digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #247 from JD2344/lucee_rce

Browse Source 
Add lucee rce exploit
This commit is contained in:
Cliffe
2023-04-04 11:03:35 +01:00
committed by GitHub
parent 5941edfa89 3eebcc82b5
commit f514cb637a
9 changed files with 189 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partaa Normal file
View File

Binary file not shown.

BIN
modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partab Normal file
View File

Binary file not shown.

6
modules/vulnerabilities/unix/http/lucee_rce/lucee_rce.pp Normal file
View File

@@ -0,0 +1,6 @@
contain lucee_rce::install
contain lucee_rce::service
contain lucee_rce::configure
Class['lucee_rce::install']
-> Class['lucee_rce::configure']
-> Class['lucee_rce::service']

25
modules/vulnerabilities/unix/http/lucee_rce/manifests/configure.pp Normal file
View File

@@ -0,0 +1,25 @@
# Class: lucee_rce::configure
# Configuration for lucee with secgen
#
class lucee_rce::configure {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$leaked_filenames = $secgen_parameters['leaked_filenames']
$strings_to_leak = $secgen_parameters['strings_to_leak']
$user = $secgen_parameters['leaked_username'][0]
$user_home = "/home/${user}"
Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
file { '/usr/local/src/lucee-express-5.3.7.43.zip':
ensure => absent
}
::secgen_functions::leak_files { 'lucee-flag-leak':
storage_directory => $user_home,
leaked_filenames => $leaked_filenames,
strings_to_leak => $strings_to_leak,
owner => $user,
mode => '0644',
leaked_from => 'lucee_rce',
}
}

52
modules/vulnerabilities/unix/http/lucee_rce/manifests/install.pp Normal file
View File

@@ -0,0 +1,52 @@
# Class: lucee_rce::install
# Install process for lucee can be found at:
# https://docs.lucee.org/guides/installing-lucee/download-and-install.html
class lucee_rce::install {
Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
$modulename = 'lucee_rce'
$releasename = 'lucee-express-5.3.7.43.zip'
$splits = ["${releasename}.partaa",
"${releasename}.partab"]
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$port = $secgen_parameters['port'][0]
$user = $secgen_parameters['leaked_username'][0]
$user_home = "/home/${user}"
ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
$splits.each |String $split| {
file { "/tmp/${split}":
ensure => file,
source => "puppet:///modules/${modulename}/${split}",
}
}
# Create user
user { $user:
ensure => present,
home => $user_home,
managehome => true,
}
exec { 'rebuild-archive':
cwd => '/tmp/',
command => "cat ${releasename}.parta* >/usr/local/src/${releasename}",
}
-> exec { 'unpack-lucee':
cwd => '/usr/local/src/',
command => 'unzip -n lucee-express-5.3.7.43.zip',
}
-> file { '/usr/local/src/logs/':
ensure => directory,
}
-> exec { 'giveperms-lucee':
command => 'chmod -R 777 /usr/local/src/bin/',
}
-> exec { 'chmod-lucee':
command => "chown -R ${user} /usr/local/src/",
}
-> exec { 'set-port':
command => "sed -i 's/8888/${port}/' /usr/local/src/conf/server.xml"
}
}

18
modules/vulnerabilities/unix/http/lucee_rce/manifests/service.pp Normal file
View File

@@ -0,0 +1,18 @@
# Class: lucee_rce::service
# Service behaviour
#
class lucee_rce::service {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$user = $secgen_parameters['leaked_username'][0]
file { '/etc/systemd/system/lucee.service':
content => template('lucee_rce/lucee.service.erb'),
owner => 'root',
mode => '0777',
}
service { 'lucee':
ensure => 'running',
enable => 'true',
}
}

57
modules/vulnerabilities/unix/http/lucee_rce/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,57 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>Lucee Administrator imgProcess.cfm Arbitrary File Write</name>
<author>James Davis</author>
<module_license>MIT</module_license>
<description>
This module exploits an arbitrary file write in Lucee Administrator's
imgProcess.cfm file to execute commands as the Tomcat user.
</description>
<type>http</type>
<type>in_the_wild</type>
<privilege>user_rwx</privilege>
<access>remote</access>
<platform>linux</platform>
<difficulty>low</difficulty>
<read_fact>port</read_fact>
<read_fact>strings_to_leak</read_fact>
<read_fact>leaked_filenames</read_fact>
<default_input into="port">
<generator module_path=".*/random_unregistered_port" />
</default_input>
<!-- flags or other secrets exposed after exploitation -->
<default_input into="strings_to_leak">
<generator type="flag_generator" />
</default_input>
<default_input into="leaked_filenames">
<value>flag</value>
</default_input>
<default_input into="leaked_username">
<generator type="username_generator" />
</default_input>
<!--optional
vulnerability details-->
<cve>CVE-2021-21307</cve>
<cvss_base_score>9.8</cvss_base_score>
<cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
<reference>https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md</reference>
<reference>
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb</reference>
<software_name>Lucee Server</software_name>
<software_license>Apache/LGPL</software_license>
<requires>
<type>update</type>
</requires>
</vulnerability>

15
modules/vulnerabilities/unix/http/lucee_rce/templates/lucee.service.erb Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=Lucee
[Service]
Type=forking
User=<%= @user %>
ExecStart=/usr/local/src/bin/startup.sh
ExecStop=/usr/local/src/bin/shutdown.sh
TimeoutStopSec=5
# The exit code of the tomcat java process when terminated via shutdown.sh is 143.
# Don't treat that non-zero exit code as a failure.
SuccessExitStatus=143
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target

16
scenarios/examples/vulnerability_examples/lucee_rce.xml Normal file
View File

@@ -0,0 +1,16 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<system>
<system_name>lucee</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/lucee_rce" />
<network type="private_network" range="dhcp" />
</system>
</scenario>