Add module for ZDI-13-190 #2269
Conversation
def send_request_soap(data)
  res = send_request_cgi({
    'uri' => target_uri.path,
Please normalize this to avoid possible double slashes made by the user.
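To illustrate the review point (an added example, not Metasploit's own `normalize_uri` nor code from this PR), the hypothetical `normalize_path` below joins a user-supplied base path such as `TARGETURI` with a fixed suffix and collapses the duplicate slashes that naive concatenation produces; `double_slash?` is a small check for the defect.

```ruby
# Hypothetical helper (not Metasploit's normalize_uri): join URI path
# segments and collapse any run of slashes into one, so a user-supplied
# base like "/endeca/" combined with "/ws/corpus" does not yield
# "/endeca//ws/corpus", which some servers route differently.
def normalize_path(*parts)
  joined = parts.compact.map(&:to_s).join('/')
  # Collapse repeated slashes, drop any leading slash, then add exactly one.
  '/' + joined.gsub(%r{/+}, '/').sub(%r{\A/}, '')
end

# Returns true when a path still contains an unnormalized "//".
def double_slash?(path)
  path.include?('//')
end

# Constructed sample values showing naive concatenation versus normalization.
NAIVE_JOIN = '/endeca/' + '/ws/corpus'          # "/endeca//ws/corpus"
NORMALIZED = normalize_path('/endeca/', '/ws/corpus')

if __FILE__ == $PROGRAM_NAME
  puts "naive:      #{NAIVE_JOIN} (double slash? #{double_slash?(NAIVE_JOIN)})"
  puts "normalized: #{NORMALIZED} (double slash? #{double_slash?(NORMALIZED)})"
end
```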
Even better with a PowerShell cmdstager: 1 cmd exec rather than all the multiple execs > file ;)
@Meatballs1, do you mean executing the PowerShell encoded payload from a web location, like in ms13_005_hwnd_broadcast? If that's the case, I don't much like that option for a server-side exploit.
No like psexec_psh |
@Meatballs1 liked :-) Bad thing (just pointing it out): there isn't really a CMD stager around the psh feature, so there's no command-line split feature; you need to put the full command in just one injection. Shouldn't be an issue in this case, since cmd on W2008 allows really long commands (8191 chars). Doing some calculations to be sure the payloads fit, and updating. Since the supported operating system for Endeca is W2008, I like this way of proceeding. If someone disagrees, just let me know!
Switched to powershell:
Yeah, for most cmd exec on Windows, PowerShell can do a one-liner. If you needed more, it would be possible to do a psh cmd stager to drop a ps1 (or into env vars) that can auto-detect the architecture too (would have to drop both payloads). Avoids writing a stock exe, so it's much less likely to be picked up by AV.
Tested successfully with Oracle Endeca Server 7.4.0.787 / Microsoft Windows 2008 R2. Oracle Endeca Server can be downloaded from: http://www.oracle.com/technetwork/middleware/endecaserver/downloads/endeca-server-downloads-1721978.html
The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows-specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64-bit).
Test: