Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[Tool] XXE exploit automation - On The Outside, Reaching In 0.2

From: "Ben Lincoln (F7EFC8C9)" <F7EFC8C9 () beneaththewaves net>
Date: Mon, 16 Jun 2014 01:24:58 -0700
This has been my weekend project off and on since February. I would still consider it in a "preview" state, but I also think it's far enough along to be useful to at least a few people.
The idea behind it is to use a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
This initial release includes a number of different modules for four different vulnerable software packages: 

CVE-2013-6407 - Apache Solr
SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1
CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without Hotfix 940148) 
CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3
To my knowledge, this is the first public release of exploit code for CVE-2013-6407 and CVE-2012-2239.
The Squiz Matrix and Mahara modules make use of On The Outside, Reaching In's co-conspirator She Wore A Mirrored Mask, which is an extremely lightweight webserver that pretends to be something innocuous (Apache Coyote 1.1 by default), but is actually used for Yunusov-Osipov-style out-of-band XXE data-exfiltration.
Again, these are really early versions, and the code is a bit of a mess, but they do work very effectively, at least if you run them under Python 2.7.3. The code is GPLv3. 

Main pages:

http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html
http://www.beneaththewaves.net/Software/She_Wore_A_Mirrored_Mask.html

In-depth tutorials:

http://www.beneaththewaves.net/Software/OTORI_-_Example_1_Apache_Solr.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_2_Squiz_Matrix.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_3_Mahara.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_4_McAfee_ePO.html
Feedback is appreciated, and if anyone is able to make good use of them in a pen-test, I'd love to hear about it. 

- Ben Lincoln

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: