Cypress ctm200 command injection #19426
Conversation
This module exploits a command injection vulnerability in the Cypress Solutions CTM-200 version 2.7.1.
By injecting commands via the `fw_url` POST parameter in the `ctm-config-upgrade.sh` script,
an attacker can execute arbitrary commands as the root user.
|
It looks like this is failing our liniting process: If you have any questions, let us know! |
bwatters-r7
added
the
needs-linting
|
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems. |
1 file inspected, 40 offenses detected, 34 offenses corrected, 2 more offenses can be corrected with `rubocop -A`
|
Deleted a bunch of files? |
|
This is the second PR I've seen in the last 24 hours with files deleted that I think was unintended....? |
| 'Arch' => [ARCH_CMD, ARCH_ARM], | ||
| 'Targets' => [ | ||
| ['Automatic', {}], | ||
| ['ARM Linux', { 'Arch' => ARCH_ARM }] |
There was a problem hiding this comment.
| ['ARM Linux', { 'Arch' => ARCH_ARM }] | |
| ['ARM Linux', { 'Arch' => ARCH_ARM }], | |
| ['CMD Linux', { 'Arch' => ARCH_CMD }] |
| def exploit | ||
| if target.name == 'ARM Linux' | ||
| # Use CmdStager for ARM payloads | ||
| cmd_exec payload.encoded |
There was a problem hiding this comment.
I don't see where cmd_exec defined for this context?
To use CmdStager, you must implement the execute_command method, then call the builtin execute_cmdstager method that will use your execute_command method. See https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.htm
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
| 'Payload' => { | ||
| 'Space' => 2048, | ||
| 'BadChars' => '' | ||
| }, |
There was a problem hiding this comment.
These settings probably need to be different between the two targets.
| 'DefaultOptions' => { | ||
| 'PAYLOAD' => 'cmd/unix/reverse_netcat' | ||
| } |
There was a problem hiding this comment.
This should also be defined in the target, if it needs to be defined at all. As it is now, it'll be an invalid payload for the ARM target.
I think the author's antivirus ate them. |
Architecture Support: Added support for ARM-based payloads alongside the existing command-based payloads, including the use of the CmdStager mixin for ARM targets.
TARGETURI Handling: Updated the TARGETURI option to handle non-standard installation directories by defaulting to / and adjusted the request path accordingly.
Option Cleanup: Removed explicit datastore options (RHOST, LHOST, LPORT) as they are included with the payload and no longer needed in the module's options.