was unintended....?
```ruby
        'Arch' => [ARCH_CMD, ARCH_ARM],
        'Targets' => [
          ['Automatic', {}],
          ['ARM Linux', { 'Arch' => ARCH_ARM }]
```
Suggested change:

```diff
-          ['ARM Linux', { 'Arch' => ARCH_ARM }]
+          ['ARM Linux', { 'Arch' => ARCH_ARM }],
+          ['CMD Linux', { 'Arch' => ARCH_CMD }]
```
```ruby
  def exploit
    if target.name == 'ARM Linux'
      # Use CmdStager for ARM payloads
      cmd_exec payload.encoded
```
I don't see where `cmd_exec` is defined for this context?

To use CmdStager, you must implement the `execute_command` method, then call the builtin `execute_cmdstager` method that will use your `execute_command` method. See https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.htm
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
```ruby
        'Payload' => {
          'Space' => 2048,
          'BadChars' => ''
        },
```
These settings probably need to be different between the two targets.
```ruby
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat'
        }
```
This should also be defined in the target, if it needs to be defined at all. As it is now, it'll be an invalid payload for the ARM target.
I think the author's antivirus ate them.

I'm going to attic this. If you'd like to continue working on it, just let us know and we can reopen it. Thanks!
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it What does this generally mean? It could be one or more of several things:
We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
Architecture Support: Added support for ARM-based payloads alongside the existing command-based payloads, including the use of the CmdStager mixin for ARM targets.
TARGETURI Handling: Updated the TARGETURI option to handle non-standard installation directories by defaulting to / and adjusted the request path accordingly.
Option Cleanup: Removed explicit datastore options (RHOST, LHOST, LPORT) as they are included with the payload and no longer needed in the module's options.