Add lucee rce exploit

modules/vulnerabilities/unix/http/lucee_rce/files/lucee.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Lucee
+[Service]
+Type=forking
+ExecStart=/usr/local/src/bin/startup.sh
+ExecStop=/usr/local/src/bin/shutdown.sh
+TimeoutStopSec=5
+# The exit code of the tomcat java process when terminated via shutdown.sh is 143.
+# Don't treat that non-zero exit code as a failure.
+SuccessExitStatus=143
+Restart=always
+RestartSec=5
+[Install]
+WantedBy=multi-user.target

modules/vulnerabilities/unix/http/lucee_rce/lucee_rce.pp

@@ -0,0 +1,6 @@
+contain lucee_rce::install
+contain lucee_rce::service
+contain lucee_rce::configure
+Class['lucee_rce::install']
+-> Class['lucee_rce::service']
+-> Class['lucee_rce::configure']

modules/vulnerabilities/unix/http/lucee_rce/manifests/configure.pp

@@ -0,0 +1,18 @@
+# Class: lucee_rce::configure
+# Configuration for lucee with secgen
+#
+class lucee_rce::configure {
+  $leaked_filenames = ['flagtest'] ##$secgen_parameters['leaked_filenames']
+  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  ::secgen_functions::leak_files { 'lucee-flag-leak':
+    storage_directory => '/',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => 'root',
+    mode              => '0750',
+    leaked_from       => 'lucee_rce',
+  }
+}

modules/vulnerabilities/unix/http/lucee_rce/manifests/install.pp

@@ -0,0 +1,37 @@
+# Class: lucee_rce::install
+# Install process for lucee can be found at:
+# https://docs.lucee.org/guides/installing-lucee/download-and-install.html
+class lucee_rce::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  $modulename = 'lucee_rce'
+  $releasename = 'lucee-express-5.3.7.43.zip'
+  $splits = ["${releasename}.partaa",
+  "${releasename}.partab"]
+
+  ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
+
+  $splits.each |String $split| {
+    file { "/tmp/${split}":
+      ensure => file,
+      source => "puppet:///modules/${modulename}/${split}",
+    }
+  }
+
+  exec { 'rebuild-archive':
+    cwd     => '/tmp/',
+    command => "cat ${releasename}.parta* >/usr/local/src/${releasename}",
+  }
+  -> exec { 'unpack-lucee':
+    cwd     => '/usr/local/src/',
+    command => 'unzip -n lucee-express-5.3.7.43.zip',
+  }
+  -> file { '/usr/local/src/logs/':
+    ensure => directory,
+  }
+  -> exec { 'giveperms-lucee':
+    command => 'chmod -R 777 /usr/local/src/bin/',
+  }
+  #-> file { '/usr/local/src/lucee-express-5.3.7.43.zip':
+  #  ensure => absent
+  #}
+}

modules/vulnerabilities/unix/http/lucee_rce/manifests/service.pp

@@ -0,0 +1,15 @@
+# Class: lucee_rce::service
+# Service behaviour
+#
+class lucee_rce::service {
+  file { '/etc/systemd/system/lucee.service':
+    source => 'puppet:///modules/lucee_rce/lucee.service',
+    owner  => 'root',
+    mode   => '0777',
+  }
+
+  service { 'lucee':
+    ensure => 'running',
+    enable => 'true',
+  }
+}

modules/vulnerabilities/unix/http/lucee_rce/secgen_metadata.xml

@@ -0,0 +1,65 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>Lucee Administrator imgProcess.cfm Arbitrary File Write</name>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description>
+    This module exploits an arbitrary file write in Lucee Administrator's
+    imgProcess.cfm file to execute commands as the Tomcat user.
+  </description>
+
+  <type>http</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+
+  <default_input into="port">
+    <value>8888</value>
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <!--optional
+  vulnerability details-->
+  <cve>CVE-2021-21307</cve>
+  <cvss_base_score>9.8</cvss_base_score>
+  <cvss_vector>
+    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
+  <software_name>Lucee Server</software_name>
+  <software_license>
+    Apache/LGPL</software_license>
+  <reference>
+    https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md</reference>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb</reference>
+
+  <!--optional
+  hints-->
+  <hint>visit
+    ip:8888</hint>
+
+  <requires>
+    <module_path>services/unix/**check modules**</module_path>
+  </requires>
+
+  <requires>
+    <module_path>services/unix/**add service file**</module_path>
+  </requires>
+
+</vulnerability>