This has been my weekend project off and on since February. I would still consider it in a "preview" state, but I also think it's far enough along to be useful to at least a few people.
The idea behind it is to use a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
This initial release includes a number of different modules for four different vulnerable software packages:
CVE-2013-6407 - Apache Solr
SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1
CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without Hotfix 940148)
CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3
To my knowledge, this is the first public release of exploit code for CVE-2013-6407 and CVE-2012-2239.
The Squiz Matrix and Mahara modules make use of On The Outside, Reaching In's co-conspirator She Wore A Mirrored Mask, which is an extremely lightweight webserver that pretends to be something innocuous (Apache Coyote 1.1 by default), but is actually used for Yunusov-Osipov-style out-of-band XXE data-exfiltration.
Again, these are really early versions, and the code is a bit of a mess, but they do work very effectively, at least if you run them under Python 2.7.3. The code is GPLv3.
Main pages:
http://www.beneaththewaves.net
http://www.beneaththewaves.net
In-depth tutorials:
http://www.beneaththewaves.net
http://www.beneaththewaves.net
http://www.beneaththewaves.net
http://www.beneaththewaves.net
Feedback is appreciated, and if anyone is able to make good use of them in a pen-test, I'd love to hear about it.
- Ben Lincoln
F7EFC8C9@beneaththewaves.net
The idea behind it is to use a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
This initial release includes a number of different modules for four different vulnerable software packages:
CVE-2013-6407 - Apache Solr
SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1
CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without Hotfix 940148)
CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3
To my knowledge, this is the first public release of exploit code for CVE-2013-6407 and CVE-2012-2239.
The Squiz Matrix and Mahara modules make use of On The Outside, Reaching In's co-conspirator She Wore A Mirrored Mask, which is an extremely lightweight webserver that pretends to be something innocuous (Apache Coyote 1.1 by default), but is actually used for Yunusov-Osipov-style out-of-band XXE data-exfiltration.
Again, these are really early versions, and the code is a bit of a mess, but they do work very effectively, at least if you run them under Python 2.7.3. The code is GPLv3.
Main pages:
http://www.beneaththewaves.net
http://www.beneaththewaves.net
In-depth tutorials:
http://www.beneaththewaves.net
http://www.beneaththewaves.net
http://www.beneaththewaves.net
http://www.beneaththewaves.net
Feedback is appreciated, and if anyone is able to make good use of them in a pen-test, I'd love to hear about it.
- Ben Lincoln
F7EFC8C9@beneaththewaves.net