added Sage X3 modules #15400

Merged
merged 16 commits into from
Jul 21, 2021

@deadjakk deadjakk commented Jul 7, 2021

This exploits a vulnerability in the Sage X3 administrative service which results in an unauthenticated remote command execution. This branch contains the following three files:

  • modules/exploits/x3/x3_adxsrv_cmd.rb | the remote command execution exploit module
  • modules/auxiliary/scanner/x3/x3_adxsrv_login.rb | a login scanner for the X3 service
  • lib/metasploit/framework/login_scanner/x3.rb | a ruby port of the X3Crypt function used by the X3 service for x3_login

Reference: https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/
Tagging @wvu-r7 per request

Verification

  • Start msfconsole
  • use exploit/x3/x3_adxsrv_cmd
  • set the RHOSTS
  • set the RPORT
  • run
  • Confirm you received the output nt authority\system

Output Images

Remote Command Exploit

screenshot-show-info

screenshot-all-targets-running

Login Scanner

screenshot-login-scanner

- Updated default port number to match documentation
- Updated the str append to '<<'
- Fixed issue with the login scanner returning false positives
- Removed rank from login scanner
- Removed Custom Executable target in favor of EXE::CUSTOM
- Moved the X3Crypt code out of the exception block
- Added additional checks to the exploit module, the same that were made in login_scanner
- Changed the check function to produce the proper return 'CheckCode' values
@wvu added the library, module, needs-docs, and needs-linting (The module needs additional work to pass our automated linting rules) labels Jul 7, 2021

github-actions bot commented Jul 7, 2021

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.


github-actions bot commented Jul 7, 2021

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@wvu wvu self-assigned this Jul 7, 2021
@wvu wvu marked this pull request as draft July 7, 2021 19:10

@bcoles bcoles left a comment

A couple of these files are missing license headers.

Also, not that it really matters, but sometimes review can take a while, and modules can be merged faster if they're split into multiple PRs, i.e., one PR for the login scanner library + module, and one for the exploit module. However, if the exploit module is going to be updated to use the scanner modules as a CheckModule then disregard this comment.

deadjakk and others added 4 commits July 7, 2021 18:50
Co-authored-by: bcoles <bcoles@gmail.com>
Co-authored-by: bcoles <bcoles@gmail.com>
- Renamed exploit module to x3_adxsrv_auth_bypass_cmd_exec.rb
- Changed print_bad to fail_with
- Updated Name in module to reflect the auth bypass element
- Updated the rand number generation
- Added error checking to adxdir function return value
- Changed payload variable name -> sage_payload
deadjakk and others added 3 commits July 8, 2021 10:29
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@wvu removed the needs-linting (The module needs additional work to pass our automated linting rules) label Jul 20, 2021
@wvu wvu force-pushed the SageX3-CVE-2020-7388 branch 3 times, most recently from cdd8f83 to aefdb8d Compare July 20, 2021 21:46
@wvu wvu force-pushed the SageX3-CVE-2020-7388 branch 6 times, most recently from 61d765b to edfc680 Compare July 20, 2021 23:36
@wvu wvu removed the needs-docs label Jul 21, 2021
@wvu wvu marked this pull request as ready for review July 21, 2021 00:27
@wvu wvu added the docs label Jul 21, 2021
@wvu wvu dismissed smcintyre-r7’s stale review July 21, 2021 00:40

Comments addressed.

wvu added 2 commits July 20, 2021 20:07
Mostly RuboCop and refactoring.
@wvu wvu merged commit af0092f into rapid7:master Jul 21, 2021

wvu commented Jul 21, 2021

Release Notes

Added a Sage X3 login scanner and CVE-2020-7387 + CVE-2020-7388 exploit.

@gwillcox-r7 added the rn-modules (release notes for new or majorly enhanced modules) label Jul 23, 2021