Add user context exploit

2026-02-21 11:18:06 +00:00 · 2023-04-20 00:10:17 +01:00
parent b61a5bdd3f
commit 13357c3c0c
5 changed files with 86 additions and 46 deletions
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
@@ -1,11 +1,10 @@
 class jboss::flags {
-  # this is how secgen
-##  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-  $leaked_filenames = ["flagsecret"] ##$secgen_parameters['leaked_filenames']
-  $strings_to_leak = ["flag message"] ##$secgen_parameters['strings_to_leak']
-  
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
  ::secgen_functions::leak_files { 'jboss-flag':
-    storage_directory => "/opt/jboss-6.1.0.Final",
+    storage_directory => '/opt/jboss-6.1.0.Final',
    leaked_filenames  => $leaked_filenames,
    strings_to_leak   => $strings_to_leak,
    leaked_from       => 'jboss',
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
@@ -1,25 +1,35 @@
 class jboss::install {
-  Exec {
-    path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'], 
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
    environment => ['JAVA_HOME="/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java"']}

  ensure_packages(['apt-transport-https', 'ca-certificates', 'wget', 'dirmngr', 'gnupg', 'software-properties-common'])

+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
  file { '/usr/local/java':
    ensure => 'directory'
-  } ->
-  file { '/usr/local/java/jre-archive-files':
-    source => 'puppet:///modules/jboss/jre-archive-files',
-    ensure => directory,
+  }
+  -> file { '/usr/local/java/jre-archive-files':
+    ensure  => directory,
+    source  => 'puppet:///modules/jboss/jre-archive-files',
    recurse => true,
-  } ->
-  exec { 'extract-java':
+  }
+  -> exec { 'extract-java':
    command => 'cat jre-archive-files/jre* > jre-8u351-linux-x64.tar.gz; tar -xvzf jre-8u351-linux-x64.tar.gz',
-    cwd => '/usr/local/java',
+    cwd     => '/usr/local/java',
    creates => '/usr/local/java/jre1.8.0_351'
-  } ->
-  tidy {'delete-jre-archive-parts':
-    path => '/usr/local/java/jre-archive-files',
+  }
+  -> tidy {'delete-jre-archive-parts':
+    path    => '/usr/local/java/jre-archive-files',
    recurse => true,
  }
  tidy {'delete-jre-archive':
@@ -27,22 +37,25 @@ class jboss::install {
  }
  exec { 'change-java-install-dir-permissions':
    command => 'chmod -R 755 /usr/local/java',
-  } ->
-  exec { 'update-java-location':
+  }
+  -> exec { 'update-java-location':
    command => 'sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jre1.8.0_351/bin/java" 1',
-  } ->
-  file { '/opt/jboss-archive-files':
-    source => 'puppet:///modules/jboss/jboss-archive-files',
-    ensure => directory,
+  }
+  -> file { '/opt/jboss-archive-files':
+    ensure  => directory,
+    source  => 'puppet:///modules/jboss/jboss-archive-files',
    recurse => true,
-  } ->
-  exec { 'unzip-jboss':
+  }
+  -> exec { 'unzip-jboss':
    command => 'cat jboss-archive-files/jboss* > jboss-as-distribution-6.1.0.Final.zip; unzip jboss-as-distribution-6.1.0.Final.zip',
-    cwd => '/opt',
+    cwd     => '/opt',
    creates => '/opt/jboss-6.1.0.Final/bin'
-  } ->
-  tidy {'delete-jboss-archive-parts':
-    path => '/opt/jboss-archive-files',
+  }
+  -> exec { 'chown-jboss':
+    command => "chown -R ${user} /opt/jboss-6.1.0.Final/",
+  }
+  -> tidy {'delete-jboss-archive-parts':
+    path    => '/opt/jboss-archive-files',
    recurse => true,
  }
  tidy {'delete-jboss-archive':
@@ -51,14 +64,15 @@ class jboss::install {
  exec { 'set-listening-interface':
    command => 'echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> /opt/jboss-6.1.0.Final/bin/run.conf; mkdir /opt/made-interface',
    creates => '/opt/made-interface'
-  } ->
-  exec { 'change-permissions':
+  }
+  -> exec { 'change-permissions':
    command => 'chmod a+x /opt/jboss-6.1.0.Final',
-  } ->
-  file { '/etc/systemd/system/jboss.service':
-    source => 'puppet:///modules/jboss/jboss.service'
-  } ->
-  exec { 'enable-jboss-service-using-systemd':
-    command => 'systemctl enable --now jboss'
+  }
+  -> file { '/etc/systemd/system/jboss.service':
+    content => template('jboss/jboss.service.erb'),
+  }
+  -> service { 'jboss':
+    ensure => running,
+    enable => true,
  }
 }
--- a/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml
@@ -1,29 +1,36 @@
 <?xml version="1.0"?>
-<vulnerability xmlns="http://github.com/cliffe/SecGen/vulnerability"
-               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-               xsi:schemaLocation="http://github.com/cliffe/SecGen/vulnerability">
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">

  <name>JBOSS EAP/AS Remoting Unified Invoker RCE</name>
  <author>Harry J. Hall</author>
+  <author>James Davis</author>
  <module_license>MIT</module_license>
-  <description>JBOSS EAP versions 6.x contain an RCE vulnerability that can be executed by a unauthenticated user.
+  <description>JBOSS EAP versions 6.x contain an RCE vulnerability that can be executed by a
+    unauthenticated user.
    This invovles sending a serialized Java object to JBOSS EAP over a network.</description>

  <type>Java web exploit</type>
-  <privilege>root_rwx</privilege>
+  <privilege>user_rwx</privilege>
  <access>remote</access>
  <platform>linux</platform>
  <difficulty>medium</difficulty>

-  <read_fact>server_name</read_fact>
  <read_fact>strings_to_leak</read_fact>
  <read_fact>leaked_filenames</read_fact>
+  <read_fact>leaked_username</read_fact>

  <default_input into="strings_to_leak">
-    <generator type="message_generator"/>
+    <generator type="message_generator" />
  </default_input>

  <default_input into="leaked_filenames">
-    <generator type="filename_generator">
+    <generator type="filename_generator" />
  </default_input>
+
+  <default_input into="leaked_username">
+    <generator type="username_generator" />
+  </default_input>
+
 </vulnerability>
--- a/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb
+++ b/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb
@@ -2,7 +2,11 @@
 Description=Vulnerable JBOSS server.

 [Service]
+Type=simple
+User=<%= @user %>
 ExecStart=/opt/jboss-6.1.0.Final/bin/run.sh
+Restart=on-abort
+RestartSec=1

 [Install]
 WantedBy=multi-user.target
--- a/scenarios/examples/vulnerability_examples/jboss.xml
+++ b/scenarios/examples/vulnerability_examples/jboss.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>jboss</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/jboss" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>